Authorize prometheus endpoint with bearer token (#7640)

2025-01-11 15:03:22 -05:00 · 2019-09-22 20:27:12 +05:30 · 2019-09-22 20:27:12 +05:30 · ad75683bde
commit ad75683bde
parent 4925bc3e80
5 changed files with 20 additions and 35 deletions
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@ -221,7 +221,7 @@ func guessIsMetricsReq(req *http.Request) bool {
 		return false
 	}
 	aType := getRequestAuthType(req)
-	return aType == authTypeAnonymous &&
+	return (aType == authTypeAnonymous || aType == authTypeJWT) &&
 		req.URL.Path == minioReservedBucketPath+prometheusMetricsPath
 }

--- a/cmd/metrics-router.go
+++ b/cmd/metrics-router.go
@ -28,5 +28,5 @@ const (
 func registerMetricsRouter(router *mux.Router) {
 	// metrics router
 	metricsRouter := router.NewRoute().PathPrefix(minioReservedBucketPath).Subrouter()
-	metricsRouter.Handle(prometheusMetricsPath, metricsHandler())
+	metricsRouter.Handle(prometheusMetricsPath, AuthMiddleware(metricsHandler()))
 }
--- a/cmd/metrics.go
+++ b/cmd/metrics.go
@ -199,6 +199,7 @@ func (c *minioCollector) Collect(ch chan<- prometheus.Metric) {
 }

 func metricsHandler() http.Handler {
+
 	registry := prometheus.NewRegistry()

 	err := registry.Register(minioVersionInfo)
@ -222,4 +223,17 @@ func metricsHandler() http.Handler {
 				ErrorHandling: promhttp.ContinueOnError,
 			}),
 	)
+
+}
+
+// AuthMiddleware checks if the bearer token is valid and authorized.
+func AuthMiddleware(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		claims, _, authErr := webRequestAuthenticate(r)
+		if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
 }
--- a/docs/metrics/README.md
+++ b/docs/metrics/README.md
@ -1,10 +1,10 @@
 ## MinIO Monitoring Guide

-MinIO server exposes monitoring data over un-authenticated endpoints so monitoring tools can pick the data without you having to share MinIO server credentials. This document lists the monitoring endpoints and relevant documentation.
+MinIO server exposes monitoring data over endpoints. Monitoring tools can pick the data from these endpoints. This document lists the monitoring endpoints and relevant documentation.

 ### Healthcheck Probe

-MinIO server has two healthcheck related endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load.
+MinIO server has two healthcheck related un-authenticated endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load.

 - Liveness probe available at `/minio/health/live`
 - Readiness probe available at `/minio/health/ready`
@ -13,8 +13,8 @@ Read more on how to use these endpoints in [MinIO healthcheck guide](https://git

 ### Prometheus Probe

-MinIO server exposes Prometheus compatible data on a single endpoint.
+MinIO server exposes Prometheus compatible data on a single endpoint. By default, the endpoint is authenticated.

 - Prometheus data available at `/minio/prometheus/metrics`

-To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to use Prometheues to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md).
+To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to configure and use Prometheus to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md).
--- a/mint/run/core/healthcheck/healthcheck.go
+++ b/mint/run/core/healthcheck/healthcheck.go
@ -144,34 +144,6 @@ func testReadinessEndpoint(endpoint string) {
 	defer successLogger(function, nil, startTime).Info()
 }

-func testPrometheusEndpoint(endpoint string) {
-	startTime := time.Now()
-	function := "testPrometheusEndpoint"
-
-	u, err := url.Parse(fmt.Sprintf("%s%s", endpoint, prometheusPath))
-	if err != nil {
-		// Could not parse URL successfully
-		failureLog(function, nil, startTime, "", "URL Parsing for Healthcheck Prometheus handler failed", err).Fatal()
-	}
-
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr, Timeout: timeout}
-	resp, err := client.Get(u.String())
-	if err != nil {
-		// GET request errored
-		failureLog(function, nil, startTime, "", "GET request to Prometheus endpoint failed", err).Fatal()
-	}
-	if resp.StatusCode != http.StatusOK {
-		// Status not 200 OK
-		failureLog(function, nil, startTime, "", "GET /minio/prometheus/metrics returned non OK status", err).Fatal()
-	}
-
-	defer resp.Body.Close()
-	defer successLogger(function, nil, startTime).Info()
-}
-
 func main() {
 	endpoint := os.Getenv("SERVER_ENDPOINT")
 	secure := os.Getenv("ENABLE_HTTPS")
@ -191,5 +163,4 @@ func main() {
 	// execute tests
 	testLivenessEndpoint(endpoint)
 	testReadinessEndpoint(endpoint)
-	testPrometheusEndpoint(endpoint)
 }