/varz endpoint


Matthew Sykes

Jan 15, 2014, 3:46:19 PM
to vcap...@cloudfoundry.org
Hi. I spent the morning walking through the output of the /varz endpoints from all components that responded to a discover message. I had assumed that these endpoints existed to support monitoring tools, but they respond with a fair bit more than is needed to support that use case.

Based on the recent discussion about service creds in logs, I'm wondering if there are any concerns about the information presented here?

For example the cc's /varz endpoint responds with configuration information for the blob stores, db credentials, and db password and the go router's endpoint responds with the nats credentials.

Thanks.

--
Matthew Sykes
matthe...@gmail.com

David Lee

Jan 16, 2014, 2:56:06 AM
to vcap...@cloudfoundry.org
Hi Matthew,

Did you enumerate the /varz endpoints via NATS and (directly) access /varz using the HTTP credentials from NATS message?

While /varz may provide a bit too much information (because it publishes all of its settings), access is via authenticated HTTP which is only available via authorized access to NATS.

If nobody is using it, we could consider its removal. Since there's no easy way to determine which settings are sensitive and which ones are not, would any tool be affected by the removal of all config values from /varz?

-Dave


Matthew Sykes

Jan 16, 2014, 7:11:14 AM
to vcap...@cloudfoundry.org
Hi David. While I did enumerate components and get credential information from the nats bus, I acquired the credentials for the bus *from the go router* by using my creds for /routes to get /varz.

I understand the authorization and network access requirements here, but it just seems like an unnecessary amount of detail is exposed.

Thanks.
--
Matthew Sykes
matthe...@gmail.com

David Lee

Jan 16, 2014, 10:21:48 AM
to vcap...@cloudfoundry.org
Other than the password, are you concerned about the rest of the configuration information? The connectivity information can be useful for visualizing the dependencies across the system.
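A redaction filter for the kind of config hash a /varz endpoint publishes, added here as an example; it is not code from the thread or from any Cloud Foundry component, and the sample structure, key patterns and URI handling are my own assumptions. It blanks values under secret-looking keys and strips user:password from connection URIs while keeping hosts and ports, so the dependency view described above survives without the credentials.

```ruby
require 'json'

# Constructed sample of what a component's /varz might publish; the shape is
# illustrative and not copied from any real Cloud Foundry component.
SAMPLE_VARZ = {
  "name"   => "CloudController",
  "index"  => 0,
  "uptime" => "0d:3h:12m:40s",
  "config" => {
    "mbus" => "nats://nats:natspass@10.0.0.5:4222",
    "db"   => { "database" => "postgres://ccadmin:dbpass@10.0.0.6/ccdb",
                "max_connections" => 25 },
    "packages" => { "fog_connection" => { "provider" => "AWS",
                                          "aws_access_key_id" => "AKIAEXAMPLE",
                                          "aws_secret_access_key" => "supersecret" } },
  },
}.freeze

# Key names whose values are treated as secrets (assumed list, extend as needed).
SENSITIVE_KEY = /pass(word|wd)?|secret|token|credential|private_key/i
REDACTED = "[REDACTED]"

# Replace the userinfo part of a URI (user:pass@) but keep scheme, host and path,
# e.g. nats://user:pass@host:4222 -> nats://[REDACTED]@host:4222
def scrub_uri_userinfo(value)
  value.sub(%r{\A([a-z][a-z0-9+.-]*://)[^/@\s]+@}i, "\\1#{REDACTED}@")
end

# Walk the nested hash/array structure and return a redacted copy.
# The input is not mutated, so the component's live config stays intact.
def redact_varz(node, key = nil)
  case node
  when Hash
    node.each_with_object({}) { |(k, v), out| out[k] = redact_varz(v, k) }
  when Array
    node.map { |v| redact_varz(v, key) }
  when String
    return REDACTED if key && key.to_s.match?(SENSITIVE_KEY)
    scrub_uri_userinfo(node)
  else
    node
  end
end

# JSON body that would be safe to hand to a monitoring tool.
def safe_varz_json(varz)
  JSON.pretty_generate(redact_varz(varz))
end

puts safe_varz_json(SAMPLE_VARZ) if $PROGRAM_NAME == __FILE__
```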