oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Authorize prometheus endpoint with bearer token (#7640)

Browse Source
master
Praveen raj Mani 5 years ago committed by kannappanr
parent 4925bc3e80
commit ad75683bde
5 changed files with 20 additions and 35 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      cmd/generic-handlers.go
  2. 2
      cmd/metrics-router.go
  3. 14
      cmd/metrics.go
  4. 8
      docs/metrics/README.md
  5. 29
      mint/run/core/healthcheck/healthcheck.go

2
cmd/generic-handlers.go
Unescape View File

@ -221,7 +221,7 @@ func guessIsMetricsReq(req *http.Request) bool {
return false
}
aType := getRequestAuthType(req)
return aType == authTypeAnonymous &&
return (aType == authTypeAnonymous || aType == authTypeJWT) &&
req.URL.Path == minioReservedBucketPath+prometheusMetricsPath
}

2
cmd/metrics-router.go
Unescape View File

@ -28,5 +28,5 @@ const (
func registerMetricsRouter(router *mux.Router) {
// metrics router
metricsRouter := router.NewRoute().PathPrefix(minioReservedBucketPath).Subrouter()
metricsRouter.Handle(prometheusMetricsPath, metricsHandler())
metricsRouter.Handle(prometheusMetricsPath, AuthMiddleware(metricsHandler()))
}

14
cmd/metrics.go
Unescape View File

@ -199,6 +199,7 @@ func (c *minioCollector) Collect(ch chan<- prometheus.Metric) {
}
func metricsHandler() http.Handler {
registry := prometheus.NewRegistry()
err := registry.Register(minioVersionInfo)
@ -222,4 +223,17 @@ func metricsHandler() http.Handler {
ErrorHandling: promhttp.ContinueOnError,
}),
)
}
// AuthMiddleware checks if the bearer token is valid and authorized.
func AuthMiddleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
claims, _, authErr := webRequestAuthenticate(r)
if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
w.WriteHeader(http.StatusForbidden)
return
}
h.ServeHTTP(w, r)
})
}

8
docs/metrics/README.md
Unescape View File

@ -1,10 +1,10 @@
## MinIO Monitoring Guide
MinIO server exposes monitoring data over un-authenticated endpoints so monitoring tools can pick the data without you having to share MinIO server credentials. This document lists the monitoring endpoints and relevant documentation.
MinIO server exposes monitoring data over endpoints. Monitoring tools can pick the data from these endpoints. This document lists the monitoring endpoints and relevant documentation.
### Healthcheck Probe
MinIO server has two healthcheck related endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load.
MinIO server has two healthcheck related un-authenticated endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load.
- Liveness probe available at `/minio/health/live`
- Readiness probe available at `/minio/health/ready`
@ -13,8 +13,8 @@ Read more on how to use these endpoints in [MinIO healthcheck guide](https://git
### Prometheus Probe
MinIO server exposes Prometheus compatible data on a single endpoint.
MinIO server exposes Prometheus compatible data on a single endpoint. By default, the endpoint is authenticated.
- Prometheus data available at `/minio/prometheus/metrics`
To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to use Prometheues to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md).
To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to configure and use Prometheus to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md).

29
mint/run/core/healthcheck/healthcheck.go
Unescape View File

@ -144,34 +144,6 @@ func testReadinessEndpoint(endpoint string) {
defer successLogger(function, nil, startTime).Info()
}
func testPrometheusEndpoint(endpoint string) {
startTime := time.Now()
function := "testPrometheusEndpoint"
u, err := url.Parse(fmt.Sprintf("%s%s", endpoint, prometheusPath))
if err != nil {
// Could not parse URL successfully
failureLog(function, nil, startTime, "", "URL Parsing for Healthcheck Prometheus handler failed", err).Fatal()
}
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr, Timeout: timeout}
resp, err := client.Get(u.String())
if err != nil {
// GET request errored
failureLog(function, nil, startTime, "", "GET request to Prometheus endpoint failed", err).Fatal()
}
if resp.StatusCode != http.StatusOK {
// Status not 200 OK
failureLog(function, nil, startTime, "", "GET /minio/prometheus/metrics returned non OK status", err).Fatal()
}
defer resp.Body.Close()
defer successLogger(function, nil, startTime).Info()
}
func main() {
endpoint := os.Getenv("SERVER_ENDPOINT")
secure := os.Getenv("ENABLE_HTTPS")
@ -191,5 +163,4 @@ func main() {
// execute tests
testLivenessEndpoint(endpoint)
testReadinessEndpoint(endpoint)
testPrometheusEndpoint(endpoint)
}

Write Preview
Loading…
Cancel
Save