Allow consul debug on non-ACL consul servers #15155
// If enableDebug or ACL enabled, register wrapped pprof handlers | ||
if enableDebug || !s.checkACLDisabled() { | ||
handlePProf("/debug/pprof/", pprof.Index) | ||
handlePProf("/debug/pprof/cmdline", pprof.Cmdline) | ||
handlePProf("/debug/pprof/profile", pprof.Profile) | ||
handlePProf("/debug/pprof/symbol", pprof.Symbol) | ||
handlePProf("/debug/pprof/trace", pprof.Trace) | ||
} |
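Review bot: The `if enableDebug || !s.checkACLDisabled()` guard around the five `handlePProf` calls is evaluated once, when the handler is built, not on each request, and the comment above it does not say so. If either setting can change while the agent is running, the registered routes will not follow it; state that in the comment. Add a test that each of the five `/debug/pprof/` paths returns 404 when both conditions are false, since that is now the only signal a client gets.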
I thought it would make more sense for the handler registration to be guarded by the if condition here rather than allowing the endpoints to be exposed but returning a 401 every time.
Would this cause any side effects?
The only one I can think of is that it will alter the HTTP status code sent back when enable debug is false and acls are not on. I think it will be a 404 instead of a 403/401. I think that should be fine though.
@@ -209,13 +209,6 @@ func (s *HTTPHandlers) handler(enableDebug bool) http.Handler { | |||
var token string | |||
s.parseToken(req, &token) | |||
|
|||
// If enableDebug is not set, and ACLs are disabled, write | |||
// an unauthorized response | |||
if !enableDebug && s.checkACLDisabled() { |
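Review bot: With the `!enableDebug && s.checkACLDisabled()` check dropped from the wrapper, a request on an ACL-enabled agent with debug off reaches the code after `s.parseToken(req, &token)` with nothing in front of it, so that authorization step is the only control left on this path. Add a test that sends a request with an empty token in that configuration and asserts it is still rejected, so a later refactor of the wrapper cannot silently open the endpoints.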
Instead of checking these conditions per request, I've moved the check below to conditionally register pprof handlers instead.
if c.captureTarget(targetProfiles) { | ||
dir, err := makeIntervalDir(c.output, c.timeNow()) |
avoids making empty directories if this branch is never entered
@@ -274,6 +273,22 @@ func (c *cmd) prepare() (version string, err error) { | |||
c.capture = defaultTargets | |||
} | |||
|
|||
// If EnableDebug is not true, skip collecting pprof | |||
enableDebug, ok := self["DebugConfig"]["EnableDebug"].(bool) |
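Review bot: The comment "If EnableDebug is not true, skip collecting pprof" does not match the server-side condition, which registers the pprof handlers when `enableDebug || !s.checkACLDisabled()`. On an agent with ACLs enabled and debug off, the endpoints are registered, yet a check on `EnableDebug` alone would drop the pprof target. Either include the ACL state in this decision or document the narrower behaviour. The `ok` result of the `.(bool)` assertion also needs an explicit branch for a missing or non-boolean `EnableDebug`, with a message that tells the operator why pprof was skipped.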
I approved but I think the connect ca testing code could probably be rolled back. It's not a blocker though.
7163f33 to 86972fa
LGTM!
Description
#10273 had an unintended side-effect of crashing the `consul debug` CLI command if ACLs were disabled and `debug_enabled` was false.

The correct behavior would be to disable the HTTP endpoints for profiling information but still allowing other debug profile targets like `logs` and `metrics` to run without issues.
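The registration-time gate discussed in this PR, as an added example (not code from the Consul repository): pprof routes exist only when debug is enabled or ACLs are on, so an agent with both off answers 404 instead of an authorization error. `newMux`, `status`, the `authorize` callback and the token value are hypothetical stand-ins for the agent's handler and ACL check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// newMux registers pprof routes only when debug is enabled or ACLs are on,
// the same registration-time gate the PR discusses. authorize is a
// hypothetical stand-in for the agent's ACL check.
func newMux(enableDebug, aclsEnabled bool, authorize func(string) bool) *http.ServeMux {
	mux := http.NewServeMux()
	wrap := func(h http.HandlerFunc) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			// With ACLs on, the route exists but each request needs a valid token.
			if aclsEnabled && !authorize(r.Header.Get("X-Consul-Token")) {
				http.Error(w, "permission denied", http.StatusForbidden)
				return
			}
			h(w, r)
		}
	}
	if enableDebug || aclsEnabled {
		mux.HandleFunc("/debug/pprof/", wrap(pprof.Index))
		mux.HandleFunc("/debug/pprof/cmdline", wrap(pprof.Cmdline))
		mux.HandleFunc("/debug/pprof/symbol", wrap(pprof.Symbol))
	}
	return mux
}

// status sends one GET through the mux and returns the response code.
func status(mux *http.ServeMux, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Consul-Token", token)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	auth := func(t string) bool { return t == "constructed-token" } // constructed value
	const p = "/debug/pprof/cmdline"
	fmt.Println(status(newMux(false, false, auth), p, ""))                 // no route
	fmt.Println(status(newMux(true, false, auth), p, ""))                  // debug on
	fmt.Println(status(newMux(false, true, auth), p, ""))                  // ACLs on, no token
	fmt.Println(status(newMux(false, true, auth), p, "constructed-token")) // ACLs on, token
}
```

A client that collects diagnostics has to treat the 404 as "profiling not available on this agent" and carry on with its other targets.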