Ingester: allow only POST method on /ingester/shutdown

Signed-off-by: Kevin Mingtarja <[email protected]>

CHANGELOG.md

@@ -179,6 +179,7 @@
 * [BUGFIX] Fix metadata API using wrong JSON field names. #7475
 * [BUGFIX] Ruler: fix native histogram recording rule result corruption. #7552
 * [BUGFIX] Querier: fix HTTP status code translations for remote read requests. Previously, remote-read had conflicting behaviours: when returning samples all internal errors were translated to HTTP 400; when returning chunks all internal errors were translated to HTTP 500. #7487
+* [CHANGE] Ingester: allow only POST method on `/ingester/shutdown`, as previously it was too easy to accidentally trigger through GET requests. At the same time, add an option to keep the existing behavior by introducing an `-ingester.allow-get-request-for-shutdown` flag. This flag will be removed in Mimir 2.14. #7707
 
 ### Mixin
 

cmd/mimir/config-descriptor.json

@@ -96,6 +96,17 @@
           "fieldType": "boolean",
           "fieldCategory": "deprecated"
         },
+        {
+          "kind": "field",
+          "name": "allow_get_request_for_ingester_shutdown",
+          "required": false,
+          "desc": "If true, allow GET requests to the /ingester/shutdown endpoint to trigger an ingester shutdown. This is a potentially dangerous operation and should only be enabled consciously.",
+          "fieldValue": null,
+          "fieldDefaultValue": false,
+          "fieldFlag": "ingester.allow-get-request-for-shutdown",
+          "fieldType": "boolean",
+          "fieldCategory": "deprecated"
+        },
         {
           "kind": "field",
           "name": "alertmanager_http_prefix",

cmd/mimir/help-all.txt.tmpl

@@ -1267,6 +1267,8 @@ Usage of ./cmd/mimir/mimir:
     	After what time a series is considered to be inactive. (default 10m0s)
   -ingester.active-series-metrics-update-period duration
     	How often to update active series metrics. (default 1m0s)
+  -ingester.allow-get-request-for-shutdown
+    	If true, allow GET requests to the /ingester/shutdown endpoint to trigger an ingester shutdown. This is a potentially dangerous operation and should only be enabled consciously. (default false)
   -ingester.client.backoff-max-period duration
     	Maximum delay when backing off. (default 10s)
   -ingester.client.backoff-min-period duration

docs/sources/mimir/configure/configuration-parameters/index.md

@@ -146,6 +146,12 @@ api:
   # CLI flag: -distributor.enable-otlp-metadata-storage
   [enable_otel_metadata_translation: <boolean> | default = true]
 
+  # (deprecated) If true, allow GET requests to the /ingester/shutdown endpoint
+  # to trigger an ingester shutdown. This is a potentially dangerous operation
+  # and should only be enabled consciously.
+  # CLI flag: -ingester.allow-get-request-for-shutdown
+  [allow_get_request_for_ingester_shutdown: <boolean> | default = false]
+
   # (advanced) HTTP URL path under which the Alertmanager ui and api will be
   # served.
   # CLI flag: -http.alertmanager-http-prefix

pkg/api/api.go

@@ -53,6 +53,9 @@ type Config struct {
 	// TODO: Remove option in Mimir 2.14.
 	EnableOtelMetadataStorage bool `yaml:"enable_otel_metadata_translation" category:"deprecated"`
 
+	// TODO: Remove option in Mimir 2.14.
+	AllowGETRequestForIngesterShutdown bool `yaml:"allow_get_request_for_ingester_shutdown" category:"deprecated"`
+
 	AlertmanagerHTTPPrefix string `yaml:"alertmanager_http_prefix" category:"advanced"`
 	PrometheusHTTPPrefix   string `yaml:"prometheus_http_prefix" category:"advanced"`
 
@@ -71,6 +74,7 @@ type Config struct {
 func (cfg *Config) RegisterFlags(f *flag.FlagSet) {
 	f.BoolVar(&cfg.SkipLabelNameValidationHeader, "api.skip-label-name-validation-header-enabled", false, "Allows to skip label name validation via X-Mimir-SkipLabelNameValidation header on the http write path. Use with caution as it breaks PromQL. Allowing this for external clients allows any client to send invalid label names. After enabling it, requests with a specific HTTP header set to true will not have label names validated.")
 	f.BoolVar(&cfg.EnableOtelMetadataStorage, "distributor.enable-otlp-metadata-storage", true, "If true, store metadata when ingesting metrics via OTLP. This makes metric descriptions and types available for metrics ingested via OTLP.")
+	f.BoolVar(&cfg.AllowGETRequestForIngesterShutdown, "ingester.allow-get-request-for-shutdown", false, "If true, allow GET requests to the /ingester/shutdown endpoint to trigger an ingester shutdown. This is a potentially dangerous operation and should only be enabled consciously.")
 	cfg.RegisterFlagsWithPrefix("", f)
 }
 
@@ -296,7 +300,10 @@ func (a *API) RegisterIngester(i Ingester) {
 	a.RegisterRoute("/ingester/flush", http.HandlerFunc(i.FlushHandler), false, true, "GET", "POST")
 	a.RegisterRoute("/ingester/prepare-shutdown", http.HandlerFunc(i.PrepareShutdownHandler), false, true, "GET", "POST", "DELETE")
 	a.RegisterRoute("/ingester/prepare-partition-downscale", http.HandlerFunc(i.PreparePartitionDownscaleHandler), false, true, "GET", "POST", "DELETE")
-	a.RegisterRoute("/ingester/shutdown", http.HandlerFunc(i.ShutdownHandler), false, true, "GET", "POST")
+	a.RegisterRoute("/ingester/shutdown", http.HandlerFunc(i.ShutdownHandler), false, true, "POST")
+	if a.cfg.AllowGETRequestForIngesterShutdown {
+		a.RegisterDeprecatedRoute("/ingester/shutdown", http.HandlerFunc(i.ShutdownHandler), false, true, "GET")
+	}
 	a.RegisterRoute("/ingester/tsdb_metrics", http.HandlerFunc(i.UserRegistryHandler), true, true, "GET")
 
 	a.indexPage.AddLinks(defaultWeight, "Ingester", []IndexPageLink{