
bitsbeats/prometheus-acls


prometheus-acls


A reverse proxy for Prometheus that enforces label-based ACLs, with roles taken from an OIDC access token.

Prerequisites

  • A running Prometheus server
  • An OpenID Connect server (e.g. Keycloak) with the option to set custom fields in the Access Token
  • A Grafana instance that authenticates with OpenID Connect

Configuration

Environment

All settings are configured via environment variables.

  • LISTEN: IP and port to listen on (default :8080)
  • URL: URL of prometheus-acls itself, used to generate redirects and the login and callback routes (e.g. https://promacl.example.com)
  • COOKIE_SECRET: Cookie secret (should be 32 or 64 chars), autogenerated if empty
  • PROMETHEUS_URL: URL of the upstream Prometheus (default http://localhost:9090)
  • OIDC_ISSUER: URL of the OpenID Connect server (e.g. https://auth.example.com/auth/realms/users)
  • OIDC_CLIENT_ID: OAuth client ID (e.g. grafana)
  • OIDC_CLIENT_SECRET: OAuth client secret (e.g. 12345678-1234-1234-1234-123456789abc)
  • OIDC_ROLES_CLAIM: Field in the Access Token from which the user's roles are loaded (default roles)
  • ACL_FILE: Full or relative path to the ACL configuration file (default prometheus-acls.yml)

prometheus-acls.yml:

The prometheus-acls.yml file is used to map roles to access rights.

# syntax:
#
# <rolename>:
#   <metricname>: <prometheus label matches>
#   # or
#   re!<regex>: <prometheus label matches>

developer:                # The keys match the OIDC_ROLES_CLAIM field of the access token.

  re!^awesome_app_:       # regex match for all metrics that start with awesome_app_
    env=dev               # prometheus label match for dev env

  re!^node_:              # regex match for node exporter
    instance=~'.*\.lan$'  # prometheus label match for instances that end with .lan

  up: env!=dev,app=hal    # prometheus labels are handled by prometheus, so their complete
                          # syntax is supported

admin:                    # The keys match the OIDC_ROLES_CLAIM field of the access token.

  secret_app_:            # exact metric name
    ~                     # YAML null value blocks access to the metric entirely

  '*':                    # wildcard match for all metrics
    ''                    # empty prometheus label match means NO RESTRICTIONS

Order of metric name matching:

  • Exact metric name
  • Regex metric name
  • Wildcard metric name
  • Default deny access

Best Practices:

  • Metric regex matches should start with ^, so the pattern is anchored to the beginning of the metric name
  • Regex label matches are slower than exact matches

OIDC Provider

Example for keycloak:

  • Create a new client with Access Type confidential
  • Go to the client's mappers and add a new one
  • Most mappers should work, e.g. User Client Role
  • Set Token Claim Name to roles (if you change this you also need to supply $OIDC_ROLES_CLAIM to prometheus-acls)
  • Claim JSON Type is String
  • Add to access token must be on
  • Configure both Grafana and prometheus-acls with the same OIDC settings

Note: When a user has multiple roles, the first one that is mentioned in prometheus-acls will be used. We currently use per-client roles to avoid any conflicts.
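The following Go program is an added example, not code from the prometheus-acls project. It models two rules from this README: the metric name matching order (exact name, then regex, then wildcard, then default deny, with a YAML null denying the metric and an empty label match meaning no restrictions), and the note above that a user holding several roles gets the first one mentioned in the ACL file. The type and function names are hypothetical, the sample file mirrors the developer/admin example from this README as constructed Go data, and two details the README does not pin down are assumptions: regex entries are tried in file order with the first hit winning, and a regex that is not anchored with ^ is rejected at load time (the README only lists that as a best practice).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Entry is one line of a role's ACL in prometheus-acls.yml. Key is an exact
// metric name, "re!<regex>" or "*"; Labels holds the Prometheus label matchers
// to enforce ('' means no restrictions); Deny marks a YAML null (~).
type Entry struct {
	Key, Labels string
	Deny        bool
	re          *regexp.Regexp // compiled pattern, set for re! keys
}

// RoleACL indexes one role's entries by kind. Regex rules keep file order
// (assumption: the first matching regex wins; the README does not say).
type RoleACL struct {
	exact    map[string]Entry
	regex    []Entry
	wildcard *Entry
}

// NewRoleACL indexes entries and compiles regexes. A regex without a leading
// ^ is rejected (assumption: the README lists that only as a best practice).
func NewRoleACL(entries []Entry) (RoleACL, error) {
	acl := RoleACL{exact: map[string]Entry{}}
	for i, e := range entries {
		switch {
		case e.Key == "*":
			acl.wildcard = &entries[i]
		case strings.HasPrefix(e.Key, "re!"):
			pattern := strings.TrimPrefix(e.Key, "re!")
			if !strings.HasPrefix(pattern, "^") {
				return RoleACL{}, fmt.Errorf("regex %q is not anchored with ^", pattern)
			}
			var err error
			if e.re, err = regexp.Compile(pattern); err != nil {
				return RoleACL{}, fmt.Errorf("regex %q: %w", pattern, err)
			}
			acl.regex = append(acl.regex, e)
		default:
			acl.exact[e.Key] = e
		}
	}
	return acl, nil
}

// Lookup applies the README's order (exact name, regex, wildcard, default deny)
// and returns the label matchers to enforce plus whether the metric is allowed.
func (r RoleACL) Lookup(metric string) (labels string, allowed bool) {
	if e, ok := r.exact[metric]; ok {
		return e.Labels, !e.Deny
	}
	for _, e := range r.regex {
		if e.re.MatchString(metric) {
			return e.Labels, !e.Deny
		}
	}
	if r.wildcard != nil {
		return r.wildcard.Labels, !r.wildcard.Deny
	}
	return "", false
}

// FirstConfiguredRole picks the role for a token's roles claim: the first role
// in file order that the token carries. ok is false when none is configured.
func FirstConfiguredRole(fileOrder, tokenRoles []string) (role string, ok bool) {
	for _, name := range fileOrder {
		for _, held := range tokenRoles {
			if held == name {
				return name, true
			}
		}
	}
	return "", false
}

// SampleACL is the README's developer/admin example as constructed data. The
// returned order is the file order, which decides between a user's roles.
func SampleACL() (order []string, roles map[string]RoleACL) {
	dev, _ := NewRoleACL([]Entry{ // constructed data is known valid, errors ignored
		{Key: "re!^awesome_app_", Labels: "env=dev"},
		{Key: "re!^node_", Labels: `instance=~'.*\.lan$'`},
		{Key: "up", Labels: "env!=dev,app=hal"},
	})
	admin, _ := NewRoleACL([]Entry{{Key: "secret_app_", Deny: true}, {Key: "*"}})
	return []string{"developer", "admin"}, map[string]RoleACL{"developer": dev, "admin": admin}
}

func main() {
	order, roles := SampleACL()
	role, _ := FirstConfiguredRole(order, []string{"admin", "developer"})
	for _, m := range []string{"awesome_app_requests_total", "up", "secret_app_"} {
		labels, allowed := roles[role].Lookup(m)
		fmt.Printf("role=%s metric=%s allowed=%t labels=%q\n", role, m, allowed, labels)
	}
}
```

Run with `go run main.go`. A token carrying both admin and developer resolves to developer because that role comes first in the file, so secret_app_ ends in the default deny for that user even though admin would also have denied it explicitly; a token whose roles are all unknown to the file resolves to no role and must be treated as no access.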