
List:       geronimo-dev
Subject:    [metrics] change in security shield
From:       Romain Manni-Bucau <rmannibucau () gmail ! com>
Date:       2020-02-27 22:32:02
Message-ID: CACLE=7N5NWSFtGcbpMCspjeP+KF3ZuQCELsiw0ijkP7UiEpRww () mail ! gmail ! com

Hi all

Wdyt of https://github.com/apache/geronimo-metrics/pull/4 ?

My last comment requires some discussion I think but since the PR is not from G
itself, I don't want to wait too long before getting it in.

Personally, I'd be tempted to add an event fired only if there is an
observer and enhance the doc for meecrowave/tomee/tomcat + support ranges
with a warning saying it is not recommended but I also get the easiness to
not need to observe the event.

Main point is to ensure only the monitor (Prometheus or equivalent) can
call the metrics endpoint since some sensitive - or even PII - data can be
there.

Romain
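The two shielding options the message weighs (an application-observable event that decides per request, versus a configured allow-list of client address ranges) can be sketched in plain Java. The following is an added illustration, not code from geronimo-metrics or from the PR: the class and method names (`MetricsAccessGuard`, `AccessObserver`, `isAllowed`) are hypothetical, the CDI event is modelled as a simple interface so the code runs without a container, and the sample addresses are constructed. In a real CDI deployment the "fire only if there is an observer" behaviour would be implemented by checking `BeanManager.resolveObserverMethods(event)` before firing.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (hypothetical names, not geronimo-metrics code).
 * Shields a /metrics endpoint two ways:
 *  1. If the application registered an observer, it decides (mirrors the
 *     "event fired only if there is an observer" option).
 *  2. Otherwise fall back to an IPv4 CIDR allow-list of scraper addresses.
 *     Source-address checks are the weaker option: behind a reverse proxy or
 *     NAT the remote address is not the real client, which is why the thread
 *     suggests documenting ranges with a warning.
 */
public final class MetricsAccessGuard {

    /** Stand-in for a CDI observer of a hypothetical MetricsAccessEvent. */
    public interface AccessObserver {
        boolean allow(String remoteAddr, String path);
    }

    private final List<long[]> ranges = new ArrayList<>(); // each entry: {network, mask}
    private final AccessObserver observer;                 // null means nobody observes

    public MetricsAccessGuard(List<String> cidrRanges, AccessObserver observer) {
        for (String cidr : cidrRanges) {
            ranges.add(parseCidr(cidr));
        }
        this.observer = observer;
    }

    /** Decide whether this request may read the metrics endpoint. */
    public boolean isAllowed(String remoteAddr, String path) {
        if (observer != null) {
            return observer.allow(remoteAddr, path); // option 1: observer has the last word
        }
        if (ranges.isEmpty()) {
            return false; // fail closed: no observer and no configured ranges
        }
        long addr = toLong(remoteAddr);
        if (addr < 0) {
            return false; // not a valid IPv4 literal (e.g. IPv6 or garbage)
        }
        for (long[] r : ranges) {
            if ((addr & r[1]) == r[0]) {
                return true;
            }
        }
        return false;
    }

    /** Parse "a.b.c.d/n" (or a bare address, treated as /32) into {network, mask}. */
    static long[] parseCidr(String cidr) {
        String[] parts = cidr.split("/");
        long net = toLong(parts[0]);
        if (net < 0) {
            throw new IllegalArgumentException("bad address: " + cidr);
        }
        int bits = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
        if (bits < 0 || bits > 32) {
            throw new IllegalArgumentException("bad prefix: " + cidr);
        }
        long mask = bits == 0 ? 0L : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
        return new long[] { net & mask, mask };
    }

    /** Dotted-quad IPv4 to an unsigned 32-bit value, or -1 if malformed. */
    static long toLong(String ip) {
        String[] octets = ip.trim().split("\\.");
        if (octets.length != 4) {
            return -1;
        }
        long v = 0;
        for (String o : octets) {
            int n;
            try {
                n = Integer.parseInt(o);
            } catch (NumberFormatException e) {
                return -1;
            }
            if (n < 0 || n > 255) {
                return -1;
            }
            v = (v << 8) | n;
        }
        return v;
    }

    public static void main(String[] args) {
        // Constructed sample: only the scraper subnet and loopback may read metrics.
        MetricsAccessGuard byRange =
                new MetricsAccessGuard(Arrays.asList("10.42.0.0/24", "127.0.0.1"), null);
        System.out.println("scraper  " + byRange.isAllowed("10.42.0.17", "/metrics"));
        System.out.println("other    " + byRange.isAllowed("10.43.0.17", "/metrics"));
        System.out.println("loopback " + byRange.isAllowed("127.0.0.1", "/metrics"));

        // Observer registered: the application decides and the ranges are not consulted.
        MetricsAccessGuard byObserver = new MetricsAccessGuard(Collections.emptyList(),
                (addr, path) -> "/metrics".equals(path) && addr.startsWith("10.42."));
        System.out.println("observer " + byObserver.isAllowed("192.168.1.5", "/metrics"));
    }
}
```

The guard fails closed when neither mechanism is configured, which is the safer default for an endpoint that may expose PII; the address check is deliberately kept as a fallback only, since it is only meaningful when the application sees the scraper's real source address.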



