Securing Spring Boot 2 Actuator Prometheus End Points

Question

I have a Spring Boot 2 with Spring Security microservice that I have configured with Micometer/Spring Actuator. All is well when I permitAll() on the antMatcher("/actuator/**") end points. I am able to retrieve the Prometheus metrics via a properly configured Prometheus yaml file.

But, my microservice is not behind a firewall and thus open to the world. I only want Prometheus to be able to access my microservice "/actuator/prometheus" end point.

I have the following configurations:

In my Spring Boot 2 microservice ResourceServerConfig class:

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

  @Autowired
  private JdbcTokenStore tokenStore;

  @Override
  public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId("springsecurity").tokenStore(tokenStore);
  }

  public void configure(HttpSecurity http) throws Exception {
    http.anonymous().and().authorizeRequests()
      .antMatchers("/actuator/**").hasRole("ENDPOINT_ADMIN")
      .antMatchers("/**").authenticated();
  }

For the application.properties file I have:

spring.security.user.name=user
spring.security.user.password=password
spring.security.user.roles=ENDPOINT_ADMIN

# For Prometheus (and other data loggers)
management.endpoint.metrics.enabled=true
management.endpoints.web.exposure.include=*
management.endpoint.prometheus.enabled=true
management.metrics.export.prometheus.enabled=true

Then for my Prometheus YAML file I have this:

global:
  scrape_interval: 15s

scrape_configs:
  - job_name: "prometheus"
    static_configs:
    - targets: ["localhost:9090"]

  - job_name: 'myservice'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 5s
    static_configs:
      - targets: ['localhost:8080']
    basic_auth:
      username: 'user'
      password: 'password'

When I go to /targets in Prometheus I get "server returned HTTP status 401".

I fully assume I'm not understanding something quite right. Is there a way for me to properly do this? Thank you so much.

Answer 1

Was the prometheus system and the services system in the internal network. If they was in the same internal network, you can use internal IP to get actuator data.

Answer 2

You must specify the credentials which are the same as

spring.security.user.name
spring.security.user.password

to Prometheus, in order to pass

-job_name:
 ...
 basic_auth:
  username: "username"
  password: "password"

you can used htpasswd to crypt password after to set in prometheus

Answer 3

I have had the same need and I have solved it in the following way, it is quite simple.

First, it is necessary to configure a username and password in the Spring Security section of the microservice within the application.yml

spring:
  security:
    user:
      name: prometheus
      password: prometheus

Afterwards, you configure that username and password in the prometheus.yml just as you have it

- job_name: 'iot-processor'
    metrics_path: '/actuator/prometheus'
    static_configs:
      - targets: ['iot-processor:8080']
    basic_auth:
      username: "prometheus"
      password: "prometheus"

You can limit the exposed points or enable them all, I have the following configuration for my needs:

management:
  endpoint:
    health:
      enabled: true
      show-details: always
  endpoints:
    web:
      exposure:
        include: '*'
    jmx:
      exposure:
        include: '*'

That's all, if I access without username and password I would see the following page

Hope it can help you