feat: allow prometheus for only authorized users (#12121)

allow restrictions on who can access Prometheus endpoint, additionally add prometheus as part of diagnostics canned policy. Signed-off-by: Harshavardhana <harsha@minio.io>
2025-11-10 14:09:48 -05:00 · 2021-04-22 18:55:30 -07:00
parent 4438124948
commit d0d67f9de0
3 changed files with 19 additions and 2 deletions
--- a/cmd/metrics.go
+++ b/cmd/metrics.go
@@ -23,6 +23,7 @@ import (
 	"time"

 	"github.com/minio/minio/cmd/logger"
+	iampolicy "github.com/minio/minio/pkg/iam/policy"
 	"github.com/minio/minio/pkg/madmin"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -751,11 +752,22 @@ func metricsHandler() http.Handler {
 // AuthMiddleware checks if the bearer token is valid and authorized.
 func AuthMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		claims, _, authErr := webRequestAuthenticate(r)
+		claims, owner, authErr := webRequestAuthenticate(r)
 		if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
 			w.WriteHeader(http.StatusForbidden)
 			return
 		}
+		// For authenticated users apply IAM policy.
+		if !globalIAMSys.IsAllowed(iampolicy.Args{
+			AccountName:     claims.AccessKey,
+			Action:          iampolicy.PrometheusAdminAction,
+			ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
+			IsOwner:         owner,
+			Claims:          claims.Map(),
+		}) {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
 		h.ServeHTTP(w, r)
 	})
 }