nsqadmin: X-Forwarded-User based ACL

Author: chen-anders

apps/nsqadmin/main.go

@@ -47,14 +47,17 @@ var (
 	httpClientTLSKey                = flagSet.String("http-client-tls-key", "", "path to key file for the HTTP client")
 
 	allowConfigFromCIDR = flagSet.String("allow-config-from-cidr", "127.0.0.1/8", "A CIDR from which to allow HTTP requests to the /config endpoint")
+	aclHttpHeader       = flagSet.String("acl-http-header", "X-Forwarded-User", "HTTP header to check for authenticated admin users")
 
+	adminUsers              = app.StringArray{}
 	nsqlookupdHTTPAddresses = app.StringArray{}
 	nsqdHTTPAddresses       = app.StringArray{}
 )
 
 func init() {
 	flagSet.Var(&nsqlookupdHTTPAddresses, "lookupd-http-address", "lookupd HTTP address (may be given multiple times)")
 	flagSet.Var(&nsqdHTTPAddresses, "nsqd-http-address", "nsqd HTTP address (may be given multiple times)")
+	flagSet.Var(&adminUsers, "admin-user", "admin user (may be given multiple times; if specified, only these users will be able to perform privileged actions; acl-http-header is used to determine the authenticated user)")
 }
 
 func main() {

nsqadmin/http.go

@@ -134,6 +134,7 @@ func (s *httpServer) indexHandler(w http.ResponseWriter, req *http.Request, ps h
 		StatsdGaugeFormat   string
 		StatsdPrefix        string
 		NSQLookupd          []string
+		IsAdmin             bool
 	}{
 		Version:             version.Binary,
 		ProxyGraphite:       s.ctx.nsqadmin.getOpts().ProxyGraphite,
@@ -144,6 +145,7 @@ func (s *httpServer) indexHandler(w http.ResponseWriter, req *http.Request, ps h
 		StatsdGaugeFormat:   s.ctx.nsqadmin.getOpts().StatsdGaugeFormat,
 		StatsdPrefix:        s.ctx.nsqadmin.getOpts().StatsdPrefix,
 		NSQLookupd:          s.ctx.nsqadmin.getOpts().NSQLookupdHTTPAddresses,
+		IsAdmin:             s.isAuthorizedAdminRequest(req),
 	})
 
 	return nil, nil
@@ -420,6 +422,11 @@ func (s *httpServer) createTopicChannelHandler(w http.ResponseWriter, req *http.
 		Topic   string `json:"topic"`
 		Channel string `json:"channel"`
 	}
+
+	if !s.isAuthorizedAdminRequest(req) {
+		return nil, http_api.Err{403, "FORBIDDEN"}
+	}
+
 	err := json.NewDecoder(req.Body).Decode(&body)
 	if err != nil {
 		return nil, http_api.Err{400, err.Error()}
@@ -458,6 +465,10 @@ func (s *httpServer) createTopicChannelHandler(w http.ResponseWriter, req *http.
 func (s *httpServer) deleteTopicHandler(w http.ResponseWriter, req *http.Request, ps httprouter.Params) (interface{}, error) {
 	var messages []string
 
+	if !s.isAuthorizedAdminRequest(req) {
+		return nil, http_api.Err{403, "FORBIDDEN"}
+	}
+
 	topicName := ps.ByName("topic")
 
 	err := s.ci.DeleteTopic(topicName,
@@ -483,6 +494,10 @@ func (s *httpServer) deleteTopicHandler(w http.ResponseWriter, req *http.Request
 func (s *httpServer) deleteChannelHandler(w http.ResponseWriter, req *http.Request, ps httprouter.Params) (interface{}, error) {
 	var messages []string
 
+	if !s.isAuthorizedAdminRequest(req) {
+		return nil, http_api.Err{403, "FORBIDDEN"}
+	}
+
 	topicName := ps.ByName("topic")
 	channelName := ps.ByName("channel")
 
@@ -523,6 +538,11 @@ func (s *httpServer) topicChannelAction(req *http.Request, topicName string, cha
 	var body struct {
 		Action string `json:"action"`
 	}
+
+	if !s.isAuthorizedAdminRequest(req) {
+		return nil, http_api.Err{403, "FORBIDDEN"}
+	}
+
 	err := json.NewDecoder(req.Body).Decode(&body)
 	if err != nil {
 		return nil, http_api.Err{400, err.Error()}
@@ -755,6 +775,21 @@ func (s *httpServer) doConfig(w http.ResponseWriter, req *http.Request, ps httpr
 	return v, nil
 }
 
+func (s *httpServer) isAuthorizedAdminRequest(req *http.Request) bool {
+	adminUsers := s.ctx.nsqadmin.getOpts().AdminUsers
+	if len(adminUsers) == 0 {
+		return true
+	}
+	aclHttpHeader := s.ctx.nsqadmin.getOpts().AclHttpHeader
+	user := req.Header.Get(aclHttpHeader)
+	for _, v := range adminUsers {
+		if v == user {
+			return true
+		}
+	}
+	return false
+}
+
 func getOptByCfgName(opts interface{}, name string) (interface{}, bool) {
 	val := reflect.ValueOf(opts).Elem()
 	typ := val.Type()

nsqadmin/http_test.go

@@ -55,6 +55,10 @@ func mustStartNSQLookupd(opts *nsqlookupd.Options) (*net.TCPAddr, *net.TCPAddr,
 }
 
 func bootstrapNSQCluster(t *testing.T) (string, []*nsqd.NSQD, []*nsqlookupd.NSQLookupd, *NSQAdmin) {
+	return bootstrapNSQClusterWithAuth(t, false)
+}
+
+func bootstrapNSQClusterWithAuth(t *testing.T, withAuth bool) (string, []*nsqd.NSQD, []*nsqlookupd.NSQLookupd, *NSQAdmin) {
 	lgr := test.NewTestLogger(t)
 
 	nsqlookupdOpts := nsqlookupd.NewOptions()
@@ -85,6 +89,9 @@ func bootstrapNSQCluster(t *testing.T) (string, []*nsqd.NSQD, []*nsqlookupd.NSQL
 	nsqadminOpts.HTTPAddress = "127.0.0.1:0"
 	nsqadminOpts.NSQLookupdHTTPAddresses = []string{nsqlookupd1.RealHTTPAddr().String()}
 	nsqadminOpts.Logger = lgr
+	if withAuth {
+		nsqadminOpts.AdminUsers = []string{"matt"}
+	}
 	nsqadmin1 := New(nsqadminOpts)
 	go nsqadmin1.Main()
 

nsqadmin/options.go

@@ -38,6 +38,9 @@ type Options struct {
 	AllowConfigFromCIDR string `flag:"allow-config-from-cidr"`
 
 	NotificationHTTPEndpoint string `flag:"notification-http-endpoint"`
+
+	AclHttpHeader string   `flag:"acl-http-header"`
+	AdminUsers    []string `flag:"admin-user" cfg:"admin_users"`
 }
 
 func NewOptions() *Options {
@@ -52,5 +55,7 @@ func NewOptions() *Options {
 		HTTPClientConnectTimeout: 2 * time.Second,
 		HTTPClientRequestTimeout: 5 * time.Second,
 		AllowConfigFromCIDR:      "127.0.0.1/8",
+		AclHttpHeader:            "X-Forwarded-User",
+		AdminUsers:               []string{},
 	}
 }

nsqadmin/static/html/index.html

@@ -23,6 +23,7 @@
         var STATSD_INTERVAL = {{.StatsdInterval}};
         var STATSD_PREFIX = '{{.StatsdPrefix}}';
         var NSQLOOKUPD = [{{range .NSQLookupd}}'{{.}}',{{end}}];
+        var IS_ADMIN ={{.IsAdmin}};
     </script>
     <script src="/static/vendor.js"></script>
     <script src="/static/main.js"></script>

nsqadmin/static/js/app_state.js

@@ -12,7 +12,8 @@ var AppState = Backbone.Model.extend({
             'STATSD_GAUGE_FORMAT': STATSD_GAUGE_FORMAT,
             'STATSD_PREFIX': STATSD_PREFIX,
             'NSQLOOKUPD': NSQLOOKUPD,
-            'graph_interval': '2h'
+            'graph_interval': '2h',
+            'IS_ADMIN': IS_ADMIN
         };
     },
 

nsqadmin/static/js/views/app.js

@@ -73,7 +73,6 @@ var AppView = BaseView.extend({
                     .fail(function() { $el.html('ERROR'); });
             });
         });
-
         this.render();
     },
 
@@ -98,21 +97,21 @@ var AppView = BaseView.extend({
 
     showTopic: function(topic) {
         this.showView(function() {
-            var model = new Topic({'name': topic});
+            var model = new Topic({'name': topic, 'isAdmin': AppState.get('IS_ADMIN')});
             return new TopicView({'model': model});
         });
     },
 
     showChannel: function(topic, channel) {
         this.showView(function() {
-            var model = new Channel({'topic': topic, 'name': channel});
+            var model = new Channel({'topic': topic, 'name': channel, 'isAdmin': AppState.get('IS_ADMIN')});
             return new ChannelView({'model': model});
         });
     },
 
     showLookup: function() {
         this.showView(function() {
-            return new LookupView();
+            return new LookupView({'isAdmin': AppState.get('IS_ADMIN')});
         });
     },
 

nsqadmin/static/js/views/channel.hbs

@@ -26,6 +26,7 @@
     </div>
 </div>
 {{else}}
+{{#if isAdmin}}
 <div class="row channel-actions">
     <div class="col-md-2">
         <button class="btn btn-medium btn-warning" data-action="empty">Empty Queue</button>
@@ -41,6 +42,7 @@
         {{/if}}
     </div>
 </div>
+{{/if}}
 
 <div class="row">
     <div class="col-md-12">

nsqadmin/static/js/views/channel.js

@@ -21,10 +21,11 @@ var ChannelView = BaseView.extend({
     initialize: function() {
         BaseView.prototype.initialize.apply(this, arguments);
         this.listenTo(AppState, 'change:graph_interval', this.render);
+        var isAdmin = this.model.get('isAdmin');
         this.model.fetch()
             .done(function(data) {
                 this.template = require('./channel.hbs');
-                this.render({'message': data['message']});
+                this.render({'message': data['message'], 'isAdmin': isAdmin});
             }.bind(this))
             .fail(this.handleViewError.bind(this))
             .always(Pubsub.trigger.bind(Pubsub, 'view:ready'));

nsqadmin/static/js/views/lookup.hbs

@@ -51,6 +51,7 @@
     </div>
 </div>
 
+{{#if isAdmin}}
 <div class="row">
     <div class="col-md-4">
         <form class="hierarchy">
@@ -68,4 +69,5 @@
         </form>
     </div>
 </div>
+{{/if}}
 {{/unless}}

nsqadmin/static/js/views/lookup.js

@@ -21,14 +21,16 @@ var LookupView = BaseView.extend({
 
     initialize: function() {
         BaseView.prototype.initialize.apply(this, arguments);
+        var isAdmin = arguments[0]['isAdmin'];
         $.ajax(AppState.url('/topics?inactive=true'))
             .done(function(data) {
                 this.template = require('./lookup.hbs');
                 this.render({
                     'topics': _.map(data['topics'], function(v, k) {
                         return {'name': k, 'channels': v};
                     }),
-                    'message': data['message']
+                    'message': data['message'],
+                    'isAdmin': isAdmin
                 });
             }.bind(this))
             .fail(this.handleViewError.bind(this))

nsqadmin/static/js/views/topic.hbs

@@ -25,6 +25,7 @@
     </div>
 </div>
 {{else}}
+{{#if isAdmin}}
 <div class="row topic-actions">
     <div class="col-md-2">
         <button class="btn btn-medium btn-warning" data-action="empty">Empty Queue</button>
@@ -40,6 +41,7 @@
         {{/if}}
     </div>
 </div>
+{{/if}}
 
 <div class="row">
     <div class="col-md-12">

nsqadmin/static/js/views/topic.js

@@ -21,10 +21,11 @@ var TopicView = BaseView.extend({
     initialize: function() {
         BaseView.prototype.initialize.apply(this, arguments);
         this.listenTo(AppState, 'change:graph_interval', this.render);
+        var isAdmin = this.model.get('isAdmin')
         this.model.fetch()
             .done(function(data) {
                 this.template = require('./topic.hbs');
-                this.render({'message': data['message']});
+                this.render({'message': data['message'], 'isAdmin': isAdmin});
             }.bind(this))
             .fail(this.handleViewError.bind(this))
             .always(Pubsub.trigger.bind(Pubsub, 'view:ready'));