Skip to content

bitsbeats/prometheus-acls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
internal
internal
 
 
vendor
vendor
 
 
.Dockerignore
.Dockerignore
 
 
.drone.yml
.drone.yml
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
prometheus-acls.yml
prometheus-acls.yml
 
 

Repository files navigation

prometheus-acls

Build Status Docker Pulls Go Report Card

A reverse proxy for prometheus that provides label based acls via oidc.

Prequisites

  • Running prometheus server
  • OpenID Connect server (i.e. Keycloak) with option to set custom fields in the Access Token
  • Grafana instance that authentificates with OpenID Connect

Configuration

Environment

Via environment you can configure all settings.

  • LISTEN: IP and port to to listen on (default :8080)
  • URL: URL for prometheus-acls, used to generate redirects, login and callback routes (e.g. https://promacl.example.com)
  • COOKIE_SECRET: Cookie Secret (should be 32 or 64 chars), autogenerated if empty
  • PROMETHEUS_URL: URL to the upstream Prometheus (default http://localhost:9090)
  • OIDC_ISSUER: URL to the OpenID Connect Sever (e.g. https://auth.example.com/auth/realms/users)
  • OIDC_CLIENT_ID: Oauth Client ID (e.g. grafana)
  • OIDC_CLIENT_SECRET: Oauth Client Secret (e.g. 12345678-1234-1234-1234-123456789abc)
  • OIDC_ROLES_CLAIM: Field in Acces Token to load the users role (default roles)
  • ACL_FILE: Full or relative path to acl configuration file (default prometheus-acls.yml)

prometheus-acls.yml:

The prometheus-acls.yml file is used to map roles to access rights.

# syntax:
#
# <rolename>:
#   <metricname>: <prometheus label matches>
#   # or
#   re!<regex>: <prometheus label matches>

developer:                # The keys match the OIDC_ROLES_CLAIM field of the access token.

  re!^awesome_app_:       # regex match for all metrics that stat with awesome_app_
    env=dev               # prometheus label match for dev env

  re!^node_:              # regex match for node exporter
    instance=~'.*\.lan$'  # prometheus label match for instances that end with .lan

  up: env!=dev,app=hal    # prometheus labels are handled by prometheus, so their complete
                          # syntax is supported

admin:                    # The keys match the OIDC_ROLES_CLAIM field of the access token.

  secret_app_:            # exact metric name
    ~                     # yaml null value will bock access to a metric

  '*':                    # wildchard match for all metrics
    ''                    # emty prometheus label match for NO RESTRICTIONS

Order of metric name matching:

  • Exact metric name
  • Regex metric name
  • Wildcard metric name
  • Default deny access

Best Practices:

  • Metric regex matches should be started with ^
  • Regex label matches are slower than exact matches

OIDC Provider

Example for keycloak:

  • Create a new client with Access Type confidential
  • Go to the clients mappers and add a new one
  • Most mappers should work e.g User Client Role
  • Set Token Claim Name to roles (if you change this you also need to supply $OIDC_ROLES_CLAIM to prometheus-acls)
  • Claim JSON Type is String
  • Add to access token must be on
  • Configure both Grafana and prometheus-acls with the same settings OIDC settings

Note: When you have multiple roles, the first one that is mentioned in prometheus-acls will be used. We currently use per client roles to avoid any conflics.

About

prometheus oauth acl reverse proxy

Topics

golang oauth grafana acl prometheus oidc

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

38 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 3

v0.1.2 Latest
Jul 30, 2020
+ 2 releases

Packages

No packages published

Languages