prometheus-acls

command module

v0.1.2 Latest Latest Go to latest Published: Jul 30, 2020 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/bitsbeats/prometheus-acls

Links

Open Source Insights

README ¶

prometheus-acls

A reverse proxy for prometheus that provides label based acls via oidc.

Prequisites

Running prometheus server
OpenID Connect server (i.e. Keycloak) with option to set custom fields in the Access Token
Grafana instance that authentificates with OpenID Connect

Configuration

Environment

Via environment you can configure all settings.

LISTEN: IP and port to to listen on (default :8080)
URL: URL for prometheus-acls, used to generate redirects, login and callback routes (e.g. https://promacl.example.com)
COOKIE_SECRET: Cookie Secret (should be 32 or 64 chars), autogenerated if empty
PROMETHEUS_URL: URL to the upstream Prometheus (default http://localhost:9090)
OIDC_ISSUER: URL to the OpenID Connect Sever (e.g. https://auth.example.com/auth/realms/users)
OIDC_CLIENT_ID: Oauth Client ID (e.g. grafana)
OIDC_CLIENT_SECRET: Oauth Client Secret (e.g. 12345678-1234-1234-1234-123456789abc)
OIDC_ROLES_CLAIM: Field in Acces Token to load the users role (default roles)
ACL_FILE: Full or relative path to acl configuration file (default prometheus-acls.yml)

`prometheus-acls.yml`:

The prometheus-acls.yml file is used to map roles to access rights.

# syntax:
#
# <rolename>:
#   <metricname>: <prometheus label matches>
#   # or
#   re!<regex>: <prometheus label matches>

developer:                # The keys match the OIDC_ROLES_CLAIM field of the access token.

  re!^awesome_app_:       # regex match for all metrics that stat with awesome_app_
    env=dev               # prometheus label match for dev env

  re!^node_:              # regex match for node exporter
    instance=~'.*\.lan$'  # prometheus label match for instances that end with .lan

  up: env!=dev,app=hal    # prometheus labels are handled by prometheus, so their complete
                          # syntax is supported

admin:                    # The keys match the OIDC_ROLES_CLAIM field of the access token.

  secret_app_:            # exact metric name
    ~                     # yaml null value will bock access to a metric

  '*':                    # wildchard match for all metrics
    ''                    # emty prometheus label match for NO RESTRICTIONS

Order of metric name matching:

Exact metric name
Regex metric name
Wildcard metric name
Default deny access

Best Practices:

Metric regex matches should be started with ^
Regex label matches are slower than exact matches

OIDC Provider

Example for keycloak:

Create a new client with Access Type confidential
Go to the clients mappers and add a new one
Most mappers should work e.g User Client Role
Set Token Claim Name to roles (if you change this you also need to supply $OIDC_ROLES_CLAIM to prometheus-acls)
Claim JSON Type is String
Add to access token must be on
Configure both Grafana and prometheus-acls with the same settings OIDC settings

Note: When you have multiple roles, the first one that is mentioned in prometheus-acls will be used. We currently use per client roles to avoid any conflics.