MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-11 15:03:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

Authorize prometheus endpoint with bearer token (#7640)

Browse Source
This commit is contained in:
Praveen raj Mani 2019-09-22 20:27:12 +05:30 committed by kannappanr
parent 4925bc3e80
commit ad75683bde
5 changed files with 20 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/generic-handlers.go
View File

@ -221,7 +221,7 @@ func guessIsMetricsReq(req *http.Request) bool {
return false return false
} }
aType := getRequestAuthType(req) aType := getRequestAuthType(req)
return aType == authTypeAnonymous && return (aType == authTypeAnonymous || aType == authTypeJWT) &&
req.URL.Path == minioReservedBucketPath+prometheusMetricsPath req.URL.Path == minioReservedBucketPath+prometheusMetricsPath
} }

2
cmd/metrics-router.go
View File

@ -28,5 +28,5 @@ const (
func registerMetricsRouter(router *mux.Router) { func registerMetricsRouter(router *mux.Router) {
// metrics router // metrics router
metricsRouter := router.NewRoute().PathPrefix(minioReservedBucketPath).Subrouter() metricsRouter := router.NewRoute().PathPrefix(minioReservedBucketPath).Subrouter()
metricsRouter.Handle(prometheusMetricsPath, metricsHandler()) metricsRouter.Handle(prometheusMetricsPath, AuthMiddleware(metricsHandler()))
} }

14
cmd/metrics.go
View File

@ -199,6 +199,7 @@ func (c *minioCollector) Collect(ch chan<- prometheus.Metric) {
} }
func metricsHandler() http.Handler { func metricsHandler() http.Handler {
registry := prometheus.NewRegistry() registry := prometheus.NewRegistry()
err := registry.Register(minioVersionInfo) err := registry.Register(minioVersionInfo)
@ -222,4 +223,17 @@ func metricsHandler() http.Handler {
ErrorHandling: promhttp.ContinueOnError, ErrorHandling: promhttp.ContinueOnError,
}), }),
) )
}
// AuthMiddleware checks if the bearer token is valid and authorized.
func AuthMiddleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
claims, _, authErr := webRequestAuthenticate(r)
if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
w.WriteHeader(http.StatusForbidden)
return
}
h.ServeHTTP(w, r)
})
} }

8
docs/metrics/README.md
View File

@ -1,10 +1,10 @@
## MinIO Monitoring Guide ## MinIO Monitoring Guide
MinIO server exposes monitoring data over un-authenticated endpoints so monitoring tools can pick the data without you having to share MinIO server credentials. This document lists the monitoring endpoints and relevant documentation. MinIO server exposes monitoring data over endpoints. Monitoring tools can pick the data from these endpoints. This document lists the monitoring endpoints and relevant documentation.
### Healthcheck Probe ### Healthcheck Probe
MinIO server has two healthcheck related endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load. MinIO server has two healthcheck related un-authenticated endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load.
- Liveness probe available at `/minio/health/live` - Liveness probe available at `/minio/health/live`
- Readiness probe available at `/minio/health/ready` - Readiness probe available at `/minio/health/ready`
@ -13,8 +13,8 @@ Read more on how to use these endpoints in [MinIO healthcheck guide](https://git
### Prometheus Probe ### Prometheus Probe
MinIO server exposes Prometheus compatible data on a single endpoint. MinIO server exposes Prometheus compatible data on a single endpoint. By default, the endpoint is authenticated.
- Prometheus data available at `/minio/prometheus/metrics` - Prometheus data available at `/minio/prometheus/metrics`
To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to use Prometheues to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md). To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to configure and use Prometheus to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md).

29
mint/run/core/healthcheck/healthcheck.go
View File

@ -144,34 +144,6 @@ func testReadinessEndpoint(endpoint string) {
defer successLogger(function, nil, startTime).Info() defer successLogger(function, nil, startTime).Info()
} }
func testPrometheusEndpoint(endpoint string) {
startTime := time.Now()
function := "testPrometheusEndpoint"
u, err := url.Parse(fmt.Sprintf("%s%s", endpoint, prometheusPath))
if err != nil {
// Could not parse URL successfully
failureLog(function, nil, startTime, "", "URL Parsing for Healthcheck Prometheus handler failed", err).Fatal()
}
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr, Timeout: timeout}
resp, err := client.Get(u.String())
if err != nil {
// GET request errored
failureLog(function, nil, startTime, "", "GET request to Prometheus endpoint failed", err).Fatal()
}
if resp.StatusCode != http.StatusOK {
// Status not 200 OK
failureLog(function, nil, startTime, "", "GET /minio/prometheus/metrics returned non OK status", err).Fatal()
}
defer resp.Body.Close()
defer successLogger(function, nil, startTime).Info()
}
func main() { func main() {
endpoint := os.Getenv("SERVER_ENDPOINT") endpoint := os.Getenv("SERVER_ENDPOINT")
secure := os.Getenv("ENABLE_HTTPS") secure := os.Getenv("ENABLE_HTTPS")
@ -191,5 +163,4 @@ func main() {
// execute tests // execute tests
testLivenessEndpoint(endpoint) testLivenessEndpoint(endpoint)
testReadinessEndpoint(endpoint) testReadinessEndpoint(endpoint)
testPrometheusEndpoint(endpoint)
} }