[
https://issues.apache.org/jira/browse/FLINK-38309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18017641#comment-18017641
]
Gabor Somogyi commented on FLINK-38309:
---------------------------------------
I'm just wondering what do you mean under "secured monitoring systems". I'm not
arguing here just want to know it.
> Add Basic Authentication Support to OpenTelemetry HTTP Metrics Reporter
> -----------------------------------------------------------------------
>
> Key: FLINK-38309
> URL: https://issues.apache.org/jira/browse/FLINK-38309
> Project: Flink
> Issue Type: Improvement
> Components: Runtime / Metrics
> Reporter: Kumar Mallikarjuna
> Priority: Major
>
> h3. Background
> The {{OpenTelemetryMetricReporter}} supports both HTTP and gRPC. Many
> production-grade OTLP receiver endpoints, such as those used in cloud
> monitoring platforms such as Prometheus have secure ingestion endpoints. A
> common requirement is for clients to authenticate using {*}HTTP Basic
> Authentication{*}.
> Currently, the reporter implementation does not provide a way to add custom
> headers, which is necessary to send the {{Authorization}} header required for
> Basic Auth. This limitation prevents users from integrating Flink with these
> secured monitoring systems.
> h3. Goal
> This ticket proposes adding native support for Basic Authentication to the
> Otel HTTP metrics reporter. This will enable users to securely export metrics
> to protected OTLP/HTTP endpoints by simply providing a username and password
> in the Flink configuration.
> h3. Acceptance Criteria
> * New configuration keys are introduced to the
> {{OpenTelemetryMetricReporter}} for specifying a username and password
> {code:java}
> metrics.reporter.otel.exporter.http.authentication.username
> metrics.reporter.otel.exporter.http.authentication.password {code}
> * When both a username and password are provided in the configuration, the
> reporter *must* add an {{Authorization: Basic <base64-encoded-credentials>}}
> header to every outgoing OTLP/HTTP request.
> * If the username and password configurations are not set, the reporter
> *must not* add an {{Authorization}} header.
> * The official Flink documentation for Metric Reporters is updated to
> include these new configuration options with a clear example.
> * Unit tests are added to validate that the {{Authorization}} header is
> correctly formatted and attached if and only if credentials are provided.
> h3. Proposed Implementation
> # Modify the {{OpenTelemetryMetricReporterFactory}} to read the new
> configuration values for username and password.
> # If the credentials are present, combine them in the format
> {{username:password}} and apply Base64 encoding.
> # Use the {{OtlpHttpMetricExporterBuilder.addHeader("Authorization", "Basic
> " + encodedString)}} method to configure the {{OtlpHttpMetricExporter}}
> instance.
> # Ensure that this logic is only applied when the exporter is configured for
> HTTP, not gRPC.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
