Add documentation for Security configuration #4

Open
mvanderlee opened this issue Oct 18, 2021 · 3 comments

Comments

@mvanderlee
Copy link

It would be great if you could expand upon this with an example config of a role with minimum permissions needed to access the metrics endpoint.

If you enable security in OpenSearch, remember to set up the credentials also in Prometheus configuration.

@mvanderlee
Copy link
Author

This role seems to do the trick:

```yaml
metrics_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
```

@rursprung
Copy link

I have a similar ticket open in the original ES exporter which hasn't been answered yet: vvanholl/elasticsearch-prometheus-exporter#324

The same questions I asked there also apply here and expand a bit on your question, as it's a two-fold problem:

  • how to let the Prometheus scraper access this endpoint w/o HTTPS (self-signed certs) & authentication (the scraper expects the endpoints to be unsecured)
  • how to let the plugin access the OpenSearch metrics

And I just realised a 3rd point: the metrics endpoint should IMHO only be reachable for the Prometheus scraper, while the rest of OpenSearch should only be reachable for its consumers (using network policies in Kubernetes this is quite easy to do, if you are running the things on separate ports).
I think if the plugin were updated to run its own small HTTP server (with a dedicated port) and expose the endpoint there, then it could be configured to run as HTTP and w/o authentication even if the rest of OpenSearch has HTTPS and requires authentication. Then the only thing left to configure is that it uses some login information which can access the cluster metrics.

Regarding the login information: does this have to be basic authentication (i.e. username/password for a user in the internal user realm) or could it also be something else (e.g. a callback to a configured script which could then fetch an authentication token (I'm thinking about JWT here) or certificate-based authentication)?

@BlackMetalz
Copy link

Update for anyone who has no idea about Prometheus config

```yaml
  - job_name: opensearch
    scrape_interval: 30s
    metrics_path: "/_prometheus/metrics"
    static_configs:
    - targets:
      - ip:9200
    basic_auth:
      username: 'user'
      password: 'pass'
```

and set up the user with this info via Dashboards:

```yaml
metrics_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
```
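The scrape job above works, but it keeps the password inline in prometheus.yml and scrapes over plain HTTP, which is exactly the gap the earlier comment raised (HTTPS with a self-signed CA plus authentication). The following is an added example, not code from the plugin or from anyone in this thread: it builds the hardened form of the same job (HTTPS, the cluster's CA pinned via `tls_config.ca_file`, the password read from `basic_auth.password_file`, all standard Prometheus `scrape_config` fields), lints a job for the weak settings people tend to leave in, and checks a security-plugin role against the `cluster_monitor` / `indices_monitor` pair the thread found sufficient. Host names, file paths and user names are placeholders; that those two permissions are the minimum is carried over from the thread, not verified here.

```python
"""Added example (not the plugin's or the commenters' code).

Hardened Prometheus scrape job for the OpenSearch /_prometheus/metrics endpoint
plus two small linters: one for the scrape job, one for the OpenSearch security
role that the scraping user is mapped to. Paths/hosts/users are placeholders.
"""
from typing import Any

METRICS_PATH = "/_prometheus/metrics"   # endpoint path used in the thread

# Permissions granted by the metrics_access role posted in the thread; the
# thread reports them as sufficient for the exporter (assumption carried over).
MONITOR_CLUSTER = {"cluster_monitor"}
MONITOR_INDEX = {"indices_monitor"}


def scrape_job(target: str, ca_file: str, username: str, password_file: str,
               job_name: str = "opensearch", interval: str = "30s") -> dict[str, Any]:
    """Return a scrape job (same shape as a prometheus.yml entry) that talks HTTPS,
    trusts the cluster's own CA instead of disabling verification, and keeps the
    basic-auth password out of prometheus.yml."""
    return {
        "job_name": job_name,
        "scrape_interval": interval,
        "metrics_path": METRICS_PATH,
        "scheme": "https",
        "tls_config": {"ca_file": ca_file},        # self-signed/private CA goes here
        "basic_auth": {"username": username, "password_file": password_file},
        "static_configs": [{"targets": [target]}],
    }


def lint_job(job: dict[str, Any]) -> list[str]:
    """Weaknesses found in one scrape job; an empty list means clean."""
    findings: list[str] = []
    if job.get("scheme", "http") != "https":
        findings.append("scheme is not https: basic-auth credentials cross the wire in cleartext")
    if job.get("tls_config", {}).get("insecure_skip_verify"):
        findings.append("tls_config.insecure_skip_verify is true: any host can impersonate "
                        "the cluster and harvest the credentials; pin ca_file instead")
    auth = job.get("basic_auth")
    if not auth:
        findings.append("no basic_auth: a secured cluster answers the scrape with 401")
    elif "password" in auth:
        findings.append("basic_auth.password is inline: use password_file so the secret "
                        "is not stored in prometheus.yml")
    return findings


def lint_role(role: dict[str, Any]) -> list[str]:
    """Flag anything the role grants beyond what the exporter needs, and anything missing."""
    findings: list[str] = []
    cluster = set(role.get("cluster_permissions", []))
    if extra := cluster - MONITOR_CLUSTER:
        findings.append(f"cluster_permissions broader than cluster_monitor: {sorted(extra)}")
    if missing := MONITOR_CLUSTER - cluster:
        findings.append(f"cluster_permissions missing: {sorted(missing)}")
    index_actions = {a for p in role.get("index_permissions", []) for a in p.get("allowed_actions", [])}
    if extra := index_actions - MONITOR_INDEX:
        findings.append(f"index allowed_actions broader than indices_monitor: {sorted(extra)}")
    if missing := MONITOR_INDEX - index_actions:
        findings.append(f"index allowed_actions missing: {sorted(missing)}")
    return findings


def _scalar(v: Any) -> str:
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, (int, float)):
        return str(v)
    return "'" + str(v).replace("'", "''") + "'"   # single-quoted YAML string


def to_yaml(value: Any, indent: int = 0) -> str:
    """Minimal YAML emitter for the nested dict/list/scalar shape above (no PyYAML needed)."""
    pad = "  " * indent
    if isinstance(value, dict):
        out = []
        for k, v in value.items():
            if isinstance(v, (dict, list)):
                out.append(f"{pad}{k}:")
                out.append(to_yaml(v, indent + 1))
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
        return "\n".join(out)
    if isinstance(value, list):
        out = []
        for item in value:
            if isinstance(item, (dict, list)):
                # first key shares the "- " line; the rest line up under it
                out.append(f"{pad}- " + to_yaml(item, indent + 1).lstrip())
            else:
                out.append(f"{pad}- {_scalar(item)}")
        return "\n".join(out)
    return f"{pad}{_scalar(value)}"


if __name__ == "__main__":
    job = scrape_job("opensearch.example.internal:9200", "/etc/prometheus/opensearch-ca.pem",
                     "metrics", "/etc/prometheus/opensearch-metrics.pass")
    print("scrape_configs:\n" + to_yaml([job], 1))
    print("job findings:", lint_job(job))
```

The role linter treats anything beyond the two monitor permissions as a finding, so a role that uses `cluster_all` or `*` to "make it work" shows up immediately; the job linter flags the two shortcuts that most often survive into production, an inline password and `insecure_skip_verify: true`. The emitted `scrape_configs` block can be pasted straight into prometheus.yml.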
