Spring Boot and Micrometer with Prometheus Part 6: Securing metrics
Previously we successfully spun up our Spring Boot application With Prometheus. An endpoint in our Spring application is exposing our metric data so that prometheus is able to retrieve them.
The main question that comes to mind is how to secure this information.
Spring already provides us with its great security framework
so it will be fairly easy to use it for our application. The goal would be to use basic authentication for the actuator/prometheus endpoints and also configure prometheus in order to access that information using basic authentication.
So the first step is to enable the security on our app. The first step is to add the security jar.
1 2 3 4 | < dependency > < groupId >org.springframework.boot</ groupId > < artifactId >spring-boot-starter-security</ artifactId > </ dependency > |
The Spring boot application will get secured on its own by generating a password for the default user.
However we do want to have control over the username and password so we are going to use some environment variables.
By running the application with the credentials for the default user we have the prometheus endpoints secured with a minimal configuration.
1 | SPRING_SECURITY_USER_NAME= test -user SPRING_SECURITY_USER_PASSWORD= test -password mvn spring-boot:run |
So now that we have the security setup on our app, it’s time to update our prometheus config.
1 2 3 4 5 6 7 8 9 | scrape_configs: - job_name: 'prometheus-spring' scrape_interval: 1m metrics_path: '/actuator/prometheus' static_configs: - targets: [ 'my.local.machine:8080' ] basic_auth: username: "test-user" password: "test-password" |
So let’s run again prometheus as described previously.
To sum app after this change prometheus will gather metrics data for our application in a secure way.
Published on Java Code Geeks with permission by Emmanouil Gkatziouras, partner at our JCG program. See the original article here: Spring Boot and Micrometer with Prometheus Part 6: Securing metrics Opinions expressed by Java Code Geeks contributors are their own. |