Skip to content

security: add authorization checks to MetricsHandler#16186

Open
adilburaksen wants to merge 1 commit into
cdapio:developfrom
adilburaksen:security/metrics-handler-authz
Open

security: add authorization checks to MetricsHandler#16186
adilburaksen wants to merge 1 commit into
cdapio:developfrom
adilburaksen:security/metrics-handler-authz

Conversation

@adilburaksen

Copy link
Copy Markdown

Summary

The Studio metrics endpoints in MetricsHandler (cdap-watchdog) select metrics by
caller-supplied tag values (namespace, app, program, …) but never enforce
authorization, so any authenticated user can read or enumerate the operational metrics
of any namespace/app/program:

  • POST /v3/metrics/queryMetricsQueryHelper.executeBatchQueries / executeTagQuery
  • POST /v3/metrics/searchsearchTags / searchMetric

The CDAP router authenticates but does not perform per-resource authorization — that is
the handler's responsibility. The sibling observability handler in the same module,
LogHttpHandler, already enforces StandardPermission.GET on the target program before
returning logs (ensureVisibilityOnProgram); MetricsHandler was added without the
equivalent check. Metrics are namespace-scoped — DefaultMetricStore aggregates on the
namespace tag — so this is a real cross-namespace authorization gap, not just a modeling
concern.

Fix

Inject ContextAccessEnforcer and, before executing any query/search, derive the target
namespace from the request tags and enforce StandardPermission.GET:

  • a query naming a namespace requires GET on that NamespaceId;
  • a namespace-less (cross-namespace) query requires GET on the system namespace;
  • for the batch path, each sub-query's tags are enforced individually.

ContextAccessEnforcer is already bound in the metrics-query injector
(MetricsTwillRunnable / MetricsServiceMain / StandaloneMain all install
AuthorizationEnforcementModule), so no wiring change is needed. This mirrors the
existing security: add authorization checks to … handler hardening.

Testing

I verified the gap and the enforcement points by source inspection (no AccessEnforcer
reference existed in MetricsHandler, unlike its sibling LogHttpHandler). I don't have
a local Apple/CI build environment to run the watchdog suite; happy to add a unit test
(e.g. asserting an unauthorized principal is rejected before the query executes) in the
style the reviewers prefer.

The /v3/metrics query and search endpoints selected metrics by
caller-supplied namespace/app/program tags but never enforced access, so
any authenticated user could read or enumerate another namespaces
operational metrics. Inject ContextAccessEnforcer and enforce
StandardPermission.GET on the namespace derived from the request tags
before executing the query/search (and for each query in the batch path),
mirroring the visibility checks the sibling LogHttpHandler performs in the
same module. A cross-namespace (namespace-less) query now requires GET on
the system namespace.
@gemini-code-assist

Copy link
Copy Markdown

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant