aparo / opensearch-prometheus-exporter

OpenSearch Prometheus Exporter (fork of https://github.com/vvanholl/elasticsearch-prometheus-exporter)
Apache License 2.0

Add documentation for Security configuration #4

Open mvanderlee opened 2 years ago

mvanderlee commented 2 years ago

It would be great if you could expand upon this with an example config of a role with minimum permissions needed to access the metrics endpoint.

If you enable security in OpenSearch, remember to set up the credentials also in Prometheus configuration.

mvanderlee commented 2 years ago

This role seems to do the trick:

metrics_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'

rursprung commented 2 years ago

I have a similar ticket open in the original ES exporter which hasn't been answered yet: vvanholl/elasticsearch-prometheus-exporter#324

The same questions I asked there also apply here and expand a bit on your question, as it's a two-fold problem:

And I just realised a 3rd point: the metrics endpoint should IMHO only be reachable for the prometheus scraper, while the rest of opensearch should only be reachable for its consumers (using network policies in kubernetes this is quite easy to do - if you are running the things on separate ports). I think if the plugin were updated to run its own small HTTP server (with a dedicated port) and expose the endpoint there, then it could be configured to run as HTTP and w/o authentication even if the rest of opensearch has HTTPS and requires authentication. Then the only thing left to configure is that it uses some login information which can access the cluster metrics.

Regarding the login information: does this have to be basic authentication (i.e. username/password for a user in the internal user realm), or could it also be something else (e.g. a callback to a configured script which could then fetch an authentication token (I'm thinking about JWT here), or certificate-based authentication)?

BlackMetalz commented 2 years ago

Update for anyone who has no idea about Prometheus config

  - job_name: opensearch
    scrape_interval: 30s
    metrics_path: "/_prometheus/metrics"
    static_configs:
    - targets:
      - ip:9200
    basic_auth:
      username: 'user'
      password: 'pass'

and set up the user with this info via Dashboards:

metrics_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
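The two fragments in this thread (the monitor-only role and the scrape job with basic_auth) are easy to get subtly wrong: a role that grows beyond `cluster_monitor`/`indices_monitor` over-privileges the scraper, and a job that sends basic_auth over plain `http` (Prometheus's default scheme) puts the scraper's password on the wire in cleartext. The script below is an added example, not code from opensearch-prometheus-exporter or from anyone in this thread. It transcribes the role and job above as Python dicts, audits them against the monitor-only allow-lists the thread settles on, and produces a hardened copy of the job. The `password_file`, `scheme` and `tls_config.ca_file` keys are standard Prometheus scrape-config options; the allow-lists, the file paths and the `tenant_permissions` check are this example's own assumptions.

```python
"""Audit the roles.yml role and prometheus.yml job posted in this thread.

Constructed example; not part of the exporter. Allow-lists and the hardened
job are assumptions made here, not something the thread or project states.
"""
import copy

# The only actions the thread identifies as needed for /_prometheus/metrics.
ALLOWED_CLUSTER_ACTIONS = {"cluster_monitor"}
ALLOWED_INDEX_ACTIONS = {"indices_monitor"}

# Role as posted above (roles.yml shape), transcribed into a dict.
METRICS_ROLE = {
    "reserved": True,
    "cluster_permissions": ["cluster_monitor"],
    "index_permissions": [
        {"index_patterns": ["*"], "allowed_actions": ["indices_monitor"]}
    ],
}

# Scrape job as posted above (prometheus.yml shape), transcribed into a dict.
SCRAPE_JOB = {
    "job_name": "opensearch",
    "scrape_interval": "30s",
    "metrics_path": "/_prometheus/metrics",
    "static_configs": [{"targets": ["ip:9200"]}],
    "basic_auth": {"username": "user", "password": "pass"},
}


def audit_metrics_role(role):
    """Return findings for any grant beyond the monitor-only actions."""
    findings = []
    for action in role.get("cluster_permissions", []):
        if action not in ALLOWED_CLUSTER_ACTIONS:
            findings.append(f"cluster permission beyond monitoring: {action}")
    for perm in role.get("index_permissions", []):
        for action in perm.get("allowed_actions", []):
            if action not in ALLOWED_INDEX_ACTIONS:
                patterns = perm.get("index_patterns")
                findings.append(
                    f"index action beyond monitoring on {patterns}: {action}"
                )
    # A scraper has no business in Dashboards tenants (assumed check).
    if role.get("tenant_permissions"):
        findings.append("scraper role grants tenant permissions it does not need")
    return findings


def audit_scrape_job(job):
    """Return findings about how the job protects the scraper's credentials."""
    findings = []
    auth = job.get("basic_auth")
    if not auth:
        return findings  # no credentials configured, nothing to protect
    if "password" in auth:
        findings.append("basic_auth.password is inline; prefer password_file")
    # Prometheus defaults to http when scheme is absent.
    if job.get("scheme", "http") != "https":
        findings.append("basic_auth over plain http sends credentials in cleartext")
    if job.get("tls_config", {}).get("insecure_skip_verify"):
        findings.append("tls_config.insecure_skip_verify disables server verification")
    return findings


def harden_scrape_job(job, password_file, ca_file):
    """Return a copy of job with the findings above addressed; job is untouched."""
    hardened = copy.deepcopy(job)
    hardened["scheme"] = "https"
    auth = hardened.setdefault("basic_auth", {})
    auth.pop("password", None)          # move the secret out of prometheus.yml
    auth["password_file"] = password_file
    hardened["tls_config"] = {"ca_file": ca_file}  # verify the OpenSearch cert
    return hardened


if __name__ == "__main__":
    print("role findings:", audit_metrics_role(METRICS_ROLE) or "none")
    print("job findings:", audit_scrape_job(SCRAPE_JOB) or "none")
    fixed = harden_scrape_job(
        SCRAPE_JOB,
        "/etc/prometheus/opensearch.pass",      # assumed path
        "/etc/prometheus/opensearch-ca.pem",    # assumed path
    )
    print("hardened job findings:", audit_scrape_job(fixed) or "none")
```

Run as-is to see the role pass and the posted job get two findings (inline password, plain http); the hardened copy passes. To audit a real `roles.yml` or `prometheus.yml`, load them with a YAML parser and pass the resulting dicts to the same functions.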