When setting up logging for the API Gateway, the log created follows this default pattern :
API-Gateway-Execution-Logs_awsnameofservice/stage
The awsnamesofservice part is like 'fhsdydfn7*' an aws equivilent for the name of your service. Is there a way to rename this, so it becomes something more user friendly?
Thanks
For execution logs for REST and WebSocket APIs, there is no way for you to configure this today.
For access logs you can provide the log group when you configure the logs by specifying the destinationArn.
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
Related
Close proxy API access
Hi community,
Grafana 8.2.5
We have a Grafana system 8.2.5. He had a security audit, where the API access is criticized.
We have enabled an anonymous acess for users without login.
[auth.anonymous]
enabled =true
org_name = IT.NRW
org_role = Viewer
When I try to access the Grafana like:
curl http://<fqdn>:3000/api/datasources -> {"message":"Permission denied"}
curl http://admin:<password>#<fqdn>:3000/api/datasources -> a valid json object with the datasource etc....
But the security audit found also the access to the datasource proxy? API.
curl http://<fqdn>:3000/api/datasources/proxy/3/query?db=<db>\&q=SELECT+*+FROM+<ts>\&epoch=ms
So I can query with or without credentials ALWAYS the API.
Security audit: a Denial of Service (DoS) is possible, maybe some SQL injection.
I don't want discuss this topic here.
I have to close the access through the API. At least from other network segments.
Any hints?
Thanks in advance.
I'm a grafana beginner!
I do not complain, the security audit listed the two topics (DoS/SQL injection).
I didn't found any configuration possibilities (grafana.ini) about closing the proxy API interface (only data_source_whitelist-ing).
So, I added some rules into the NGIX config in front of the grafana server to
forbid the proxy API access -> throw 40x error.
Now the web UI is not able anymore to fetch and render the data in the UI.
My conclusion:
the grafana architecture define: the proxy API will be used by the web UIs.
with or without credentials: a user can fire a query (DoS) using the proxy API
with or without credentials: the query is pass through the proxy API to the datasource, potential sql injection is possible
I’m currently experimenting on Metaflow. I followed the documentation and was able to deploy an aws setup with the given cloud formation template.
My question is why is that I’m always getting a:
message: "Missing Authentication Token"
when I access METAFLOW_SERVICE_URL in the browser, even if I made sure that the APIBasicAuth was set to false during the creation of cloudformation?
Shouldn’t this setting make the metadata/metaflow service accessible without the authentication/api key?
How can I resolve this? Or is this expected? That is, I cannot really view the metadata/metaflow service url via browser?
Thanks in advance
This was resolved under this github issue.
You still need to set the x-api-key header if you are trying to access the service url via the browser. To get the api-key you can go to the aws console
Api Gateway -> Api Keys -> show api key
Alternatively you can use the metaflow client in the sagemaker notebook which should be automatically setup for you via the template.
Also worth mentioning that there are two sets of endpoints: The one provided by the api gateway (which you seem to be hitting) and the one provided by the service itself. The api gateway forwards the requests the the service endpoints but needs the x-api-key to be set in the header. You can probably try hitting the service endpoints directly since you disabled auth.
Is it possible to get access to events generated by User Account and Authentication (UAA) server in the context of Swisscom Application Cloud?
It is essential for me, to be able to have an audit trail of actions executed by authorised operators through the API (that would include cli and portal).
What I am looking for is an alternative of AWS CloudTrail for IAM module, that you can turn on for specific VPCs / regions there.
I have found this in the CF documentation (https://docs.cloudfoundry.org/loggregator/cc-uaa-logging.html) but that (as far as I understand it) requires infrastructure level access.
Thanks a lot for any hints.
We can't expose UAA logs to individual customers since it contains probably sensitive information about other users or the platform.
You should be able to retrieve the logs of your application in the application logs (which you can send to a syslog drain, i.e. the ELK/Elasticsearch service).
All API interactions should be covered by this log stream, according to the documentation:
Users make API calls to request changes in app state. Cloud Controller, the Cloud Foundry component responsible for the API, logs the actions that Cloud Controller takes in response.
For example:
2016-06-14T14:10:05.36-0700 [API/0] OUT Updated app with guid cdabc600-0b73-48e1-b7d2-26af2c63f933 ({"name"=>"spring-music", "instances"=>1, "memory"=>512, "environment_json"=>"PRIVATE DATA HIDDEN"})
From https://docs.cloudfoundry.org/devguide/deploy-apps/streaming-logs.html
I have my REST Service name getRates. Which accepts few inputs and gives out the loan rates. I wanted to use the API that I have with WSO2 Api Manager. I am not able to do it. I am not sure where and how to define the sample request/response code to check if my service is being hit or not. I have a URL to my Service but I want it to be used via WSO2 APi manager. Help me out with this
Question is too generic to give an exact answer. Please follow this guide to create a new API from scratch and add your backend service URL as 'Production Endpoint'. If you already have set this up and want to get an idea if the message flow is working correctly, enable wire logs as follows,
open log4j.properties file from a text editor.
log4j.properties file is located in /repository/conf directory.
Un-comment the following entry.
log4j.logger.org.apache.synapse.transport.http.wire=DEBUG
Get an idea about the wire logs from here. Explain the steps you tried already and mention if you get any errors.
I have ACL on for Consul, and have tried many ways to specify the token to use for service discovery. The config ACL token works fine, and the discovery ACL token works for registration (I can see my services in the Consul UI). I see the code for AgentConsulClient.agentServiceRegister() supports the token with this:
UrlParameters tokenParam = token != null ? new SingleUrlParameters("token", token) : null;
Nothing similar is supported in CatalogConsulClient, as far as I can tell. When called from Spring Cloud's ConsulDiscoveryClient, no token is passed, regardless of how it is set. Logs show the call being made without the token, and getting back a valid response with none of the registered services listed. I don't see how to have ACL on for registration but off for discovery. What am I missing? Is nobody actually using ACL if using discovery? (It works fine in the development environment with no ACL). Do I need to edit the source to add the token support from the agent service to the catalog service? Has anybody had success doing that?
BTW, could not tag this with spring-cloud-consul. Add it if you can.
ACL support for Consul catalog services is in consul-api v1.1.11 and will be (I hope) part of spring-cloud-consul 1.0.3.RELEASE. The 1.0.2.RELEASE version still uses consul-api-1.1.10. Update: confirmed to be in Camden.SR3.
Gradle:
'com.ecwid.consul:consul-api:1.1.11',
'org.springframework.cloud:spring-cloud-consul-dependencies:1.0.3.RELEASE'