Merge pull request #57 from tkishel/PE-28451_use_v2_metrics

(PE-28451) switch from the v1 to v2 metrics api

Author: Sharpie

README.md

@@ -21,6 +21,10 @@ Table of Contents
 This module collects metrics provided by the status endpoints of Puppet Enterprise services.
 The metrics can be used to identify performance issues that may be addressed by performance tuning.
 
+> In PE 2018.1.13 and newer and PE 2019.4 and newer, the `/metrics/v1` endpoints are disabled by default and access to the `/metrics/v2` endpoints are restricted to localhost ... in response to CVE-2020-7943. 
+This module requires access those endpoints to collect additional metrics from PuppetDB, and those metrics will not be collected from remote PuppetDB hosts until these restricted are resolved.
+Refer to [Configuration for Distributed Metrics Collection](#Configuration-for-distributed-metrics-collection) for a workaround. 
+
 
 ## Setup
 
@@ -173,22 +177,6 @@ puppetdb/master.example.com/20190404T171001Z.json: "queue_depth": 0,
 puppetdb/master.example.com/20190404T171502Z.json: "queue_depth": 0,
 ```
 
-Example for PE 2016.5 and older:
-
-```bash
-grep Cursor puppetdb/master.example.com/*.json
-
-puppetdb/master.example.com/20190404T171001Z.json: "CursorMemoryUsage": 0,
-puppetdb/master.example.com/20190404T171001Z.json: "CursorFull": false,
-puppetdb/master.example.com/20190404T171001Z.json: "CursorPercentUsage": 0,
-puppetdb/master.example.com/20190404T171502Z.json: "CursorMemoryUsage": 0,
-puppetdb/master.example.com/20190404T171502Z.json: "CursorFull": false,
-puppetdb/master.example.com/20190404T171502Z.json: "CursorPercentUsage": 0,
-puppetdb/master.example.com/20190404T172002Z.json: "CursorMemoryUsage": 0,
-puppetdb/master.example.com/20190404T172002Z.json: "CursorFull": false,
-puppetdb/master.example.com/20190404T172002Z.json: "CursorPercentUsage": 0,
-```
-
 ### Sharing Metrics Data
 
 When working with Support, you may be asked for an archive of collected metrics data.
@@ -364,17 +352,23 @@ Classify each PE Infrastructure Host with this module, specifying the following
 When classifying a Compile Master, specify these additional parameters:
 
 ```puppet
+class { 'puppet_metrics_collector':
+  puppetserver_hosts          => ['127.0.0.1'],
   puppetdb_metrics_ensure     => absent,
   orchestrator_metrics_ensure => absent,
   ace_metrics_ensure          => absent,
   bolt_metrics_ensure         => absent,
+}
 ```
 
 When classifying a PuppetDB Host, specify these additional parameters:
 
 ```puppet
+class { 'puppet_metrics_collector':
+  puppetdb_hosts              => ['127.0.0.1'],
   puppetserver_metrics_ensure => absent,
   orchestrator_metrics_ensure => absent,
   ace_metrics_ensure          => absent,
   bolt_metrics_ensure         => absent,
+}
 ```

files/pe_metrics.rb

@@ -83,10 +83,20 @@ def setup_connection(url, use_ssl)
 def get_endpoint(url, use_ssl)
   http, uri = setup_connection(url, use_ssl)
 
-  data = JSON.parse(http.get(uri.request_uri).body)
+  endpoint_data = JSON.parse(http.get(uri.request_uri).body)
+  if endpoint_data.key?('status')
+    if endpoint_data['status'] == 200
+      endpoint_data = endpoint_data['value']
+    else
+      $error_array << "HTTP Error #{endpoint_data['status']} for #{url}"
+      endpoint_data = {}
+    end
+  end
+  return endpoint_data
+
 rescue Exception => e
-    $error_array << "#{e}"
-    data = {}
+  $error_array << "#{e}"
+  endpoint_data = {}
 end
 
 def post_endpoint(url, use_ssl, post_data)
@@ -96,50 +106,37 @@ def post_endpoint(url, use_ssl, post_data)
   request.content_type = 'application/json'
   request.body = post_data
 
-  data = JSON.parse(http.request(request).body)
+  endpoint_data = JSON.parse(http.request(request).body)
+  return endpoint_data
+
 rescue Exception => e
-    $error_array << "#{e}"
-    data = {}
+  $error_array << "#{e}"
+  endpoint_data = {}
 end
 
-def individually_retrieve_additional_metrics(host, port, use_ssl, metrics)
-  host_url = generate_host_url(host, port, use_ssl)
+# PE-28451 Disables Metrics API v1 (/metrics/v1/beans/) and restricts v2 (/metrics/v2/read/) to localhost by default.
 
-  metrics_array = []
-  metrics.each do |metric|
-    endpoint = URI.escape("#{host_url}/metrics/v1/mbeans/#{metric['url']}")
-    metrics_array <<  { 'name' => metric['name'], 'data' => get_endpoint(endpoint, use_ssl) }
+def retrieve_additional_metrics(host, port, use_ssl, metrics_type, metrics)
+  if metrics_type == 'puppetdb'
+    host = '127.0.0.1' if host == CERTNAME
+    return [] unless ['127.0.0.1', 'localhost'].include?(host)
   end
 
-  return metrics_array
-end
-
-def bulk_retrieve_additional_metrics(host, port, use_ssl, metrics)
   host_url = generate_host_url(host, port, use_ssl)
 
-  post_data = []
-  metrics.each do |metric|
-    post_data << metric['url']
-  end
+  endpoint = "#{host_url}/metrics/v2/read"
+  metrics_output = post_endpoint(endpoint, use_ssl, metrics.to_json)
 
-  endpoint = "#{host_url}/metrics/v1/mbeans"
-  metrics_output = post_endpoint(endpoint, use_ssl, post_data.to_json)
   metrics_array = []
-
   metrics.each_index do |index|
     metric_name = metrics[index]['name']
     metric_data = metrics_output[index]
-    metrics_array << { 'name' => metric_name, 'data' => metric_data }
-  end
-
-  return metrics_array
-end
-
-def retrieve_additional_metrics(host, port, use_ssl, pe_version, metrics)
-  if Gem::Version.new(pe_version) < Gem::Version.new('2016.2.0') then
-    metrics_array = individually_retrieve_additional_metrics(host, port, use_ssl, metrics)
-  else
-    metrics_array = bulk_retrieve_additional_metrics(host, port, use_ssl, metrics)
+    if metric_data['status'] == 200
+      metrics_array << { 'name' => metric_name, 'data' => metric_data['value'] }
+    else
+      metric_mbean = metrics[index]['mbean']
+      $error_array << "HTTP Error #{metric_data['status']} for #{metric_mbean}"
+    end
   end
 
   return metrics_array

files/tk_metrics

@@ -26,7 +26,7 @@ HOSTS.each do |host|
     dataset['servers'][hostkey][METRICS_TYPE] = status_output
 
     unless ADDITIONAL_METRICS.empty? then
-      metrics_array = retrieve_additional_metrics(host, PORT, USE_SSL, PE_VERSION, ADDITIONAL_METRICS)
+      metrics_array = retrieve_additional_metrics(host, PORT, USE_SSL, METRICS_TYPE, ADDITIONAL_METRICS)
       metrics_array.each do |metric_hash|
         metric_name = metric_hash['name']
         metric_data = metric_hash['data']

manifests/pe_metric.pp

@@ -48,6 +48,7 @@
   $metric_script_file_path = "${puppet_metrics_collector::scripts_dir}/${metric_script_file}"
   $conversion_script_file_path = "${puppet_metrics_collector::scripts_dir}/json2timeseriesdb"
 
+  # lint:ignore:140chars
   if empty($override_metrics_command) {
     $base_metrics_command = "${metric_script_file_path} --metrics_type ${metrics_type} --output_dir ${metrics_output_dir}"
 
@@ -79,10 +80,10 @@
     } else {
       $metrics_command = "${base_metrics_command} --no-print"
     }
-
   } else {
     $metrics_command = $override_metrics_command
   }
+  # lint:endignore
 
   cron { "${metrics_type}_metrics_collection" :
     ensure  => $metric_ensure,

manifests/service/activemq.pp

@@ -12,6 +12,7 @@
   Optional[Integer]       $metrics_server_port      = $puppet_metrics_collector::metrics_server_port,
   Optional[String]        $metrics_server_db_name   = $puppet_metrics_collector::metrics_server_db_name,
 ) {
+  # lint:ignore:140chars
   $additional_metrics = [
     {
       'type'      => 'read',
@@ -49,6 +50,7 @@
       'attribute' => 'AverageBlockedTime,AverageEnqueueTime,AverageMessageSize,ConsumerCount,DequeueCount,DispatchCount,EnqueueCount,ExpiredCount,ForwardCount,InFlightCount,ProducerCount,QueueSize',
     },
   ]
+  # lint:endignore
 
   file { "${puppet_metrics_collector::scripts_dir}/amq_metrics" :
     ensure => $metrics_ensure,