[
https://issues.apache.org/jira/browse/FLINK-38309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18017636#comment-18017636
]
Doguscan Namal commented on FLINK-38309:
----------------------------------------
Hi Kumar, thanks for opening this issue. I believe this is an important
addition to Flink ecosystem.
I would like to understand the real pain point on your side though. If our goal
is to "enable users to securely export metrics to protected OTLP/HTTP
endpoints", authentication may not be the only thing we are looking for. We
must also ensure "Encryption on transit" which is as important since the metric
data could contain Personally Identifiable Information.
If we do not have the encryption first, even if you authenticate the principal
your data will be open for threads on the transportation layer. I believe, we
should address that concern first by supporting TLS on metric exportation, i.e.
HTTPS.
However, if your goal is to only integrate with a specific monitoring system
and if it requires a basic authentication and the TLS is not your concern, then
of course we could just go ahead and implement the provided solution.
> Add Basic Authentication Support to OpenTelemetry HTTP Metrics Reporter
> -----------------------------------------------------------------------
>
> Key: FLINK-38309
> URL: https://issues.apache.org/jira/browse/FLINK-38309
> Project: Flink
> Issue Type: Improvement
> Components: Runtime / Metrics
> Reporter: Kumar Mallikarjuna
> Priority: Major
>
> h3. Background
> The {{OpenTelemetryMetricReporter}} supports both HTTP and gRPC. Many
> production-grade OTLP receiver endpoints, such as those used in cloud
> monitoring platforms such as Prometheus have secure ingestion endpoints. A
> common requirement is for clients to authenticate using {*}HTTP Basic
> Authentication{*}.
> Currently, the reporter implementation does not provide a way to add custom
> headers, which is necessary to send the {{Authorization}} header required for
> Basic Auth. This limitation prevents users from integrating Flink with these
> secured monitoring systems.
> h3. Goal
> This ticket proposes adding native support for Basic Authentication to the
> Otel HTTP metrics reporter. This will enable users to securely export metrics
> to protected OTLP/HTTP endpoints by simply providing a username and password
> in the Flink configuration.
> h3. Acceptance Criteria
> * New configuration keys are introduced to the
> {{OpenTelemetryMetricReporter}} for specifying a username and password
> {code:java}
> metrics.reporter.otel.exporter.http.authentication.username
> metrics.reporter.otel.exporter.http.authentication.password {code}
> * When both a username and password are provided in the configuration, the
> reporter *must* add an {{Authorization: Basic <base64-encoded-credentials>}}
> header to every outgoing OTLP/HTTP request.
> * If the username and password configurations are not set, the reporter
> *must not* add an {{Authorization}} header.
> * The official Flink documentation for Metric Reporters is updated to
> include these new configuration options with a clear example.
> * Unit tests are added to validate that the {{Authorization}} header is
> correctly formatted and attached if and only if credentials are provided.
> h3. Proposed Implementation
> # Modify the {{OpenTelemetryMetricReporterFactory}} to read the new
> configuration values for username and password.
> # If the credentials are present, combine them in the format
> {{username:password}} and apply Base64 encoding.
> # Use the {{OtlpHttpMetricExporterBuilder.addHeader("Authorization", "Basic
> " + encodedString)}} method to configure the {{OtlpHttpMetricExporter}}
> instance.
> # Ensure that this logic is only applied when the exporter is configured for
> HTTP, not gRPC.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
