Skip to content

[metrics][docs] Support Basic Auth for Prometheus PushGateway reporter#3552

Merged
luoyuxia merged 4 commits into
apache:mainfrom
Guosmilesmile:prometheus_author
Jul 3, 2026
Merged

[metrics][docs] Support Basic Auth for Prometheus PushGateway reporter#3552
luoyuxia merged 4 commits into
apache:mainfrom
Guosmilesmile:prometheus_author

Conversation

@Guosmilesmile

@Guosmilesmile Guosmilesmile commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Purpose

Linked issue: close #3561

Currently PrometheusPushGatewayReporter sends metrics to the Prometheus PushGateway anonymously. In production, PushGateway is often placed behind has its own basic auth enabled, which makes the reporter unusable in secured deployments.

This PR adds first-class support for Basic Auth on the prometheus-push reporter.

Brief change log

  • Add two new config options:
    • metrics.reporter.prometheus-push.username
    • metrics.reporter.prometheus-push.password
  • PrometheusPushGatewayReporter now injects
    io.prometheus.client.exporter.BasicAuthHttpConnectionFactory into the underlying PushGateway when a username is configured; otherwise the behavior is unchanged (no Authorization header is sent).
  • PrometheusPushGatewayReporterPlugin reads the two new options and passes them to the reporter. A basicAuthEnabled flag is logged instead of the raw credentials, so passwords are never printed.

Tests

API and Format

Documentation

Add the config to the doc

this.pushInterval = pushInterval;
if (username != null && !username.isEmpty()) {
this.pushGateway.setConnectionFactory(
basicAuthConnectionFactory(username, password == null ? "" : password));

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not reuse Prometheus' built-in BasicAuthHttpConnectionFactory because it relies on javax.xml.bind.DatatypeConverter for Base64 encoding, which has been removed from the JDK since Java 9 (JEP 320). Using java.util.Base64 keeps this reporter compatible with JDK 8+.

This issue has been resolved at the underlying level in higher versions of the Prometheus dependency, but the current 0.8 version does not include the fix. Upgrading the version rashly may cause problems, so we resolve it here with our own implementation.

@Guosmilesmile Guosmilesmile changed the title [metrics] Support Basic Auth for Prometheus PushGateway reporter [metrics][docs] Support Basic Auth for Prometheus PushGateway reporter Jul 1, 2026
@Guosmilesmile

Guosmilesmile commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Hey @luoyuxia , if you have time, could you please help me review this?
Thank you.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds Basic Auth support to the Prometheus PushGateway metrics reporter so Fluss can push metrics to secured PushGateway deployments. It introduces new configuration options, wires them through the reporter plugin into the reporter implementation, and updates the documentation and tests accordingly.

Changes:

  • Added metrics.reporter.prometheus-push.username / metrics.reporter.prometheus-push.password configuration options and documented them.
  • Updated PrometheusPushGatewayReporterPlugin and PrometheusPushGatewayReporter to attach an Authorization: Basic … header when a username is configured.
  • Added unit tests that validate the presence/absence of the Authorization header and plugin wiring.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
website/docs/maintenance/observability/metric-reporters.md Documents the new PushGateway Basic Auth configuration keys and example usage.
website/docs/maintenance/configuration.md Adds the new configuration options to the central configuration reference table.
fluss-metrics/fluss-metrics-prometheus/src/test/java/org/apache/fluss/metrics/prometheus/PrometheusPushGatewayReporterTest.java Introduces tests verifying Authorization header behavior and plugin propagation.
fluss-metrics/fluss-metrics-prometheus/src/main/java/org/apache/fluss/metrics/prometheus/PrometheusPushGatewayReporterPlugin.java Reads new config keys and passes credentials (when enabled) into the reporter.
fluss-metrics/fluss-metrics-prometheus/src/main/java/org/apache/fluss/metrics/prometheus/PrometheusPushGatewayReporter.java Implements Basic Auth header injection via a custom HttpConnectionFactory.
fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java Defines the two new config options for PushGateway Basic Auth.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +96 to +101
private static HttpConnectionFactory basicAuthConnectionFactory(String user, String password) {
final String header =
"Basic "
+ Base64.getEncoder()
.encodeToString(
(user + ":" + password).getBytes(StandardCharsets.UTF_8));

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#3552 (comment) Reason see this.

Comment thread fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java Outdated

@luoyuxia luoyuxia left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Guosmilesmile Thanks for the pr. Just left one comment. PTAL

Comment thread fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java Outdated
@luoyuxia luoyuxia merged commit 6238daa into apache:main Jul 3, 2026
8 checks passed
@Guosmilesmile Guosmilesmile deleted the prometheus_author branch July 3, 2026 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support Basic Auth for Prometheus PushGateway reporter

3 participants