Authentication bearer token

[Traver72]

Thanks for all the work on this great gem. Is there a simple way to protect the "/metrics" endpoint using a bearer token? Or is it the way to go to use a middleware for this? As far as I know, it is possible to configure prometheus server so that you can use bearer token for scraping servers.

[Envek]

Yabeda exporter extends exporter from Prometheus Ruby client which is a Rack middleware.

Probably, easiest way is to just place bearer checking middleware (like this one: https://github.com/yujideveloper/rack-bearer_auth) before exporter with the same path.

Something like this:

use Rack::BearerAuth::Middleware do
  match path: "/metrics", token: "very_secret"
end

use Yabeda::Prometheus::Exporter

[Traver72]

Thank you very much for your quick reply. I may rephrase my question. What is the best practice not to make the metrics path publicly accessible? Especially via a bearer token, or is another way more common?

[luizkowalski]

hey 👋🏻

here is an idea that I'm using at the moment:

constraints ->(request) { request.authorization&.match?(/^Bearer\s+#{ENV.fetch('PROMETHEUS_TOKEN', nil)}$/) } do
  mount Yabeda::Prometheus::Exporter, at: "metrics"
end

Then curl -H "Authorization: Bearer $TOKEN" localhost:3000/metrics. without the token, it returns 404