
java – Securing Spring Boot 2 Actuator Prometheus End Points-Exceptionshub

Posted by: admin February 25, 2020

Questions:

I have a Spring Boot 2 with Spring Security microservice that I have configured with Micrometer/Spring Actuator. All is well when I permitAll() on the antMatcher("/actuator/**") end points. I am able to retrieve the Prometheus metrics via a properly configured Prometheus yaml file.

But, my microservice is not behind a firewall and thus open to the world. I only want Prometheus to be able to access my microservice “/actuator/prometheus” end point.

I have the following configurations:

In my Spring Boot 2 microservice ResourceServerConfig class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

  @Autowired
  private JdbcTokenStore tokenStore;

  @Override
  public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId("springsecurity").tokenStore(tokenStore);
  }

  // This resource-server chain authenticates requests by OAuth2 bearer token only;
  // httpBasic() is not enabled here, so HTTP Basic credentials on /actuator/** are rejected with 401.
  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.anonymous().and().authorizeRequests()
      .antMatchers("/actuator/**").hasRole("ENDPOINT_ADMIN")
      .antMatchers("/**").authenticated();
  }
}

For the application.properties file I have:

spring.security.user.name=user
spring.security.user.password=password
spring.security.user.roles=ENDPOINT_ADMIN

# For Prometheus (and other data loggers)
management.endpoint.metrics.enabled=true
management.endpoints.web.exposure.include=*
management.endpoint.prometheus.enabled=true
management.metrics.export.prometheus.enabled=true

Then for my Prometheus YAML file I have this:

global:
  scrape_interval: 15s

scrape_configs:
  - job_name: "prometheus"
    static_configs:
    - targets: ["localhost:9090"]

  - job_name: 'myservice'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 5s
    static_configs:
      - targets: ['localhost:8080']
    basic_auth:
      username: 'user'
      password: 'password'

When I go to /targets in Prometheus I get “server returned HTTP status 401”.

I fully assume I’m not understanding something quite right. Is there a way for me to properly do this? Thank you so much.

Answers:

Were the Prometheus system and the service's system in the internal network?
If they were in the same internal network, you can use the internal IP to get the actuator data.
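The following is an added example and is not code from the original question or answer. It shows one way to give the scrape endpoint its own Spring Security filter chain: an @Order(1) WebSecurityConfigurerAdapter that matches only the prometheus actuator endpoint, authenticates it with HTTP Basic (which is what the Prometheus basic_auth block sends), and additionally requires the client address to fall inside an allowed network range, so the endpoint is protected even when the service is reachable from the Internet. Requests for any other path are not matched by this chain and fall through to the resource-server chain as before. The package name, the metrics.scrape.* property names, the ROLE_PROMETHEUS role, and the 10.0.0.0/8 default CIDR are assumptions chosen for the example.

```java
package com.example.metrics;  // hypothetical package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Dedicated filter chain for the Prometheus scrape endpoint.
 * @Order(1) places it ahead of the @EnableResourceServer chain (default order 3),
 * so /actuator/prometheus is handled here with HTTP Basic instead of by the
 * bearer-token chain. Every other request is left to the resource server.
 */
@Configuration
@Order(1)
public class PrometheusScrapeSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical property names; inject them from the environment, not from a committed file.
    @Value("${metrics.scrape.username}")
    private String scrapeUsername;

    @Value("${metrics.scrape.password}")
    private String scrapePassword;

    // Hypothetical CIDR of the network the Prometheus server scrapes from.
    @Value("${metrics.scrape.allowed-cidr:10.0.0.0/8}")
    private String allowedCidr;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Match only the prometheus actuator endpoint (honours management.endpoints.web.base-path).
            .requestMatcher(EndpointRequest.to("prometheus"))
            .authorizeRequests()
                // Both must hold: the scraper credential AND a source address inside the allowed range.
                .anyRequest().access("hasRole('PROMETHEUS') and hasIpAddress('" + allowedCidr + "')")
            .and()
            // HTTP Basic is what Prometheus sends for a basic_auth scrape target.
            .httpBasic()
            .and()
            // A scraper never needs a session; avoids minting a JSESSIONID on every scrape.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Scrapes are stateless GETs, so CSRF protection adds nothing on this chain.
            .csrf().disable();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /**
     * Defining this bean replaces the spring.security.user.* default user.
     * The scrape identity carries only ROLE_PROMETHEUS, so a leaked scrape
     * credential grants nothing beyond the metrics endpoint.
     */
    @Bean
    public UserDetailsService scrapeUsers(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername(scrapeUsername)
                .password(encoder.encode(scrapePassword))
                .roles("PROMETHEUS")
                .build());
    }
}
```

To check it, run `curl -u <user>:<password> http://localhost:8080/actuator/prometheus` from inside the allowed range and expect 200 with the metrics text; the same request without credentials, or from an address outside the range, should get 401 or 403, and a request for another endpoint such as /actuator/env with the scrape credential is not matched by this chain at all and is answered by the resource-server chain. Two caveats: hasIpAddress evaluates the remote address the servlet container reports, so behind a reverse proxy or load balancer it will see the proxy's address unless forwarded-header handling is enabled (server.forward-headers-strategy=native or framework in Spring Boot 2.2+); and `management.endpoints.web.exposure.include=*` from the question exposes every actuator endpoint over HTTP, so a tighter value such as `health,prometheus` limits what a misconfiguration can reach.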