Revisit: pluggable Authenticator for jmx_exporter agent, for use in containers


Gary Tully

Oct 5, 2024, 8:17:02 AM
to Prometheus Users
Hello,
First, thanks for a great project.

The idea of a pluggable Authenticator was proposed and considered a while back in #664 and the comment resonated then. I guess it still does. https://github.com/prometheus/jmx_exporter/issues/664#issuecomment-995943112

My use case is in a container, where the classpath is locked down and the file system is read-only. It is a low risk classloading environment.

For some context:
My JVM running a broker has the Jolokia agent with a pluggable Authenticator that delegates to JAAS. Ideally I would be able to use the same Authenticator with this lovely Prometheus exporter, but alas not at this time.

My Jolokia config has the property:
authClass=[org.apache.activemq.artemis.spi.core.security.jaas.HttpServerAuthenticator](https://github.com/apache/activemq-artemis/blob/main/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/HttpServerAuthenticator.java)

This allows Artemis to do the RBAC of the HTTPS endpoint based on the client cert in a convenient way. Access to the JVM MBean server is restricted to authenticated users.

Is it worth working up a PR to make this possible? i.e: adding config to specify the class of Authenticator to dynamically load?

Kind regards and thanks for your time,
gary.

Gary Tully

Oct 7, 2024, 5:22:11 AM
to Prometheus Users
To follow up, I have pushed two PRs to make this possible. I have kept the integration point as the Authenticator interface, in favour of a factory, to allow some dependency independence.

https://github.com/prometheus/jmx_exporter/pull/1002 - adds config to jmx_exporter to allow a custom authenticator to be configured
https://github.com/prometheus/client_java/pull/1089 for the case that a custom authenticator requires a doAs call

They depend on each other, so client_java will need a release first. I guess those PRs are the best place to have any conversation.

kind regards,
gary.
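
The idea discussed in this thread, as an added example that is not code from the thread, from either PR, or from Artemis: a loader that resolves a configured class name to a `com.sun.net.httpserver.Authenticator` and fails closed, plus a constructed client-certificate authenticator to load. The names `PluggableAuth`, `load`, `ClientCertAuthenticator` and the realm `metrics` are assumptions made for illustration.

```java
import com.sun.net.httpserver.Authenticator;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpPrincipal;
import com.sun.net.httpserver.HttpsExchange;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PluggableAuth {

    /** Hypothetical loader: turns a configured class name into an Authenticator, failing closed. */
    static Authenticator load(String className) {
        try {
            // initialize=false: no static initializer runs before the type check passes
            Class<?> c = Class.forName(className, false, PluggableAuth.class.getClassLoader());
            if (!Authenticator.class.isAssignableFrom(c)) {
                throw new IllegalArgumentException(className + " is not an Authenticator");
            }
            return c.asSubclass(Authenticator.class).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            // A bad config value must stop startup, never leave the endpoint unauthenticated
            throw new IllegalStateException("cannot load authenticator " + className, e);
        }
    }

    /** Constructed sample plugin: accepts only requests with a verified TLS client certificate. */
    public static final class ClientCertAuthenticator extends Authenticator {
        @Override
        public Result authenticate(HttpExchange exchange) {
            if (!(exchange instanceof HttpsExchange)) {
                return new Failure(403); // plain HTTP carries no client certificate
            }
            try {
                String subject =
                        ((HttpsExchange) exchange).getSSLSession().getPeerPrincipal().getName();
                return new Success(new HttpPrincipal(subject, "metrics"));
            } catch (SSLPeerUnverifiedException e) {
                return new Failure(401); // the handshake did not authenticate the client
            }
        }
    }

    public static void main(String[] args) {
        Authenticator a = load(ClientCertAuthenticator.class.getName());
        System.out.println("loaded " + a.getClass().getName());
        try {
            load("java.lang.String"); // wrong type must be rejected
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The client-certificate branch only succeeds when the HTTPS server is configured to request client authentication; without that, `getPeerPrincipal()` throws and the request is refused.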
