elek commented on issue #751: HDDS-3321. Prometheus endpoint should not have Authentication filter …

URL: https://github.com/apache/hadoop-ozone/pull/751#issuecomment-610920020

> Prometheus does not directly support basic authentication (aka "basic auth") for connections to the Prometheus expression browser and HTTP API

It seems to be a different question: about how to authenticate the Prometheus server itself (API and UI). It can be an interesting question when Recon will read data from Prometheus via the Prometheus API, but that's a different story, IMHO.

As far as I understood, the current PR is about the security of the Ozone `/prom` endpoints (as we assume that Prometheus is provided by the environment and is secured).

Based on the Prometheus documentation it seems to be possible with a few lines of code, as Prometheus supports Bearer tokens: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config

```
# Sets the `Authorization` header on every scrape request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file`.
[ bearer_token: <secret> ]
```

It seems to be enough to modify the `PrometheusServlet`:

```java
// PrometheusServlet.java (excerpt); needs java.security.MessageDigest and
// java.nio.charset.StandardCharsets in addition to the servlet imports.
public static final String SECURITY_TOKEN = "PROMETHEUS_SECURITY_TOKEN";
public static final String BEARER = "Bearer";

public PrometheusMetricsSink getPrometheusSink() {
  return (PrometheusMetricsSink) getServletContext().getAttribute(
      BaseHttpServer.PROMETHEUS_SINK);
}

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
    throws ServletException, IOException {
  // The token is optional: when no attribute is set the endpoint stays open.
  String securityToken =
      (String) getServletContext().getAttribute(SECURITY_TOKEN);
  if (securityToken != null
      && !bearerTokenMatches(securityToken, req.getHeader("Authorization"))) {
    resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
    return;
  }
  // Existing behaviour: write the metrics in Prometheus exposition format.
  getPrometheusSink().writeMetrics(resp.getWriter());
  resp.getWriter().flush();
}

// Accepts exactly "Bearer <token>". Requiring the trailing space means a bare
// "Bearer" header is rejected instead of throwing on substring(), and
// MessageDigest.isEqual compares in constant time so response timing does not
// leak how much of the token matched.
private static boolean bearerTokenMatches(String expected, String header) {
  String prefix = BEARER + " ";
  if (header == null || !header.startsWith(prefix)) {
    return false;
  }
  return MessageDigest.isEqual(
      expected.getBytes(StandardCharsets.UTF_8),
      header.substring(prefix.length()).getBytes(StandardCharsets.UTF_8));
}
```

And we should set the configuration in the `BaseHttpServer.java`:

```java
if (prometheusSupport) {
  prometheusMetricsSink = new PrometheusMetricsSink();
  httpServer.getWebAppContext().getServletContext()
      .setAttribute(PROMETHEUS_SINK, prometheusMetricsSink);
  // A null value (option not configured) leaves the endpoint unauthenticated.
  httpServer.getWebAppContext().getServletContext()
      .setAttribute(PrometheusServlet.SECURITY_TOKEN,
          conf.get("hdds.prometheus.endpoint.token"));
  httpServer.addServlet("prometheus", "/prom", PrometheusServlet.class);
}
```

And it works well with the following configuration:

```
scrape_configs:
  - job_name: ozone
    bearer_token: <putyourtokenhere>
    metrics_path: /prom
    static_configs:
      - targets:
          - "127.0.0.1:9876"
```

What do you think?
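The bearer-token gate from the comment above, exercised end to end as an added example (Python, not code from the Ozone PR or from apache/hadoop-ozone): a minimal server that guards `/prom` the way the servlet does, and a client that sends the same `Authorization: Bearer <token>` header a `scrape_config` with `bearer_token` produces. The path, the sample metrics text and the token value are constructed for the example. It differs from the PR's code on purpose in two places: the scheme is matched case-insensitively and a bare `Bearer` with no token is rejected rather than raising, as RFC 6750 requires, and it answers 401 with `WWW-Authenticate` instead of 403 because that is the status RFC 6750 prescribes (Prometheus treats any non-2xx as a failed scrape either way).

```python
"""Bearer-token gate in front of a metrics endpoint, plus a client that
behaves like a Prometheus scrape (Authorization: Bearer <token>).

Added example, not code from apache/hadoop-ozone or the PR. The Ozone
servlet performs the same check in Java; this stand-alone version exists
so the edge cases can be exercised offline. METRICS_PATH, SAMPLE_METRICS
and the token in demo() are assumptions constructed for the example.
"""
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

METRICS_PATH = "/prom"  # same path as the Ozone endpoint
BEARER = "Bearer"
# Constructed exposition-format body; Ozone writes its real metrics here.
SAMPLE_METRICS = b"# TYPE up gauge\nup 1\n"


def bearer_token_ok(authorization_header, expected_token):
    """Return True only if the header is 'Bearer <expected_token>'.

    expected_token None means no token is configured: the endpoint is open.
    The scheme is case-insensitive (RFC 6750), a bare 'Bearer' is rejected
    instead of raising, and the comparison is constant-time so timing does
    not reveal how much of the token matched.
    """
    if expected_token is None:
        return True
    if authorization_header is None:
        return False
    parts = authorization_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != BEARER.lower():
        return False
    return hmac.compare_digest(parts[1].strip().encode(), expected_token.encode())


class PromHandler(BaseHTTPRequestHandler):
    token = None  # overridden per server instance; None disables the check

    def do_GET(self):
        if self.path != METRICS_PATH:
            self.send_error(404)
            return
        if not bearer_token_ok(self.headers.get("Authorization"), self.token):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="ozone"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; version=0.0.4")
        self.end_headers()
        self.wfile.write(SAMPLE_METRICS)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(token):
    """Start a gated metrics server on an ephemeral port; return (server, port)."""
    handler = type("Handler", (PromHandler,), {"token": token})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def scrape(port, token=None):
    """Fetch /prom the way a Prometheus scrape with `bearer_token` would.

    A configured token becomes 'Authorization: Bearer <token>', exactly the
    header scrape_config sends. Returns (status, body).
    """
    req = urllib.request.Request(f"http://127.0.0.1:{port}{METRICS_PATH}")
    if token is not None:
        req.add_header("Authorization", f"{BEARER} {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def demo():
    """Run the three scrapes a reviewer would try; return their status codes."""
    server, port = start_server("s3cr3t-scrape-token")  # constructed token
    try:
        return (
            scrape(port)[0],                         # no header:     401
            scrape(port, "wrong")[0],                # wrong token:   401
            scrape(port, "s3cr3t-scrape-token")[0],  # correct token: 200
        )
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Running the module prints `(401, 401, 200)`. The token is compared as UTF-8 bytes with `hmac.compare_digest`, the Python counterpart of `MessageDigest.isEqual`; a plain string `equals` returns as soon as the first byte differs, which is measurable over a LAN for a scrape endpoint that is hit every few seconds.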
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
