[
https://issues.apache.org/jira/browse/FLINK-38309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18018318#comment-18018318
]
Kumar Mallikarjuna commented on FLINK-38309:
--------------------------------------------
Hi [~doguscan] ,
I agree, authentication and encryption are both essential. Lucky for us
OpenTelemetry SDK, which we're using internally, already handles TLS. The
opentelemetry exporter uses okttp, which supports using the host platform’s
certificate. When users specify an HTTPS endpoint, for example
{{{}events.reporter.otel.exporter.endpoint:
[https://127.0.0.1:1337|https://127.0.0.1:1337/]{}}}, okhttp would default to
the JVM’s certificates.
Hi [~gaborgsomogyi] ,
By "secured monitoring systems," I'm referring to any OTLP/HTTP receiver
endpoint that requires credentials for data ingestion. For example a Prometheus
can be configured to only accept metrics from authenticated clients (see
https://prometheus.io/docs/guides/basic-auth/).
> Add Basic Authentication Support to OpenTelemetry HTTP Metrics Reporter
> -----------------------------------------------------------------------
>
> Key: FLINK-38309
> URL: https://issues.apache.org/jira/browse/FLINK-38309
> Project: Flink
> Issue Type: Improvement
> Components: Runtime / Metrics
> Reporter: Kumar Mallikarjuna
> Priority: Major
>
> h3. Background
> The {{OpenTelemetryMetricReporter}} supports both HTTP and gRPC. Many
> production-grade OTLP receiver endpoints, such as those used in cloud
> monitoring platforms such as Prometheus have secure ingestion endpoints. A
> common requirement is for clients to authenticate using {*}HTTP Basic
> Authentication{*}.
> Currently, the reporter implementation does not provide a way to add custom
> headers, which is necessary to send the {{Authorization}} header required for
> Basic Auth. This limitation prevents users from integrating Flink with these
> secured monitoring systems.
> h3. Goal
> This ticket proposes adding native support for Basic Authentication to the
> Otel HTTP metrics reporter. This will enable users to securely export metrics
> to protected OTLP/HTTP endpoints by simply providing a username and password
> in the Flink configuration.
> h3. Acceptance Criteria
> * New configuration keys are introduced to the
> {{OpenTelemetryMetricReporter}} for specifying a username and password
> {code:java}
> metrics.reporter.otel.exporter.http.authentication.username
> metrics.reporter.otel.exporter.http.authentication.password {code}
> * When both a username and password are provided in the configuration, the
> reporter *must* add an {{Authorization: Basic <base64-encoded-credentials>}}
> header to every outgoing OTLP/HTTP request.
> * If the username and password configurations are not set, the reporter
> *must not* add an {{Authorization}} header.
> * The official Flink documentation for Metric Reporters is updated to
> include these new configuration options with a clear example.
> * Unit tests are added to validate that the {{Authorization}} header is
> correctly formatted and attached if and only if credentials are provided.
> h3. Proposed Implementation
> # Modify the {{OpenTelemetryMetricReporterFactory}} to read the new
> configuration values for username and password.
> # If the credentials are present, combine them in the format
> {{username:password}} and apply Base64 encoding.
> # Use the {{OtlpHttpMetricExporterBuilder.addHeader("Authorization", "Basic
> " + encodedString)}} method to configure the {{OtlpHttpMetricExporter}}
> instance.
> # Ensure that this logic is only applied when the exporter is configured for
> HTTP, not gRPC.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
