Details
- Bug
- Resolution: Done
- Critical
- 1.0.0.Alpha3
- None
Description
It is possible to get metrics from a tenant knowing only a few pieces of information, all of which are "public": the metrics endpoint URL, a metric id and the tenant id sent in the Hawkular-Tenant header.
Example:
$ curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 'https://hawkular.kroehling.de/hawkular/metrics/gauges/a79e7b485cd04b90ce1a6ba87f62f039.status.duration/data?buckets=1&end=1439465926443&start=1439462326443' -H 'Hawkular-Tenant: e2f89c8b-5957-4325-94fb-8504f6f734a5'
[{"start":1439462326443,"end":1439465926443,"value":"NaN","min":489.0,"avg":550.9333333333333,"median":523.0,"max":1955.0,"percentile95th":654.8999999999997,"empty":false}]
Note the lack of a Bearer token or any other auth mechanism (user/pass, for instance): the request is served on the strength of the tenant header alone.
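From the defender's side, the missing check is a per-request rule: a tenant-scoped request must carry a bearer token, and that token must be scoped to the tenant named in Hawkular-Tenant. The following is an added example, not Hawkular's code; the token table and the authorize function are constructed stand-ins for whatever token validation the server actually performs.

```python
from dataclasses import dataclass
from typing import Mapping

# Constructed sample token store: token -> tenant id the token is scoped to.
# A real deployment verifies a signed token (OAuth/JWT) instead of a dict.
_TOKENS = {
    "tok-alpha": "e2f89c8b-5957-4325-94fb-8504f6f734a5",
    "tok-beta": "11111111-2222-3333-4444-555555555555",
}


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str


def authorize(headers: Mapping[str, str]) -> Decision:
    """Decide whether a metrics request may read the tenant it names."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    tenant = h.get("hawkular-tenant", "").strip()
    if not tenant:
        return Decision(False, 400, "missing Hawkular-Tenant header")
    scheme, _, token = h.get("authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        # The gap in the report: the tenant header alone must not be enough.
        return Decision(False, 401, "bearer token required")
    token_tenant = _TOKENS.get(token)
    if token_tenant is None:
        return Decision(False, 401, "unknown or expired token")
    if token_tenant != tenant:
        # A valid token for another tenant must not read this tenant's data.
        return Decision(False, 403, "token not scoped to requested tenant")
    return Decision(True, 200, "ok")


if __name__ == "__main__":
    # Same headers as the reported request: tenant id, no Authorization.
    reported = {"Hawkular-Tenant": "e2f89c8b-5957-4325-94fb-8504f6f734a5"}
    print(authorize(reported))
    print(authorize({**reported, "Authorization": "Bearer tok-alpha"}))
```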
Issue Links
is blocked by:
- HAWKULAR-1032 Remove Hawkular-Tenant from pinger (Closed)
- HAWKULAR-1039 Avail creator must use Metrics input queues (Closed)
- HAWKULAR-1025 Access-Control-Allow-Origin multiple values (Closed)