Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security in Prometheus exporter #2400

Closed
fmhwong opened this issue Mar 3, 2022 · 7 comments
Closed

Security in Prometheus exporter #2400

fmhwong opened this issue Mar 3, 2022 · 7 comments
Assignees
@yurishkuro
Labels
area:sdk Related to the SDK help wanted Extra attention is needed spec:metrics Related to the specification/metrics directory triage:deciding:community-feedback Open to community discussion. If the community can provide sufficient reasoning, it may be accepted

Comments

@fmhwong
Copy link

fmhwong commented Mar 3, 2022

What are you trying to achieve?
In the current spec for the Prometheus exporter https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/metrics/sdk_exporters/prometheus.md, it doesn't mention anything about securing the metrics endpoint.

When using the automatic instrumentation opentelemetry-javaagent.jar and the Prometheus exporter is enabled, the metrics endpoint (e.g. http://localhost:9464/) is not protected.

What did you expect to see?
There should be an option to use https and have the metrics endpoint protected by

  • username/password
  • OpenShift service account token

Additional context.

Add any other context about the problem here. If you followed an existing documentation, please share the link to it.
@fmhwong fmhwong added the spec:metrics Related to the specification/metrics directory label Mar 3, 2022
@fmhwong fmhwong mentioned this issue Mar 3, 2022
Closed
@yurishkuro yurishkuro added the help wanted Extra attention is needed label Mar 3, 2022
@reyang reyang added area:sdk Related to the SDK release:allowed-for-ga Editorial changes that can still be added before GA since they don't require action by SIGs labels Mar 11, 2022
@sandeepsharat
Copy link

sandeepsharat commented Aug 16, 2023
edited
Loading

Under which version is this feature released?...

@dyladan
Copy link
Member

dyladan commented Aug 21, 2023

@sandeepsharat it is no released. This is a feature request

@dashpole dashpole mentioned this issue Feb 8, 2024
Open
@mtwo mtwo added triage:deciding:community-feedback Open to community discussion. If the community can provide sufficient reasoning, it may be accepted and removed release:allowed-for-ga Editorial changes that can still be added before GA since they don't require action by SIGs labels Jul 9, 2024
@mtwo
Copy link
Member

mtwo commented Jul 9, 2024

Chiming in during triage - this seems very useful. Tagging @open-telemetry/wg-prometheus for their comments.

@dashpole
Copy link
Contributor

dashpole commented Jul 9, 2024

This is a good idea, but might only apply to auto-instrumentation. From looking at manual instrumentation in a few languages, it looks like most allow you to either replace the HTTP handler, serve the endpoint using the prometheus client library, or require you to serve the http endpoint yourself.

@github-actions github-actions bot added the triage:followup Needs follow up during triage label Sep 19, 2024
@trask
Copy link
Member

trask commented Sep 24, 2024

This is a good idea, but might only apply to auto-instrumentation. From looking at manual instrumentation in a few languages, it looks like most allow you to either replace the HTTP handler, serve the endpoint using the prometheus client library, or require you to serve the http endpoint yourself.

@dashpole do you think there's something we should add to the spec to support this, or should people open issues directly with various implementations to support it? thanks

@trask trask removed the triage:followup Needs follow up during triage label Sep 24, 2024
@github-actions github-actions bot added the triage:followup Needs follow up during triage label Sep 25, 2024
@dashpole
Copy link
Contributor

dashpole commented Sep 25, 2024
edited
Loading

@dashpole do you think there's something we should add to the spec to support this, or should people open issues directly with various implementations to support it? thanks

I would recommend people open issues directly with implementations, since most prometheus exporters don't directly configure the endpoint. I'm generally a in favor of using prometheus client libraries (which is recommended by the current spec) for serving, and think any additional capabilities around securing the endpoint probably belongs in prometheus clients, rather than in OTel. For things like auto-instrumentation, where we configure the endpoint, we should try and "pass through" configuration to prometheus client libraries as much as possible, rather than re-invent the wheel, and try to direct people to the prometheus clients if there are feature gaps.

@trask
Copy link
Member

trask commented Sep 25, 2024

Thanks, makes sense, let's try this and people can loop back here as needed.

@trask trask closed this as completed Sep 25, 2024
@svrnm svrnm removed the triage:followup Needs follow up during triage label Sep 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yurishkuro yurishkuro

Labels
area:sdk Related to the SDK help wanted Extra attention is needed spec:metrics Related to the specification/metrics directory triage:deciding:community-feedback Open to community discussion. If the community can provide sufficient reasoning, it may be accepted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@trask @mtwo @svrnm @dyladan @dashpole @yurishkuro @sandeepsharat @reyang @fmhwong