Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/bitsbeats/prometheus-acls

prometheus oauth acl reverse proxy
acl golang grafana oauth oidc prometheus

Last synced: 2 months ago
README

# prometheus-acls

[![Build Status](https://cloud.drone.io/api/badges/bitsbeats/prometheus-acls/status.svg)](https://cloud.drone.io/bitsbeats/prometheus-acls)
[![Docker Pulls](https://img.shields.io/docker/pulls/bitsbeats/prometheus-acls.svg?maxAge=604800)](https://hub.docker.com/r/bitsbeats/prometheus-acls)
[![Go Report Card](https://goreportcard.com/badge/github.com/bitsbeats/prometheus-acls)](https://goreportcard.com/report/github.com/bitsbeats/prometheus-acls)

A reverse proxy for Prometheus that enforces label-based ACLs based on roles carried in an OIDC access token.

## Prerequisites

* Running prometheus server
* OpenID Connect server (e.g. Keycloak) with the option to set custom fields in the Access Token
* Grafana instance that authenticates with OpenID Connect

## Configuration

### Environment

All settings are configured via environment variables.

* `LISTEN`: IP and port to listen on (default `:8080`)
* `URL`: URL of prometheus-acls itself, used to generate redirects and the login and callback routes (e.g. https://promacl.example.com)
* `COOKIE_SECRET`: Cookie secret (should be 32 or 64 chars), autogenerated if empty
* `PROMETHEUS_URL`: URL of the upstream Prometheus (default http://localhost:9090)
* `OIDC_ISSUER`: URL of the OpenID Connect server (e.g. https://auth.example.com/auth/realms/users)
* `OIDC_CLIENT_ID`: OAuth client ID (e.g. `grafana`)
* `OIDC_CLIENT_SECRET`: OAuth client secret (e.g. `12345678-1234-1234-1234-123456789abc`)
* `OIDC_ROLES_CLAIM`: Field in the access token from which the user's roles are loaded (default `roles`)
* `ACL_FILE`: Full or relative path to the ACL configuration file (default `prometheus-acls.yml`)

### `prometheus-acls.yml`:

The `prometheus-acls.yml` file is used to map roles to access rights.

```yaml
# syntax:
#
# <role>:
#   <metric name>: <prometheus label matchers>
#   # or
#   re!<metric regex>: <prometheus label matchers>

developer: # The keys match the OIDC_ROLES_CLAIM field of the access token.

  re!^awesome_app_: # regex match for all metrics that start with awesome_app_
    env=dev # prometheus label match for dev env

  re!^node_: # regex match for node exporter
    instance=~'.*\.lan$' # prometheus label match for instances that end with .lan

  up: env!=dev,app=hal # prometheus labels are handled by prometheus, so their complete
                       # syntax is supported

admin: # The keys match the OIDC_ROLES_CLAIM field of the access token.

  secret_app_: # exact metric name
    ~ # yaml null value will block access to a metric

  '*': # wildcard match for all metrics
    '' # empty prometheus label match for NO RESTRICTIONS
```

Order of metric name matching:

* Exact metric name
* Regex metric name
* Wildcard metric name
* **Default** deny access

Best Practices:

* Metric regex matches should start with `^`
* Regex label matches are slower than exact matches
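To make the matching order above concrete, here is a small Go model of it, added here as an illustration and not part of the prometheus-acls code base: it takes one role's entries from `prometheus-acls.yml` and returns whether a metric name is allowed and which label matcher the proxy has to enforce. The `Entry` and `Decision` types and the `Lookup` function are assumed names.

```go
package main

import (
	"regexp"
	"strings"
)

// Entry models one "<metric key>: <labels>" line of a role in prometheus-acls.yml:
// Key is an exact name, "re!<regex>" or "*"; Deny is the YAML null (~); Labels ""
// means no restriction. Constructed illustration, not the project's own code.
type Entry struct {
	Key    string
	Labels string
	Deny   bool
}

// Decision: may the query pass, which label matchers to enforce ("" = none), which rule won.
type Decision struct {
	Allowed bool
	Labels  string
	Rule    string
}

// Lookup resolves a metric name against one role's entries in the README's order:
// exact name, regex (in file order), "*", then default deny. Regexes come from the
// operator's ACL file, so a malformed one is a config error (MustCompile panics).
func Lookup(entries []Entry, metric string) Decision {
	var wildcard *Entry
	var regexes []Entry
	for i, e := range entries {
		switch {
		case e.Key == metric:
			return Decision{!e.Deny, e.Labels, "exact"}
		case strings.HasPrefix(e.Key, "re!"):
			regexes = append(regexes, e)
		case e.Key == "*":
			wildcard = &entries[i]
		}
	}
	for _, e := range regexes {
		if regexp.MustCompile(strings.TrimPrefix(e.Key, "re!")).MatchString(metric) {
			return Decision{!e.Deny, e.Labels, "regex"}
		}
	}
	if wildcard != nil {
		return Decision{!wildcard.Deny, wildcard.Labels, "wildcard"}
	}
	return Decision{Rule: "default"} // nothing matched: access denied
}
```

With the `developer` role from the file above, `up` resolves to the exact rule, `node_cpu_seconds_total` to the `re!^node_` rule, and `secret_app_` falls through to the default deny; the `admin` role denies `secret_app_` explicitly and lets everything else through unrestricted via `'*'`.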

### OIDC Provider

Example for keycloak:

* Create a new client with Access Type `confidential`
* Go to the client's mappers and add a new one
* Most mappers should work, e.g. `User Client Role`
* Set `Token Claim Name` to `roles` (if you change this you also need to supply `$OIDC_ROLES_CLAIM` to prometheus-acls)
* `Claim JSON Type` is `String`
* `Add to access token` must be `on`
* Configure both Grafana *and* prometheus-acls with the same OIDC settings

**Note**: When a user has multiple roles, the first one that is mentioned in `prometheus-acls` will be used.
We currently use per-client roles to avoid any conflicts.