Hi,
thank you for your swift response.
I fully understand the desire to keep it out of Prometheus and move
this in front of Prometheus, like prometheus-auth does.
AFAICT this requires a duplication of the PromQL parser code, which I
consider troubling from a security perspective. If Prometheus' PromQL
and that of the proxy diverge, it may be possible that data is being
leaked between parties. It is also quite hard to verify correctness.
In the use case I described, IMHO the issue of PromQL network access is
perhaps less relevant, given that (parts of) the network must work for
the user to authenticate (LDAP) and access the API (HTTP) and the
reverse proxy too. The disks may well be on a NAS too.
In my proposal, the PromQL rule evaluation, etc. would not require any
more network access than currently. *Only* API calls.
I would definitely consider it good practice to install the
ACLEvaluator on the same machine as Prometheus and deploy caching
strategies within it.
Might it be preferable to use a local socket interface instead of gRPC
to mitigate the issue of network access?
Conrad