Commit bd41e3c7 authored by Daniel Gerhardt's avatar Daniel Gerhardt Committed by Tom Käsler

Add more fine-grained authorization handling for management API

* Everyone, including unauthenticated clients, can access /health (status only, no component details) and /info.
* Role `MONITORING` can access:
    * /health/** (w/ component details)
    * /metrics[/**]
    * /prometheus
    * /stats
* Role `ADMIN` can access everything.
parent 7ae685ce
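--- a/SecurityConfig.java
+++ b/SecurityConfig.java
@@ -241,7 +241,16 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 protected void configure(final HttpSecurity http) throws Exception {
 super.configure(http);
 http.antMatcher(managementPath + "/**");
-http.authorizeRequests().anyRequest().hasRole("ADMIN");
+http.authorizeRequests()
+.antMatchers(managementPath + "/health", managementPath + "/info").permitAll()
+.antMatchers(
+managementPath + "/health/**",
+managementPath + "/metrics",
+managementPath + "/metrics/**",
+managementPath + "/prometheus",
+managementPath + "/stats"
+).hasAnyRole("ADMIN", "MONITORING")
+.anyRequest().hasRole("ADMIN");
 http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 }
 }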
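Review bot: The `permitAll()` on `managementPath + "/info"` hands whatever the info endpoint's contributors publish (build, git, custom info) to unauthenticated clients, and nothing in this hunk bounds that; a comment next to the rule plus a check that no sensitive `management.info.*` contributor (e.g. git `mode: full`) is enabled would make the exposure deliberate rather than accidental. The exact `/health` match being listed before `/health/**` is load-bearing, because an Ant `/health/**` pattern also matches `/health` itself and, if evaluated first, would demand a role for the status-only view the description promises to everyone; document it with `// exact /health first: /health/** below also matches /health and would require a role`. The patterns are plain string concatenation on `managementPath`, so they are only correct while that value equals the actuator's effective web base path and no `management.endpoints.web.path-mapping` overrides are configured; Spring Boot's `EndpointRequest` would track those automatically but cannot separate `/health` from `/health/**`, so the hand-written patterns are a defensible choice as long as that assumption is noted on the field. The catch-all `anyRequest().hasRole("ADMIN")` is what keeps every other exposed endpoint (env, heapdump, loggers, shutdown if enabled) fail-closed, which matters because the config in this commit exposes `"*"`. The `configure` method is complete in the hunk, but the class header and the `managementPath` declaration are outside it.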
......@@ -5,6 +5,12 @@ arsnova:
base-path: /management
exposure:
include: "*"
endpoint:
health:
show-details: when-authorized
roles:
- ADMIN
- MONITORING
metrics:
web:
server:
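Review bot: The `roles` list under `endpoint.health` repeats the role set that `SecurityConfig.configure(HttpSecurity)` hard-codes in `hasAnyRole("ADMIN", "MONITORING")`, and nothing ties the two together, so adding or renaming a role in one place silently shows health details to, or hides them from, the wrong group; add `# keep in sync with the ADMIN/MONITORING rules in SecurityConfig.configure(HttpSecurity)` above the list. As far as I recall, `show-details: when-authorized` evaluates these names through `HttpServletRequest.isUserInRole`, which Spring Security prefixes with `ROLE_`, so bare `ADMIN`/`MONITORING` are consistent with the `hasRole` checks — worth confirming against the Spring Boot version in use and noting in the same comment. The rendered page has dropped the YAML indentation, so the nesting of `endpoint:` relative to `exposure:` and `metrics:` cannot be verified here, and the enclosing `management` block begins before the hunk.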