I have a Spring Boot 2 with Spring Security microservice that I have configured with Micometer/Spring Actuator. All is well when I permitAll() on the antMatcher("/actuator/**") end points. I am able to retrieve the Prometheus metrics via a properly configured Prometheus yaml file.
But, my microservice is not behind a firewall and thus open to the world. I only want Prometheus to be able to access my microservice "/actuator/prometheus" end point.
I have the following configurations:
In my Spring Boot 2 microservice ResourceServerConfig
class:
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Autowired
private JdbcTokenStore tokenStore;
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("springsecurity").tokenStore(tokenStore);
}
public void configure(HttpSecurity http) throws Exception {
http.anonymous().and().authorizeRequests()
.antMatchers("/actuator/**").hasRole("ENDPOINT_ADMIN")
.antMatchers("/**").authenticated();
}
For the application.properties
file I have:
spring.security.user.name=user
spring.security.user.password=password
spring.security.user.roles=ENDPOINT_ADMIN
# For Prometheus (and other data loggers)
management.endpoint.metrics.enabled=true
management.endpoints.web.exposure.include=*
management.endpoint.prometheus.enabled=true
management.metrics.export.prometheus.enabled=true
Then for my Prometheus YAML file I have this:
global:
scrape_interval: 15s
scrape_configs:
- job_name: "prometheus"
static_configs:
- targets: ["localhost:9090"]
- job_name: 'myservice'
metrics_path: '/actuator/prometheus'
scrape_interval: 5s
static_configs:
- targets: ['localhost:8080']
basic_auth:
username: 'user'
password: 'password'
When I go to /targets in Prometheus I get "server returned HTTP status 401".
I fully assume I'm not understanding something quite right. Is there a way for me to properly do this? Thank you so much.
Was the prometheus system and the services system in the internal network. If they was in the same internal network, you can use internal IP to get actuator data.
You must specify the credentials which are the same as
spring.security.user.name
spring.security.user.password
to Prometheus, in order to pass
-job_name:
...
basic_auth:
username: "username"
password: "password"
you can used htpasswd to crypt password after to set in prometheus
I have had the same need and I have solved it in the following way, it is quite simple.
First, it is necessary to configure a username and password in the Spring Security section of the microservice within the application.yml
spring:
security:
user:
name: prometheus
password: prometheus
Afterwards, you configure that username and password in the prometheus.yml just as you have it
- job_name: 'iot-processor'
metrics_path: '/actuator/prometheus'
static_configs:
- targets: ['iot-processor:8080']
basic_auth:
username: "prometheus"
password: "prometheus"
You can limit the exposed points or enable them all, I have the following configuration for my needs:
management:
endpoint:
health:
enabled: true
show-details: always
endpoints:
web:
exposure:
include: '*'
jmx:
exposure:
include: '*'
That's all, if I access without username and password I would see the following page
Hope it can help you
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.