javamelody / jira-confluence-javamelody

JavaMelody plugin for JIRA, Confluence or Bamboo
Apache License 2.0

Prometheus formatted url should be free from auth #7

Closed Emptyfruit closed 4 years ago

Emptyfruit commented 4 years ago

Unable to use the Prometheus-compatible format (/monitoring?format=prometheus) because it is available only for authorised users, which doesn't seem possible to do from Prometheus. Ideally it should have a setting for some constant security token (as in https://marketplace.atlassian.com/apps/1217960/prometheus-exporter-for-jira), but making this servlet open will suffice also.

kortov commented 4 years ago

We stumbled upon the same issue with Jira (Prometheus can't log in via basic auth with our Jira), but I don't think that no auth is a good thing.

Emptyfruit commented 4 years ago

It can be a problem for public sites. There is always an option to add some static token authorisation (as in the plugin I gave a link to). But in our case it is not a problem, because our Jira instance is inside a VPN. And actually this data is not that private.

I looked into the plugin code and found that there is a parameter to disable plugin auth, but I tried to set it through web.xml (as instructed) and it didn't work.

evernat commented 4 years ago

@Emptyfruit The Prometheus formatter url won't be free from auth by default.

And there is indeed a parameter to disable plugin auth. In the case of JIRA/Confluence/Bitbucket/Bamboo, I suggest adding the parameter to the system properties. For that, you can add -Djavamelody.plugin-authentication-disabled=true in bin/setenv.sh for example (bin/setenv.bat on Windows).

Then there is no token currently, but I suggest adding basic auth to replace native JIRA auth in the javamelody plugin. For that, you can add -Djavamelody.authorized-users=my_username:my_plain_text_password_here in bin/setenv.sh for example (bin/setenv.bat on Windows), then use basic auth with my_username and my_plain_text_password_here in the Prometheus scrape config. There is an example at: https://github.com/javamelody/javamelody/wiki/UserGuideAdvanced#example-scrape_config

If you want to restrict even more for security, you may also add in JIRA a system property like -Djavamelody.allowed-addr-pattern=10\.10\..*|192\.168\..* with a regexp of the IP addresses of the internal network, including the Prometheus server.

evernat commented 4 years ago

Note that the password in -Djavamelody.authorized-users=my_username:my_password need not be in clear text and can be hashed since 1.83.0. See the end of the chapter at https://github.com/javamelody/javamelody/wiki/UserGuide#16-security
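Putting the three system properties and the scrape config from evernat's replies together, as an added example (this is not code from the javamelody plugin or from anyone in this thread). The user name "prometheus", the constructed password "s3cret-example", the target "jira.example.internal:8080" and the file "/etc/prometheus/javamelody.pass" are placeholders that do not appear above. The address check assumes the plugin requires the whole remote address to match allowed-addr-pattern (Java Matcher.matches semantics rather than a substring search); the hashed-password form mentioned in the last reply is documented in the linked user guide and is not reproduced here.

```sh
#!/bin/sh
# Added example; not code from the javamelody plugin or from this thread.
# It produces the JVM options the replies above describe for bin/setenv.sh,
# a Prometheus scrape_config that uses basic auth against /monitoring, and a
# local check of which scraper addresses the allowed-addr-pattern regexp
# would admit. Assumed placeholders (not on the page): the user "prometheus",
# the constructed password "s3cret-example", the target
# "jira.example.internal:8080" and the file "/etc/prometheus/javamelody.pass".
# The address check assumes the server requires the whole remote address to
# match the pattern (Java Matcher.matches, not a substring search).

ALLOWED_ADDR_PATTERN='10\.10\..*|192\.168\..*'

# JVM options to append to the options variable your bin/setenv.sh uses.
# $1 = user, $2 = password (plain text here; the user guide linked above
# documents the hashed form), $3 = regexp of allowed client addresses.
javamelody_jvm_opts() {
  opts="-Djavamelody.plugin-authentication-disabled=true"
  opts="$opts -Djavamelody.authorized-users=$1:$2"
  opts="$opts -Djavamelody.allowed-addr-pattern=$3"
  printf '%s\n' "$opts"
}

# Prometheus scrape_config for the same credentials. password_file keeps
# the secret out of prometheus.yml; the referenced file holds only the
# password. $1 = user, $2 = password file, $3 = host:port of Jira.
prometheus_scrape_config() {
  cat <<EOF
scrape_configs:
  - job_name: 'jira-javamelody'
    metrics_path: '/monitoring'
    params:
      format: ['prometheus']
    basic_auth:
      username: '$1'
      password_file: '$2'
    static_configs:
      - targets: ['$3']
EOF
}

# Returns 0 when address $1 would pass the allow-list regexp $2.
# The regexp is anchored on both ends, so a partial match such as
# "10.10." inside "9.10.10.1" is not enough.
addr_allowed() {
  printf '%s\n' "$1" | grep -Eq "^($2)"'$'
}

main() {
  echo '# append to the JVM options in bin/setenv.sh (setenv.bat on Windows):'
  javamelody_jvm_opts prometheus 's3cret-example' "$ALLOWED_ADDR_PATTERN"
  echo
  echo '# prometheus.yml:'
  prometheus_scrape_config prometheus /etc/prometheus/javamelody.pass jira.example.internal:8080
  echo
  for ip in 10.10.0.5 192.168.1.20 10.100.0.5 9.10.10.1 8.8.8.8; do
    if addr_allowed "$ip" "$ALLOWED_ADDR_PATTERN"; then
      echo "$ip: allowed"
    else
      echo "$ip: rejected by allowed-addr-pattern"
    fi
  done
}

main
```

Two practical points. A password passed as a -D system property is visible to anyone on the host who can list process arguments, which is why the hashed form from the last reply is worth using even on a VPN-only instance. And the regexp must cover every source address Prometheus actually scrapes from (a NAT gateway or reverse proxy in front of Jira changes what the plugin sees as the remote address), otherwise scrapes fail with an access error rather than a metrics page.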