search

epoch8 / airflow-exporter

Airflow plugin to export dag and task based metrics to Prometheus.
Other
247 stars 75 forks source link

feature: exporter does not require authentication #54

Closed greenpau closed 4 years ago

greenpau commented 5 years ago

What is the quickest way to add authentication to the plugin? e.g. modifying the path?

greenpau commented 5 years ago

One way to get this working ...

Add is_valid_token below to prometheus_exporter.py:

from functools import wraps
from flask import request, abort

def is_valid_token(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        auth_header = None
        auth_headers = ['Authorization', 'X-Auth-Token', 'X-Token', 'x-token', 'access_token']
        for h in auth_headers:
            if h in request.headers:
                auth_header = h
                break
        if not auth_header:
            abort(401)
        data = request.headers[auth_header].encode('ascii','ignore')
        token = str.replace(str(data), 'Bearer ','').replace('bearer ','')
        if token != '8d4648d9-f7cd-4c88-b80f-72f699afa695':
            abort(401)
        return f(*args, **kwargs)
    return decorated_function

Then add is_valid_token decorator to the index function:

class Metrics(BaseView):
    @expose('/')
    @is_valid_token
    def index(self):
        return Response(generate_latest(), mimetype='text/plain')

Then, access the interface with the token:

curl -H 'X-Auth-Token: 8d4648d9-f7cd-4c88-b80f-72f699afa695' -v https://localhost/admin/metrics/

# TYPE python_info gauge
python_info{implementation="CPython",major="2",minor="7",patchlevel="5",version="2.7.5"} 1.0
greenpau commented 5 years ago

There is probably an easy way to store the token in airflow config file. Will look it up.

greenpau commented 5 years ago

Also, this method has to (but does not) account for someone viewing the metrics from UI. If a UI user have a valid session, then allow them in.

image

greenpau commented 5 years ago

With the latest commit, the exporter allows authenticated users to view Metrics page.

https://github.com/epoch8/airflow-exporter/blob/5d100a67b559d93f11cf51c17c91fa4fcc1d71b8/airflow_exporter/__init__.py#L253-L255

elephantum commented 4 years ago

Closing this with "wont fix", I believe that metrics are a part of infrastructure, if you need to limit access, use any pre-existing reverse http-proxy like nginx or caddy to setup http auth.