Endpoint authentication in jmx_exporter #664
Comments
I'm currently playing around with a new config format, my current sketch looks like this:

2021-12-16: Updated with the current contents of my sketch file

```yaml
startDelaySeconds: 0
collector:
  hostPort: 127.0.0.1:1234
  jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:1234/jmxrmi
  username:
  password:
  sslEnabled: true
  sslClientAuth: true # Default is taken from the System property: com.sun.management.jmxremote.ssl.need.client.auth
  sslKeyAlias: jmx # see Tomcat's keyAlias
httpServer:
  address: 0.0.0.0
  port: 8080
  username: admin
  password: admin
  sslEnabled: true
  sslClientAuth: true # Note: In Tomcat, possible values are 'true', 'false', and 'want'.
  sslKeyAlias: server # see Tomcat's keyAlias
# The SSL section is an alternative to the standard System properties.
# Defaults are taken from the System properties.
ssl:
  sslKeyStore: /etc/my-keystore # System property: javax.net.ssl.keyStore
  sslKeyStorePassword: changeit # System property: javax.net.ssl.keyStorePassword
  sslTrustStore: /etc/my-trust-store # javax.net.ssl.trustStore
  sslTrustStorePassword: changeit # System property: javax.net.ssl.trustStorePassword
jmxBeanFilter:
  include:
    - org.apache.cassandra.metrics:*
  exclude:
    - org.apache.cassandra.metrics:type=ColumnFamily,*
metricFilter:
  nameMustNotBeEqualTo:
    - jvm_threads_deadlocked
    - io_prometheus_jmx_tabularData_Server_1_Disk_Usage_Table_avail
    - java_lang_Memory_HeapMemoryUsage_used
    - jmx_config_reload_success_total
    - java_specification_version
lowercaseOutputName: false
lowercaseOutputLabelNames: false
rules:
  - pattern: 'org.apache.cassandra.metrics<type=(\w+), name=(\w+)><>Value: (\d+)'
    name: cassandra_$1_$2
    value: $3
    valueFactor: 0.001
    labels: {}
    help: "Cassandra metric $1 $2"
    cache: false
    type: GAUGE
    attrNameSnakeCase: false
```

It's still early stages though, I'm extending the The implementation would be backwards compatible, so if anyone uses the old config What do you think?
@fstab I think it looks really good. I would like the authentication to be pluggable by an end-user if possible. A pluggable model would allow an end-user to do more than would ever be provided by packaged
I updated the yaml config sketch above. I'm not sure about the pluggable authenticator. That would mean that the

Given the recent Log4J issue, I understand the concern around pluggability/dynamic classloading.

I did a bit of monkey work and created a It can also read the old format for backwards compatibility. I didn't test it extensively though, so there might be bugs.

Looks pretty good.

Thoughts on making

Thoughts on adding

I noticed that the example above doesn't include sslContextType or sslKeystoreType. I think these should be added with defaults of TLSv1.2 and PKCS12.

Happy to report the new-config branch allows me to auth correctly with JBoss EAP and its service:jmx:remote+http: url
@fstab I have managed to find time during Christmas break to create an initial implementation of HTTP Basic authentication and HTTPS support. Please review. https://github.com/dhoard/jmx_exporter/tree/basic-authentication-and-ssl Notes: I used a different configuration format...
I like flags to enable/disable functionality.

Running the test suite

Java agent tests

Note: due to TLS issues on ibmjava:8 and ticketfly/java:6 containers, HTTPS is not supported with these JVMs

Java HttpServer tests

Note: due to TLS issues on ibmjava:8 and ticketfly/java:6 containers, HTTPS is not supported with these JVMs

Hi @dhoard, thanks for your work on this. I didn't look at the code yet, but looking at the config sample, I see a difference between yours and the one in `jmx_exporter/collector/src/test/resources/test-config-new.yaml` (lines 3 to 25 in 8edfeea).
There are two places where SSL can be used:
However, I think you can only configure one keystore in Java applications. If you want different keys for exporting and scraping, you need to add both keys to the same keystore and make them accessible with different aliases. So in the config in the Does this make sense?
@fstab the goal of the The code, as currently written, allows two separate keystores to prevent existing installations from changing JMX SSL configuration. If the goal is a single keystore / truststore... I can go down that path. With the current version in my branch, all you have to do to get Basic authentication and HTTPS is add...
JMX uses the keystore defined as Java properties:
The HTTP server uses the values in the configuration YAML to create its own Relevant test... and configuration... If this conversation is best moved to the mailing list, let me know. I know that a lot of users / requesters of this feature watch GitHub issues, but may not follow the mailing list.
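The two comments above disagree on one keystore versus two. The single-keystore route @fstab describes (both key entries in one store, selected by alias) is shown below as an added example; it is not code from jmx_exporter or from either branch discussed here. It also wires the resulting SSLContext into the JDK's HttpsServer, which is what the `httpServer` section of the sketch configures, and maps `sslClientAuth: true` to `setNeedClientAuth`. File paths, passwords and the aliases `jmx`/`server` are the placeholders from the config sketch; `TLSv1.2` and `PKCS12` are the defaults proposed in this thread.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;

/** One keystore, two key entries: pick the server certificate by alias instead of letting the JDK choose. */
public final class AliasPinnedHttps {

    /** Wraps the JDK key manager; server-side alias selection is pinned, client-side is delegated. */
    static final class FixedServerAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedServerAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        // HttpsServer drives TLS through SSLEngine, so the Engine variant is the one that actually runs.
        @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return alias; }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return alias; }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return new String[] {alias}; }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    static KeyStore load(String type, String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Mirrors the sketch's ssl/httpServer keys: protocol, store type, keystore, truststore, key alias. */
    public static SSLContext buildContext(String protocol, String storeType,
                                          String keyStorePath, char[] keyStorePassword, String keyAlias,
                                          String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = load(storeType, keyStorePath, keyStorePassword);
        if (!keyStore.isKeyEntry(keyAlias)) { // fail at startup, not at the first TLS handshake
            throw new IllegalArgumentException("no private key under alias '" + keyAlias + "' in " + keyStorePath);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new FixedServerAliasKeyManager((X509KeyManager) kms[i], keyAlias);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(storeType, trustStorePath, trustStorePassword));
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** HTTPS listener for the scrape endpoint; clientAuth maps to the sketch's sslClientAuth flag. */
    public static HttpsServer listener(SSLContext ctx, String address, int port, boolean clientAuth) throws IOException {
        HttpsServer server = HttpsServer.create(new InetSocketAddress(address, port), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx) {
            @Override public void configure(HttpsParameters params) {
                SSLParameters p = getSSLContext().getDefaultSSLParameters();
                p.setNeedClientAuth(clientAuth); // 'true'; Tomcat's 'want' would be setWantClientAuth instead
                params.setSSLParameters(p);
            }
        });
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Paths, passwords and alias are the placeholders from the config sketch in this thread.
        SSLContext ctx = buildContext("TLSv1.2", "PKCS12",
                "/etc/my-keystore", "changeit".toCharArray(), "server",
                "/etc/my-trust-store", "changeit".toCharArray());
        HttpsServer server = listener(ctx, "0.0.0.0", 8080, true);
        server.createContext("/metrics", ex -> ex.sendResponseHeaders(204, -1)); // exporter would write metrics here
        server.start();
    }
}
```

The JMX side keeps using whatever `javax.net.ssl.keyStore` points at; with both entries in that one file, the JMX connector takes the `jmx` entry through the JDK's default selection while the scrape listener is pinned to `server`. Note that the JDK's default key manager ignores the alias when more than one entry matches the negotiated key type, which is why the wrapper above pins it explicitly, and that `isKeyEntry` catches a typo in `sslKeyAlias` at startup instead of at the first scrape.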
Added more test classes.

Notes

see #688
This is targeted for the next (post 0.18.0) release |
Given the merge of prometheus/client_java#682, authentication to endpoints in `jmx_exporter` can now be implemented.

Ideally, I think we should make the authentication pluggable, with a default `BasicAuthentication` implementation built-in.

Thoughts on pluggability/configuration parameters?