matrix-docker-ansible-deploy

Expose Synapse Event Reports, used by mjolnir

Open chirayudesai opened this issue 1 year ago • 4 comments

Describe the solution you'd like

roles/matrix-synapse/vars/workers.yml to expose:

https://matrix-org.github.io/synapse/latest/admin_api/event_reports.html

Describe alternatives you've considered

I've tried adding:

- ^/_synapse/admin/v1/event_reports.*$
- ^/_synapse/admin/v1/event_reports/

without success

Additional context

This is for use with https://github.com/matrix-org/mjolnir report functionality.

Would this need to be added to https://github.com/matrix-org/synapse/raw/master/docs/workers.md first?

chirayudesai, Jul 08 '22 22:07

Have you tried enabling the Synapse Admin API?

By default, as per upstream recommendations, we don't expose /_synapse/admin endpoints publicly (e.g. https://matrix.DOMAIN/_synapse/admin), but they are available over the container network (http://matrix-synapse:8008/_synapse/admin).

We have a variable (matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled) which controls whether /_synapse/admin is exposed publicly or not. The playbook automatically sets this to true whenever certain components (synapse-admin, etc.) are enabled - check group_vars/matrix_servers.


If mjolnir can access the Synapse Admin API over the container network (not over the public interface), that would be a better solution.

Otherwise, we can consider auto-exposing the Synapse Admin API endpoints when Mjolnir is enabled. Not sure how critical this is to Mjolnir's operations. If it is critical, auto-exposing may be fine. If it's only some minor Mjolnir feature breaking (which most people may not care about), updating our Mjolnir setup documentation so that it mentions matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled may be preferable.

spantaleev, Jul 09 '22 05:07

> Have you tried enabling the Synapse Admin API?

I very clearly remember not enabling it :(

Works now :facepalm:

> By default, as per upstream recommendations, we don't expose /_synapse/admin endpoints publicly (e.g. https://matrix.DOMAIN/_synapse/admin), but they are available over the container network (http://matrix-synapse:8008/_synapse/admin).
>
> We have a variable (matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled) which controls whether /_synapse/admin is exposed publicly or not. The playbook automatically sets this to true whenever certain components (synapse-admin, etc.) are enabled - check group_vars/matrix_servers.
>
> If mjolnir can access the Synapse Admin API over the container network (not over the public interface), that would be a better solution.

Agreed. https://github.com/matrix-org/mjolnir/commit/ed68e02c4e34262d68a5ada3ba8afd47e979031a is what I wanted it for, which calls this.mjolnir.client.doRequest("GET", "/_synapse/admin/v1/event_reports")

CC: @jesopo - would it be possible to send this over the internal network somehow? Maybe a config?

Or perhaps configuring the reverse proxy needed for https://github.com/matrix-org/mjolnir/blob/9f872f78e1b6b470201cabbffbbd1d7ef1451658/config/default.yaml#L212 ?

> Otherwise, we can consider auto-exposing the Synapse Admin API endpoints when Mjolnir is enabled. Not sure how critical this is to Mjolnir's operations. If it is critical, auto-exposing may be fine. If it's only some minor Mjolnir feature breaking (which most people may not care about), updating our Mjolnir setup documentation so that it mentions matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled may be preferable.

It's not critical and not used by default.

You have to set pollReports: true in the config to use it.

chirayudesai, Jul 11 '22 14:07

Would you try setting homeserverUrl to {{ matrix_homeserver_container_url }} instead? This is where the homeserver can be reached over the container network.

The default we use is {{ matrix_homeserver_url }}, which is where the homeserver can be reached publicly (https://matrix.DOMAIN).

I wonder if Mjolnir works with a local URL to the homeserver only. You can try switching using:

matrix_bot_mjolnir_configuration_extension_yaml: |
  homeserverUrl: {{ matrix_homeserver_container_url|to_json }}
  # Consider enabling this too, if you wish
  # pollReports: true

Looking at the current sample configuration for Mjolnir here, it looks like it includes a new rawHomeserverUrl configuration setting, which will be used for accessing the reports. Strangely, it says:

> only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.

which seems to require a public URL, not an in-container one.

Still, if the above (homeserverUrl) thing doesn't work, you can also define rawHomeserverUrl in your matrix_bot_mjolnir_configuration_extension_yaml configuration. I suppose it won't hurt to try setting both to matrix_homeserver_container_url. Please give that a try and let us know! Or open a PR ;)

It's also interesting to try these without enabling the Synapse Admin API publicly (matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled). The best thing would be if we can get Mjolnir working with in-container homeserver URL addresses and without publicly exposing the Synapse Admin API. That way, we won't need any special changes and Mjolnir can be fully functional. We may even consider setting pollReports to true, since Mjolnir will be able to do that (and the alternative is to intercept abuse report API calls, which we can't do).

spantaleev, Jul 12 '22 04:07
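
A check for the end state discussed above (Mjolnir working while /_synapse/admin stays off the public interface), added here as an example and not taken from the playbook or from any participant in the thread. It assumes the reverse proxy answers an unforwarded admin path with a plain 404 and that Synapse answers an unauthenticated admin request with a Matrix JSON error body; the function names are hypothetical and https://matrix.example.org is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: report whether /_synapse/admin is forwarded to the
# homeserver by the public reverse proxy. No access token is sent, so the
# only question answered is "did the request reach Synapse?".

# Turn an HTTP status and response body into a verdict.
# Assumption: a Matrix-style JSON error ("errcode") means the homeserver
# itself answered, i.e. the admin path is being forwarded.
classify_admin_response() {
  local status="$1" body="$2"
  case "$status:$body" in
    000:*)            echo "unreachable" ;;   # curl could not connect
    *:*'"errcode"'*)  echo "exposed" ;;       # Synapse answered the request
    404:*)            echo "not-exposed" ;;   # proxy did not forward the path
    *)                echo "unknown" ;;       # inspect manually
  esac
}

# Probe the event_reports admin endpoint on the given base URL.
probe_admin_api() {
  local base="$1" tmp status verdict
  tmp="$(mktemp)"
  status="$(curl -sS -m 10 -o "$tmp" -w '%{http_code}' \
    "${base%/}/_synapse/admin/v1/event_reports" 2>/dev/null)" || status="000"
  verdict="$(classify_admin_response "$status" "$(cat "$tmp")")"
  rm -f "$tmp"
  echo "$verdict"
}

# Usage: ./check-admin-api.sh https://matrix.example.org   (placeholder URL)
if [ "$#" -gt 0 ]; then
  probe_admin_api "$1"
fi
```

Run it from a machine outside the server against the public URL: "not-exposed" there, combined with Mjolnir still polling reports, is the result the thread is aiming for.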

Did anyone get this working?

ghost, Aug 13 '22 19:08