(PE-28451) switch from the v1 to v2 metrics api

With this commit ...

We switch from the v1 to v2 Metrics API for additional metrics (for PuppetDB),
and drop metrics for unsupported versions of PE.

(This is required in response to PE-28451 / PE-28468.

Note these additional metrics generate errors in PE 2019.4 via v2:

  puppetlabs.puppetdb.ha:name=failed-request-counter
  puppetlabs.puppetdb.mq:name=global.generate-retry-message-time
  puppetlabs.puppetdb.mq:name=global.retry-persistence-time

Author: tkishel

README.md

@@ -21,6 +21,10 @@ Table of Contents
 This module collects metrics provided by the status endpoints of Puppet Enterprise services.
 The metrics can be used to identify performance issues that may be addressed by performance tuning.
 
+> In PE 2018.1.13 and newer and PE 2019.4 and newer, the `/metrics/v1` endpoints are disabled by default and access to the `/metrics/v2` endpoints are restricted to localhost ... in response to CVE-2020-7943. 
+This module requires access those endpoints to collect additional metrics from PuppetDB, and those metrics will not be collected from remote PuppetDB hosts until these restricted are resolved.
+Refer to [Configuration for Distributed Metrics Collection](#Configuration-for-distributed-metrics-collection) for a workaround. 
+
 
 ## Setup
 

files/pe_metrics.rb

@@ -83,10 +83,20 @@ def setup_connection(url, use_ssl)
 def get_endpoint(url, use_ssl)
   http, uri = setup_connection(url, use_ssl)
 
-  data = JSON.parse(http.get(uri.request_uri).body)
+  endpoint_data = JSON.parse(http.get(uri.request_uri).body)
+  if endpoint_data.key?('status')
+    if endpoint_data['status'] == 200
+      endpoint_data = endpoint_data['value']
+    else
+      $error_array << "HTTP Error #{endpoint_data['status']} for #{url}"
+      endpoint_data = {}
+    end
+  end
+  return endpoint_data
+
 rescue Exception => e
-    $error_array << "#{e}"
-    data = {}
+  $error_array << "#{e}"
+  endpoint_data = {}
 end
 
 def post_endpoint(url, use_ssl, post_data)
@@ -96,50 +106,37 @@ def post_endpoint(url, use_ssl, post_data)
   request.content_type = 'application/json'
   request.body = post_data
 
-  data = JSON.parse(http.request(request).body)
+  endpoint_data = JSON.parse(http.request(request).body)
+  return endpoint_data
+
 rescue Exception => e
-    $error_array << "#{e}"
-    data = {}
+  $error_array << "#{e}"
+  endpoint_data = {}
 end
 
-def individually_retrieve_additional_metrics(host, port, use_ssl, metrics)
-  host_url = generate_host_url(host, port, use_ssl)
+# PE-28451 Disables Metrics API v1 (/metrics/v1/beans/) and restricts v2 (/metrics/v2/read/) to localhost by default.
 
-  metrics_array = []
-  metrics.each do |metric|
-    endpoint = URI.escape("#{host_url}/metrics/v1/mbeans/#{metric['url']}")
-    metrics_array <<  { 'name' => metric['name'], 'data' => get_endpoint(endpoint, use_ssl) }
+def retrieve_additional_metrics(host, port, use_ssl, metrics_type, metrics)
+  if metrics_type == 'puppetdb'
+    host = '127.0.0.1' if host == CERTNAME
+    return [] unless ['127.0.0.1', 'localhost'].include?(host)
   end
 
-  return metrics_array
-end
-
-def bulk_retrieve_additional_metrics(host, port, use_ssl, metrics)
   host_url = generate_host_url(host, port, use_ssl)
 
-  post_data = []
-  metrics.each do |metric|
-    post_data << metric['url']
-  end
+  endpoint = "#{host_url}/metrics/v2/read"
+  metrics_output = post_endpoint(endpoint, use_ssl, metrics.to_json)
 
-  endpoint = "#{host_url}/metrics/v1/mbeans"
-  metrics_output = post_endpoint(endpoint, use_ssl, post_data.to_json)
   metrics_array = []
-
   metrics.each_index do |index|
     metric_name = metrics[index]['name']
     metric_data = metrics_output[index]
-    metrics_array << { 'name' => metric_name, 'data' => metric_data }
-  end
-
-  return metrics_array
-end
-
-def retrieve_additional_metrics(host, port, use_ssl, pe_version, metrics)
-  if Gem::Version.new(pe_version) < Gem::Version.new('2016.2.0') then
-    metrics_array = individually_retrieve_additional_metrics(host, port, use_ssl, metrics)
-  else
-    metrics_array = bulk_retrieve_additional_metrics(host, port, use_ssl, metrics)
+    if metric_data['status'] == 200
+      metrics_array << { 'name' => metric_name, 'data' => metric_data['value'] }
+    else
+      metric_mbean = metrics[index]['mbean']
+      $error_array << "HTTP Error #{metric_data['status']} for #{metric_mbean}"
+    end
   end
 
   return metrics_array

files/tk_metrics

@@ -26,7 +26,7 @@ HOSTS.each do |host|
     dataset['servers'][hostkey][METRICS_TYPE] = status_output
 
     unless ADDITIONAL_METRICS.empty? then
-      metrics_array = retrieve_additional_metrics(host, PORT, USE_SSL, PE_VERSION, ADDITIONAL_METRICS)
+      metrics_array = retrieve_additional_metrics(host, PORT, USE_SSL, METRICS_TYPE, ADDITIONAL_METRICS)
       metrics_array.each do |metric_hash|
         metric_name = metric_hash['name']
         metric_data = metric_hash['data']

manifests/service/activemq.pp

@@ -12,44 +12,6 @@
   Optional[Integer]       $metrics_server_port      = $puppet_metrics_collector::metrics_server_port,
   Optional[String]        $metrics_server_db_name   = $puppet_metrics_collector::metrics_server_db_name,
 ) {
-  $additional_metrics = [
-    {
-      'type'      => 'read',
-      'mbean'     => 'java.lang:type=Memory',
-      'attribute' => 'HeapMemoryUsage,NonHeapMemoryUsage'
-    },
-    {
-      'type'      => 'read',
-      'mbean'     => 'java.lang:name=*,type=GarbageCollector',
-      'attribute' => 'CollectionCount'
-    },
-    {
-      'type'      => 'read',
-      'mbean'     => 'java.lang:type=Runtime',
-      'attribute' => 'Uptime'
-    },
-    {
-      'type'      => 'read',
-      'mbean'     => 'java.lang:type=OperatingSystem',
-      'attribute' => 'OpenFileDescriptorCount,MaxFileDescriptorCount'
-    },
-    {
-      'type'      => 'read',
-      'mbean'     => 'org.apache.activemq:brokerName=*,type=Broker',
-      'attribute' => 'MemoryLimit,MemoryPercentUsage,CurrentConnectionsCount'
-    },
-    {
-      'type'      => 'read',
-      'mbean'     => 'org.apache.activemq:type=Broker,brokerName=*,destinationType=Queue,destinationName=mcollective.*',
-      'attribute' => 'AverageBlockedTime,AverageEnqueueTime,AverageMessageSize,ConsumerCount,DequeueCount,DispatchCount,EnqueueCount,ExpiredCount,ForwardCount,InFlightCount,ProducerCount,QueueSize',
-    },
-    {
-      'type'      => 'read',
-      'mbean'     => 'org.apache.activemq:type=Broker,brokerName=*,destinationType=Topic,destinationName=mcollective.*.agent',
-      'attribute' => 'AverageBlockedTime,AverageEnqueueTime,AverageMessageSize,ConsumerCount,DequeueCount,DispatchCount,EnqueueCount,ExpiredCount,ForwardCount,InFlightCount,ProducerCount,QueueSize',
-    },
-  ]
-
   file { "${puppet_metrics_collector::scripts_dir}/amq_metrics" :
     ensure => $metrics_ensure,
     mode   => '0755',
@@ -65,7 +27,7 @@
     metric_script_file       => 'amq_metrics',
     override_metrics_command => $override_metrics_command,
     excludes                 => $excludes,
-    additional_metrics       => $additional_metrics,
+    additional_metrics       => [],
     metrics_server_type      => $metrics_server_type,
     metrics_server_hostname  => $metrics_server_hostname,
     metrics_server_port      => $metrics_server_port,