Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[improve][monitor] Metrics: allow to configure a set of roles for the scrapers #53

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

[improve][monitor] Metrics: allow to configure a set of roles for the scrapers #53

wants to merge 9 commits into from

Conversation

nicoloboschi
Copy link
Owner

@nicoloboschi nicoloboschi commented Feb 8, 2023
edited
Loading

Motivation

For the metrics endpoints for the Pulsar services (broker, proxy, functions-worker) it would be handy to configure dedicated "service" roles that have grain-fined permission to only scrape the metrics.

Changes

The metrics impacted are on broker, proxy, and functions worker.
Currently the default config values for "authenticateMetricsEndpoint" are:

  • broker: false
  • proxy: true
  • functionsWorker: true
    It's not intended to change these values in this pull request.

For all the above services, we add two new configurations:

  • metricsRoles=
  • authorizeMetricsEndpoint=true

Before this change, any authenticated users could see the metrics if authenticateMetricsEndpoint=true.
After this change, the logic is:

  • if authenticationEnabled=true AND authenticateMetricsEndpoint=true AND authorizationEnabled=true AND authorizeMetricsEndpoint=true => you need to be either a metricsRole user or a superUser user (if metricsRoles is empty, only superUser can access metrics)
  • if authenticationEnabled=true AND authenticateMetricsEndpoint=true => you need to be authenticated as before this change

Since the default value of authorizeMetricsEndpoint is true, after the upgrade, the effects are:

  • non super users are NOT able to get metrics anymore
  • super users are able to get metrics

At this point the operator must consider to either

  • adding non-super users to "metricsRoles" OR
  • leave the config as is.

If the operator wants to leave anyone authenticated with the metrics access - so rollback to the previous behaviour, they have to set authorizeMetricsEndpoint=false before upgrading the code.

Modifications

  • Added a new config in the broker, proxy, function-worker authorizeMetricsEndpoint=true.
    authorizeMetricsEndpoint only takes effect if authenticateMetricsEndpoint is also true.
    The authorization model relies on being a super user role or a metrics role.
  • Added a new config in the broker, proxy, function-worker metricsRoles, a set of roles separated by a comma.

Only metricsRoles or superuser are allowed to get the metrics endpoints.

The impacted metrics endpoints are:

Broker:

  • /metrics/
  • /admin/v2/worker-stats/*

Functions Worker:

  • /metrics/
  • /admin/v2/worker-stats/*

Proxy:

  • /metrics/
  • /admin/v2/proxy-stats

Verifying this change

  • Make sure that the change passes the CI checks.

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@github-actions
Copy link

The pr had no activity for 30 days, mark with Stale label.

@github-actions github-actions bot added the Stale label Mar 11, 2023
@nicoloboschi nicoloboschi marked this pull request as ready for review May 5, 2023 13:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nicoloboschi