
Use token, organization and project from the request

Open Nowaker opened this issue 3 years ago • 4 comments

Describe the solution you'd like

  1. Pass the organization and the Sentry token via query parameters or headers, e.g. http://0.0.0.0:9790/metrics/?token=sentry-token&org=org-name&project=project-name-or-id
  2. Get the metrics using the given token in the given organization and, if passed, the given project

Describe alternatives you've considered

An alternative is to deploy multiple sentry-prometheus-exporters, each for a given org. Given sentry-prometheus-exporter is just a proxy to Sentry API and doesn't perform any caching, a single instance of sentry-prometheus-exporter would work fine for multiple orgs.

Moreover, by passing a token in each request to the exporter, we don't need to password-protect the exported data as you don't get any if you don't have a token.

Nowaker avatar May 13 '21 15:05 Nowaker
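As an added illustration of the request-scoped design proposed in this issue (example code written for this discussion, not part of sentry-prometheus-exporter), the following Python sketch shows the one piece a maintainer would want to get right if the feature were accepted: reading the token from an Authorization header first and only falling back to the proposed ?token= query parameter, plus redacting that parameter before a request line reaches an access log. Query strings are routinely written to proxy and server logs while headers usually are not, so header-first extraction limits where the secret can end up. The function names, the token shape check and the sample URLs are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Loose shape check for a bearer token: at least 16 URL-safe characters.
# This is an assumption for the example, not Sentry's real token format.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{16,}$")


def extract_request_credentials(headers, url):
    """Return the credentials a scrape request carries, or None if unusable.

    Preference order: 'Authorization: Bearer <token>' header, then the
    ?token= query parameter the issue proposes. The org is required;
    the project is optional, as in the proposal.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    org = query.get("org", [None])[0]
    project = query.get("project", [None])[0]

    token = None
    source = None
    auth = headers.get("Authorization") or headers.get("authorization")
    if auth and auth.lower().startswith("bearer "):
        token = auth[len("bearer "):].strip()
        source = "header"
    elif "token" in query:
        token = query["token"][0]
        source = "query"

    # Reject requests with no token or no org, and tokens of implausible shape,
    # before anything is forwarded to the Sentry API.
    if not token or not org or not TOKEN_RE.match(token):
        return None
    return {"token": token, "org": org, "project": project, "source": source}


def redact_url_for_log(url):
    """Mask the value of any token= query parameter before logging the request line."""
    return re.sub(r"(?i)([?&]token=)[^&#]*", r"\g<1>[REDACTED]", url)


if __name__ == "__main__":
    # Constructed sample requests, as described in the issue.
    hdr_req = extract_request_credentials(
        {"Authorization": "Bearer abcdefghijklmnop1234"},
        "http://0.0.0.0:9790/metrics/?org=org-name&project=project-name-or-id",
    )
    qs_url = "http://0.0.0.0:9790/metrics/?token=abcdefghijklmnop1234&org=org-name"
    qs_req = extract_request_credentials({}, qs_url)
    print(hdr_req["source"], qs_req["source"])
    print(redact_url_for_log(qs_url))
```

With both a header and a query parameter present, the header wins and the query value is ignored, so a scraper can be migrated to the header form without changing the URL first.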

Hey, @Nowaker, thanks for contributing and sorry for my late reply. But trafficking the API token as plain text doesn't look like a good idea to me; could you please elaborate more about your use case here? So we can think about the alternatives.

italux avatar Mar 22 '22 21:03 italux

I don't see a reason why it's not a good idea. A proxy is not a controversial or novel concept in general. Vault-UI and many other tools aren't questioned for taking this approach.

Nowaker avatar Mar 22 '22 21:03 Nowaker

My point here is the API token will be over HTTP traffic; even in an internal network there is a risk involved, which is why I'd like to understand the use case you're trying to apply, so I can realize how the implementation should go.

italux avatar Mar 23 '22 20:03 italux

> My point here is the API token will be over HTTP traffic, even in an internal network there is a risk involved

Basic HTTP Authentication credentials go over HTTP traffic too, and that's not a concern either, even though HTTP credentials are as confidential as a Sentry token.

It's a no-issue because this application isn't a fully-fledged web server, and it wouldn't be reasonable to expect that this application turns into one. Rather, it's an application that has one purpose, perfect as-is, and there's other infrastructural building blocks like Nginx or Kubernetes Ingress that users will use (or not) to realize their goals (incl. security goals).

Nowaker avatar Mar 23 '22 20:03 Nowaker