Kumar Mallikarjuna created FLINK-38309:
------------------------------------------
Summary: Add Basic Authentication Support to OpenTelemetry HTTP
Metrics Reporter
Key: FLINK-38309
URL: https://issues.apache.org/jira/browse/FLINK-38309
Project: Flink
Issue Type: Improvement
Components: Runtime / Metrics
Reporter: Kumar Mallikarjuna
h3. Background
The {{OpenTelemetryMetricReporter}} supports both HTTP and gRPC. Many
production-grade OTLP receiver endpoints, such as those used in cloud
monitoring platforms such as Prometheus have secure ingestion endpoints. A
common requirement is for clients to authenticate using {*}HTTP Basic
Authentication{*}.
Currently, the reporter implementation does not provide a way to add custom
headers, which is necessary to send the {{Authorization}} header required for
Basic Auth. This limitation prevents users from integrating Flink with these
secured monitoring systems.
h3. Goal
This ticket proposes adding native support for Basic Authentication to the Otel
HTTP metrics reporter. This will enable users to securely export metrics to
protected OTLP/HTTP endpoints by simply providing a username and password in
the Flink configuration.
h3. Acceptance Criteria
* New configuration keys are introduced to the {{OpenTelemetryMetricReporter}}
for specifying a username and password. For example:
** {{metrics.reporter.otel.exporter.http.authentication.username}}
** {{metrics.reporter.otel.exporter.http.authentication.password}}
* When both a username and password are provided in the configuration, the
reporter *must* add an {{Authorization: Basic <base64-encoded-credentials>}}
header to every outgoing OTLP/HTTP request.
* If the username and password configurations are not set, the reporter *must
not* add an {{Authorization}} header.
* The official Flink documentation for Metric Reporters is updated to include
these new configuration options with a clear example.
* Unit tests are added to validate that the {{Authorization}} header is
correctly formatted and attached if and only if credentials are provided.
h3. Proposed Implementation
# Modify the {{OpenTelemetryMetricReporterFactory}} to read the new
configuration values for username and password.
# If the credentials are present, combine them in the format
{{username:password}} and apply Base64 encoding.
# Use the {{OtlpHttpMetricExporterBuilder.addHeader("Authorization", "Basic "
+ encodedString)}} method to configure the {{OtlpHttpMetricExporter}} instance.
# Ensure that this logic is only applied when the exporter is configured for
HTTP, not gRPC.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
