[metrics][docs] Support Basic Auth for Prometheus PushGateway reporter #3552
| this.pushInterval = pushInterval; | ||
| if (username != null && !username.isEmpty()) { | ||
| this.pushGateway.setConnectionFactory( | ||
| basicAuthConnectionFactory(username, password == null ? "" : password)); |
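Review bot: In the `username != null && !username.isEmpty()` branch, a null password is silently replaced with an empty string, so the reporter authenticates with a blank password, and a password configured without a username is dropped with no signal because the connection factory is never set. Consider failing fast, or at least logging a warning, when only one of the two options is present, so a misconfigured deployment does not quietly push anonymously or with blank credentials.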
We do not reuse Prometheus' built-in BasicAuthHttpConnectionFactory because it relies on javax.xml.bind.DatatypeConverter for Base64 encoding, which has been removed from the JDK since Java 9 (JEP 320). Using java.util.Base64 keeps this reporter compatible with JDK 8+.
This issue has been resolved at the underlying level in higher versions of the Prometheus dependency, but the current 0.8 version does not include the fix. Upgrading the version rashly may cause problems, so we resolve it here with our own implementation.
Hey @luoyuxia, if you have time, could you please help me review this?
Pull request overview
This PR adds Basic Auth support to the Prometheus PushGateway metrics reporter so Fluss can push metrics to secured PushGateway deployments. It introduces new configuration options, wires them through the reporter plugin into the reporter implementation, and updates the documentation and tests accordingly.
Changes:
- Added `metrics.reporter.prometheus-push.username` / `metrics.reporter.prometheus-push.password` configuration options and documented them.
- Updated `PrometheusPushGatewayReporterPlugin` and `PrometheusPushGatewayReporter` to attach an `Authorization: Basic …` header when a username is configured.
- Added unit tests that validate the presence/absence of the `Authorization` header and plugin wiring.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| website/docs/maintenance/observability/metric-reporters.md | Documents the new PushGateway Basic Auth configuration keys and example usage. |
| website/docs/maintenance/configuration.md | Adds the new configuration options to the central configuration reference table. |
| fluss-metrics/fluss-metrics-prometheus/src/test/java/org/apache/fluss/metrics/prometheus/PrometheusPushGatewayReporterTest.java | Introduces tests verifying Authorization header behavior and plugin propagation. |
| fluss-metrics/fluss-metrics-prometheus/src/main/java/org/apache/fluss/metrics/prometheus/PrometheusPushGatewayReporterPlugin.java | Reads new config keys and passes credentials (when enabled) into the reporter. |
| fluss-metrics/fluss-metrics-prometheus/src/main/java/org/apache/fluss/metrics/prometheus/PrometheusPushGatewayReporter.java | Implements Basic Auth header injection via a custom HttpConnectionFactory. |
| fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java | Defines the two new config options for PushGateway Basic Auth. |
| private static HttpConnectionFactory basicAuthConnectionFactory(String user, String password) { | ||
| final String header = | ||
| "Basic " | ||
| + Base64.getEncoder() | ||
| .encodeToString( | ||
| (user + ":" + password).getBytes(StandardCharsets.UTF_8)); |
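Review bot: `basicAuthConnectionFactory` concatenates `user + ":" + password` without checking `user` for a colon. A Basic Auth receiver splits the decoded value at the first colon (RFC 7617), so a username containing `:` would be read as a different user and password; reject such usernames when the options are read. Base64 here is only an encoding, not protection, so the documentation for the two options should tell operators to use an `https://` PushGateway URL.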
luoyuxia left a comment
@Guosmilesmile Thanks for the pr. Just left one comment. PTAL
Purpose
Linked issue: close #3561
Currently `PrometheusPushGatewayReporter` sends metrics to the Prometheus PushGateway anonymously. In production, PushGateway is often placed behind has its own basic auth enabled, which makes the reporter unusable in secured deployments.

This PR adds first-class support for Basic Auth on the `prometheus-push` reporter.

Brief change log
- `metrics.reporter.prometheus-push.username`
- `metrics.reporter.prometheus-push.password`
- `PrometheusPushGatewayReporter` now injects `io.prometheus.client.exporter.BasicAuthHttpConnectionFactory` into the underlying `PushGateway` when a username is configured; otherwise the behavior is unchanged (no `Authorization` header is sent).
- `PrometheusPushGatewayReporterPlugin` reads the two new options and passes them to the reporter. A `basicAuthEnabled` flag is logged instead of the raw credentials, so passwords are never printed.

Tests
API and Format
Documentation
Add the config to the doc
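
The header behaviour this PR describes, as an added example that is not code from the PR or from Fluss: a loopback `HttpServer` stands in for a PushGateway behind Basic Auth, and the client builds the header with `java.util.Base64`. The class name, the `fluss`/`s3cret` credentials, the `/metrics/job/demo` path and the 202/401 status choice are assumptions made for the illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Added illustration (JDK only); class name, path and credentials are constructed. */
public class BasicAuthHeaderDemo {
    /** Builds "Basic " + base64(user ":" password) in UTF-8 with java.util.Base64. */
    static String basicAuthHeader(String user, String password) {
        if (user.indexOf(':') >= 0) {
            // RFC 7617: the receiver splits at the first colon, so a user-id cannot contain one.
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }
    /** Sends an empty POST, with the header when one is given, and returns the HTTP status. */
    static int push(String url, String authHeader) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("POST");
        if (authHeader != null) conn.setRequestProperty("Authorization", authHeader);
        conn.setDoOutput(true);
        conn.getOutputStream().close(); // zero-length body
        try { return conn.getResponseCode(); } finally { conn.disconnect(); }
    }

    public static void main(String[] args) throws Exception {
        String expected = basicAuthHeader("fluss", "s3cret"); // constructed credentials
        // Stand-in for a PushGateway behind Basic Auth, on an ephemeral loopback port.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/metrics", exchange -> {
            String got = exchange.getRequestHeaders().getFirst("Authorization");
            // Constant-time comparison of the received header against the expected one.
            boolean ok = got != null && MessageDigest.isEqual(
                    got.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
            exchange.sendResponseHeaders(ok ? 202 : 401, -1); // -1: no response body
            exchange.close();
        });
        server.start();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/metrics/job/demo";
        System.out.println("anonymous:      " + push(url, null));
        System.out.println("wrong password: " + push(url, basicAuthHeader("fluss", "nope")));
        System.out.println("configured:     " + push(url, expected));
        server.stop(0);
    }
}
```

The demo talks plain HTTP only because it never leaves loopback; the header is reversible Base64, so a real PushGateway endpoint should be reached over TLS.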