Prometheus metrics path /minio/v2/metrics/cluster returns 403 with generated bearer token #12975
Comments
I have been generating and testing this locally with the configured user, and it works fine in all scenarios. Just use credentials that have sufficient permissions.
This is not mentioned in the documentation anywhere; that should probably be fixed. Not only because this permission is required, but also because it's now clear to me that the bearer token does not have a policy applied to it to restrict permissions to only what's required for the metrics endpoint, making it a security concern. That said, I've done further testing based on your feedback, and the problem appears to be that if you're logged in via a service account, no matter what permissions you have, the generated bearer token is unable to authenticate. It does work if you're logged in as the parent account.
Service Accounts cannot be used, and they are never to be used here. Service Accounts are meant for S3 API access; authenticate with a real parent user for Prometheus. We may extend support for that in the future.
Again, entirely undocumented and very confusing. An error message on generate in this case would be welcome.
We never documented the way you are trying to use it, and we do not intend to until its behavior is finalized, so I'm not sure where you found the idea to use it in this manner.
I didn't "find the idea"; I just happened to be authenticating from the CLI via a service token, which does not seem that unusual. If there are requirements for a feature to work, either documenting what they are or including error handling to prevent non-functional operation would greatly improve the user experience.
When I use /minio/prometheus/metrics instead of /minio/v2/metrics/cluster, it is OK:

curl -v -sSL -H "Authorization: Bearer ${TOKEN}" http://IP:9000/minio/prometheus/metrics

But the metrics data does not fit https://grafana.com/grafana/dashboards/13502
I'm still confused about what the fix is here. I'm trying to use the generated config, but I'm pretty new to MinIO and don't understand the aliases. Are the credentials specific to the alias? I was using the
Thank you, that worked. Is an alias just a credential set then?
yes |
Expected Behavior

As documented in the README, the default authentication mode for this path is JWT, and a bearer token with a config snippet can be generated via

mc admin prometheus generate <alias>

to authenticate against the endpoint when JWT auth is enabled.

Current Behavior

After generating the config snippet and adding it to the Prometheus configuration, the scraper fails, indicating a 403 error. Attempting to authenticate using the generated bearer token via the CLI confirms that it is not possible to authenticate with this token (sanitized):

Possible Solution

Setting

MINIO_PROMETHEUS_AUTH_TYPE="public"

allows access to the metrics by disabling authorization, but this is undesirable.

Steps to Reproduce (for bugs)

1. Leave MINIO_PROMETHEUS_AUTH_TYPE unset, or explicitly set it to jwt
2. Run mc admin prometheus generate
3. Request /minio/v2/metrics/cluster using the token

Your Environment
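When the scrape returns 403, the first thing worth checking is what the generated bearer token actually says about itself: which access key it was issued for (the parent account versus a service account, as discussed earlier in the thread) and whether it is signed with the secret key you expect. The script below is an added example, not code from MinIO or mc. It assumes the token is a standard three-part JWT with an HMAC signature (HS512 is assumed as the default here) and that the signing key is the account's secret key; neither assumption is confirmed by this thread. The sample token, secret and claims are constructed locally so the script runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not MinIO's or mc's own code.
# Assumptions (not confirmed by the thread): the bearer token is a standard
# header.payload.signature JWT, HMAC-signed, and the key is the account's
# secret key. Everything below marked "constructed" is made up for the demo.

ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret, alg="HS512"):
    """Build a signed JWT; used here only to construct sample input."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), ALLOWED_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def make_unsigned_token(claims):
    """Build an 'alg: none' token with an empty signature (attacker-style input)."""
    header = {"alg": "none", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return f"{signing_input}."


def inspect_token(token):
    """Decode header and claims WITHOUT verifying the signature.

    Use this to see which access key (`sub`) the token was generated for
    before deciding whether a 403 is a signing problem or an account problem.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def verify_token(token, secret, now=None):
    """Return (ok, reason).

    Rejects unknown or 'none' algorithms (so a forged header cannot bypass the
    check), signatures that do not match `secret`, and expired tokens. A token
    that passes here yet still gets 403 from MinIO points at authorization of
    the signing account, not at the JWT itself.
    """
    try:
        header, claims = inspect_token(token)
        signing_input, _, sig_b64 = token.rpartition(".")
        presented_sig = b64url_decode(sig_b64)
    except ValueError as exc:  # covers json and base64 decoding errors too
        return False, f"malformed: {exc}"
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"algorithm {alg!r} not allowed"
    expected = hmac.new(secret.encode(), signing_input.encode(), ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, presented_sig):
        return False, "signature does not match the supplied secret key"
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    return True, f"valid for sub={claims.get('sub')!r} iss={claims.get('iss')!r}"


# Constructed sample input (made-up secret and claims, not real credentials).
SAMPLE_SECRET = "example-secret-key-do-not-use"
SAMPLE_CLAIMS = {"sub": "minioadmin", "iss": "prometheus", "exp": 2_000_000_000}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS, SAMPLE_SECRET)

if __name__ == "__main__":
    print("claims:", inspect_token(SAMPLE_TOKEN)[1])
    print("right key:", verify_token(SAMPLE_TOKEN, SAMPLE_SECRET))
    print("wrong key:", verify_token(SAMPLE_TOKEN, "some-other-secret"))
    print("alg none:", verify_token(make_unsigned_token(SAMPLE_CLAIMS), SAMPLE_SECRET))
```

To use it on a real token, replace SAMPLE_TOKEN with the bearer value from the generated Prometheus config and SAMPLE_SECRET with the secret key of the account the alias points at; inspect_token shows the `sub` the token was issued for, and verify_token tells you whether the signature matches that account's secret before you look for a permissions or service-account cause.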