[jira] [Updated] (FLINK-38309) Add Basic Authentication Support to OpenTelemetry HTTP Metrics Reporter

Kumar Mallikarjuna (Jira) Tue, 02 Sep 2025 03:16:49 -0700


     [ 
https://issues.apache.org/jira/browse/FLINK-38309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Kumar Mallikarjuna updated FLINK-38309:
---------------------------------------
    Description: 
h3. Background

The {{OpenTelemetryMetricReporter}} supports both HTTP and gRPC. Many 
production-grade OTLP receiver endpoints, such as those used in cloud 
monitoring platforms such as Prometheus have secure ingestion endpoints. A 
common requirement is for clients to authenticate using {*}HTTP Basic 
Authentication{*}.

Currently, the reporter implementation does not provide a way to add custom 
headers, which is necessary to send the {{Authorization}} header required for 
Basic Auth. This limitation prevents users from integrating Flink with these 
secured monitoring systems.
h3. Goal

This ticket proposes adding native support for Basic Authentication to the Otel 
HTTP metrics reporter. This will enable users to securely export metrics to 
protected OTLP/HTTP endpoints by simply providing a username and password in 
the Flink configuration.
h3. Acceptance Criteria
 * New configuration keys are introduced to the {{OpenTelemetryMetricReporter}} 
for specifying a username and password. For example:

 * 
 ** {{metrics.reporter.otel.exporter.http.authentication.username}}

 * 
 ** {{metrics.reporter.otel.exporter.http.authentication.password}}

 * When both a username and password are provided in the configuration, the 
reporter *must* add an {{Authorization: Basic <base64-encoded-credentials>}} 
header to every outgoing OTLP/HTTP request.

 * If the username and password configurations are not set, the reporter *must 
not* add an {{Authorization}} header.

 * The official Flink documentation for Metric Reporters is updated to include 
these new configuration options with a clear example.

 * Unit tests are added to validate that the {{Authorization}} header is 
correctly formatted and attached if and only if credentials are provided.

h3. Proposed Implementation
 # Modify the {{OpenTelemetryMetricReporterFactory}} to read the new 
configuration values for username and password.
 # If the credentials are present, combine them in the format 
{{username:password}} and apply Base64 encoding.
 # Use the {{OtlpHttpMetricExporterBuilder.addHeader("Authorization", "Basic " 
+ encodedString)}} method to configure the {{OtlpHttpMetricExporter}} instance.
 # Ensure that this logic is only applied when the exporter is configured for 
HTTP, not gRPC.

  was:
h3. Background

The {{OpenTelemetryMetricReporter}} supports both HTTP and gRPC. Many 
production-grade OTLP receiver endpoints, such as those used in cloud 
monitoring platforms such as Prometheus have secure ingestion endpoints. A 
common requirement is for clients to authenticate using {*}HTTP Basic 
Authentication{*}.

Currently, the reporter implementation does not provide a way to add custom 
headers, which is necessary to send the {{Authorization}} header required for 
Basic Auth. This limitation prevents users from integrating Flink with these 
secured monitoring systems.
h3. Goal

This ticket proposes adding native support for Basic Authentication to the Otel 
HTTP metrics reporter. This will enable users to securely export metrics to 
protected OTLP/HTTP endpoints by simply providing a username and password in 
the Flink configuration.
h3. Acceptance Criteria
 * New configuration keys are introduced to the {{OpenTelemetryMetricReporter}} 
for specifying a username and password. For example:

 ** {{metrics.reporter.otel.exporter.http.authentication.username}}

 ** {{metrics.reporter.otel.exporter.http.authentication.password}}

 * When both a username and password are provided in the configuration, the 
reporter *must* add an {{Authorization: Basic <base64-encoded-credentials>}} 
header to every outgoing OTLP/HTTP request.

 * If the username and password configurations are not set, the reporter *must 
not* add an {{Authorization}} header.

 * The official Flink documentation for Metric Reporters is updated to include 
these new configuration options with a clear example.

 * Unit tests are added to validate that the {{Authorization}} header is 
correctly formatted and attached if and only if credentials are provided.

h3. Proposed Implementation
 # Modify the {{OpenTelemetryMetricReporterFactory}} to read the new 
configuration values for username and password.

 # If the credentials are present, combine them in the format 
{{username:password}} and apply Base64 encoding.

 # Use the {{OtlpHttpMetricExporterBuilder.addHeader("Authorization", "Basic " 
+ encodedString)}} method to configure the {{OtlpHttpMetricExporter}} instance.

 # Ensure that this logic is only applied when the exporter is configured for 
HTTP, not gRPC.


> Add Basic Authentication Support to OpenTelemetry HTTP Metrics Reporter
> -----------------------------------------------------------------------
>
>                 Key: FLINK-38309
>                 URL: https://issues.apache.org/jira/browse/FLINK-38309
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / Metrics
>            Reporter: Kumar Mallikarjuna
>            Priority: Major
>
> h3. Background
> The {{OpenTelemetryMetricReporter}} supports both HTTP and gRPC. Many 
> production-grade OTLP receiver endpoints, such as those used in cloud 
> monitoring platforms such as Prometheus have secure ingestion endpoints. A 
> common requirement is for clients to authenticate using {*}HTTP Basic 
> Authentication{*}.
> Currently, the reporter implementation does not provide a way to add custom 
> headers, which is necessary to send the {{Authorization}} header required for 
> Basic Auth. This limitation prevents users from integrating Flink with these 
> secured monitoring systems.
> h3. Goal
> This ticket proposes adding native support for Basic Authentication to the 
> Otel HTTP metrics reporter. This will enable users to securely export metrics 
> to protected OTLP/HTTP endpoints by simply providing a username and password 
> in the Flink configuration.
> h3. Acceptance Criteria
>  * New configuration keys are introduced to the 
> {{OpenTelemetryMetricReporter}} for specifying a username and password. For 
> example:
>  * 
>  ** {{metrics.reporter.otel.exporter.http.authentication.username}}
>  * 
>  ** {{metrics.reporter.otel.exporter.http.authentication.password}}
>  * When both a username and password are provided in the configuration, the 
> reporter *must* add an {{Authorization: Basic <base64-encoded-credentials>}} 
> header to every outgoing OTLP/HTTP request.
>  * If the username and password configurations are not set, the reporter 
> *must not* add an {{Authorization}} header.
>  * The official Flink documentation for Metric Reporters is updated to 
> include these new configuration options with a clear example.
>  * Unit tests are added to validate that the {{Authorization}} header is 
> correctly formatted and attached if and only if credentials are provided.
> h3. Proposed Implementation
>  # Modify the {{OpenTelemetryMetricReporterFactory}} to read the new 
> configuration values for username and password.
>  # If the credentials are present, combine them in the format 
> {{username:password}} and apply Base64 encoding.
>  # Use the {{OtlpHttpMetricExporterBuilder.addHeader("Authorization", "Basic 
> " + encodedString)}} method to configure the {{OtlpHttpMetricExporter}} 
> instance.
>  # Ensure that this logic is only applied when the exporter is configured for 
> HTTP, not gRPC.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (FLINK-38309) Add Basic Authentication Support to OpenTelemetry HTTP Metrics Reporter

Reply via email to