please add a authentication in exporter

[xuanyu-h]

the metrics endpoint is opened and have no authentication.

I use a block to auth this block to solve this, and in my Rails app, it used like this

    config.middleware.use Prometheus::Middleware::Exporter, authentication: ->(env) do
      ActiveSupport::SecurityUtils.secure_compare(
        Rack::Request.new(env).params['secret'].to_s,
        YOUR_SECRET
      )
    end

module Prometheus
  module Middleware
    class Exporter
      attr_reader :app, :registry, :path

      FORMATS  = [Client::Formats::Text].freeze
      FALLBACK = Client::Formats::Text
      DEFAULT_AUTHENTICATION = ->(_) { true }

      def initialize(app, options = {})
        @app = app
        @registry = options[:registry] || Client.registry
        @path = options[:path] || '/metrics'
        @acceptable = build_dictionary(FORMATS, FALLBACK)
        @authentication = options[:authentication] || DEFAULT_AUTHENTICATION
      end

      def call(env)
        if env['PATH_INFO'] == @path
          if !!@authentication.call(env)
            format = negotiate(env, @acceptable)
            format ? respond_with(format) : not_acceptable(FORMATS)
          else
            authentication_failed!
          end
        else
          @app.call(env)
        end
      end

      private

      def authentication_failed!
        [ 401,
          { 'Content-Type' => 'text/plain' },
          ["Authentication Failed"]
        ]
      end
    end
  end
end

[grobie]

The beauty of rack middlewares is that you can combine them, there is no reason to implement the same features like authentication again and again.

Use rack's basic auth middleware in your application:

use Rack::Auth::Basic, 'My appliation' do |username, password|
  Rack::Utils.secure_compare('supersecret', password)
end

If you want to only use that middleware on the /metrics path, you could use the rack app builder:

rackapp = Rack::Builder.app do
  use Prometheus::Middleware::Collector

  map '/metrics' do
    use Rack::Auth::Basic, 'Prometheus Metrics' do |username, password|
      Rack::Utils.secure_compare('supersecret', password)
    end
    use Rack::Deflater
    use Prometheus::Middleware::Exporter, path: ''
    run ->(_) { [500, { 'Content-Type' => 'text/html' }, ['Unreachable!']] }
  end

  run your_app
end
run rackapp

[scarroll32]

Thanks for this, but where does this code go and how to configure Prometheus to pass the login? I assume this needs to be over HTTPS.

[scarroll32]

Some more docs have been added with #92