opensearch-prometheus-exporter
Add documentation for Security configuration
It would be great if you could expand upon this with an example config of a role with minimum permissions needed to access the metrics endpoint.
If you enable security in OpenSearch, remember to set up the credentials also in Prometheus configuration.
This role seems to do the trick:
```yaml
metrics_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
```
I have a similar ticket open in the original ES exporter which hasn't been answered yet: vvanholl/elasticsearch-prometheus-exporter#324
The same questions I asked there also apply here and expand a bit on your question as it's a two-fold problem:
- how to let the prometheus scraper access this endpoint w/o HTTPS (self-signed certs) & authentication (the scraper expects the endpoints to be unsecured)
- how to let the plugin access the opensearch metrics
And I just realised a 3rd point: the metrics endpoint should IMHO only be reachable for the Prometheus scraper while the rest of OpenSearch should only be reachable for its consumers (using network policies in Kubernetes this is quite easy to do - if you are running the things on separate ports). I think if the plugin would be updated to run its own small HTTP server (with a dedicated port) and expose the endpoint there then it can be configured to run as HTTP and w/o authentication even if the rest of OpenSearch has HTTPS and requires authentication. Then the only thing left to configure is that it uses some login information which can access the cluster metrics.
Regarding the login information: does this have to be basic authentication (i.e. username/password for a user in the internal user realm) or could it also be something else (e.g. callback to a configured script which could then fetch an authentication token (I'm thinking about JWT here) or certificate-based authentication)?
Update for anyone who has no idea about Prometheus config
```yaml
- job_name: opensearch
  scrape_interval: 30s
  metrics_path: "/_prometheus/metrics"
  static_configs:
    - targets:
        - ip:9200
  basic_auth:
    username: 'user'
    password: 'pass'
```
and set up user with info via Dashboard
```yaml
metrics_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
```
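As an added example (not from any participant in this thread or from the plugin's documentation), here is the scrape job from the thread adapted for a cluster whose HTTP layer uses TLS with a private or self-signed CA, followed by a mapping of a dedicated user to the `metrics_access` role. The hostname, the user name `prometheus` and the file paths are assumed placeholders.

```yaml
# prometheus.yml (fragment). Hostname, user name and paths are placeholders.
scrape_configs:
  - job_name: opensearch
    scrape_interval: 30s
    metrics_path: "/_prometheus/metrics"
    # Without "scheme", Prometheus scrapes over plain http and the
    # basic_auth credentials cross the network unencrypted.
    scheme: https
    tls_config:
      # CA that issued the OpenSearch HTTP certificate; a private or
      # self-signed CA is fine as long as Prometheus is given it here.
      ca_file: /etc/prometheus/opensearch-ca.pem
      # Only needed when the target address is not a name in the certificate.
      server_name: opensearch.example.internal
      # insecure_skip_verify stays at its default (false) so the
      # certificate is actually validated.
    basic_auth:
      username: prometheus
      # Read the password from a file readable only by the Prometheus
      # process instead of embedding it in prometheus.yml.
      password_file: /etc/prometheus/secrets/opensearch-password
    static_configs:
      - targets:
          - opensearch.example.internal:9200
---
# roles_mapping.yml entry for the OpenSearch security plugin: bind only the
# scrape user to the metrics_access role shown above, and give that user
# no other roles.
metrics_access:
  users:
    - prometheus
```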