Hi,

I've noticed that whilst the PrometheusReportingTask can be configured for 
client authentication, there is no means to authorise connections to the 
/metrics endpoint.  Given the /metrics endpoint can expose processor group and 
processor names, which could be sensitive in nature, should exposing endpoints 
like this also be authorised, for example by using the global access policies 
functionality?

This strikes me as being something that is maybe niche, but nevertheless 
without authorisation, could undermine the security aspects of NiFi by 
providing access to information to, say, an insider threat (valid client 
certificate, but not authorised).

Would be interested to know others' thoughts on this?

Michael
