Conversation

@njnu-seafish
Contributor

Purpose of the pull request

close #12563

Brief change log

Add authentication to the Prometheus endpoint and adapt it for Kubernetes (K8S) environments.

This pull request is already covered by existing tests, such as (please describe tests).

--api
curl -s 'http://127.0.0.1:12345/dolphinscheduler/actuator/prometheus' -H 'Authorization: Basic xxxxx'
--alert
curl -s 'http://127.0.0.1:50053/actuator/prometheus' -H 'Authorization: Basic xxxxx'
--master
curl -s 'http://127.0.0.1:5679/actuator/prometheus' -H 'Authorization: Basic xxxxx'
--worker
curl -s 'http://127.0.0.1:1235/actuator/prometheus' -H 'Authorization: Basic xxxxx'

Pull Request Notice

If your pull request contains incompatible change, you should also add it to docs/docs/en/guide/upgrade/incompatible.md

Member

@ruanwenjun ruanwenjun left a comment

Why not directly use the security feature provided by Spring Boot?

management:
  security:
    enabled: true

@njnu-seafish
Contributor Author

Why not directly use the security feature provided by Spring Boot?

management:
  security:
    enabled: true

First, it didn't take effect, possibly due to issues with my testing.
Secondly, using custom logic facilitates the unification of the four services and can also be adapted to service health checks in Kubernetes (K8S) environments.

@ruanwenjun
Member

ruanwenjun commented Oct 14, 2025

Why not directly use the security feature provided by Spring Boot?

management:
  security:
    enabled: true

First, it didn't take effect, possibly due to issues with my testing. Secondly, using custom logic facilitates the unification of the four services and can also be adapted to service health checks in Kubernetes (K8S) environments.

It didn't take effect, which might be because we need to add the Spring Security module, and we can filter the health endpoint in the security check.

@njnu-seafish
Contributor Author

Why not directly use the security feature provided by Spring Boot?

management:
  security:
    enabled: true

First, it didn't take effect, possibly due to issues with my testing. Secondly, using custom logic facilitates the unification of the four services and can also be adapted to service health checks in Kubernetes (K8S) environments.

It didn't take effect, which might be because we need to add the Spring Security module, and we can filter the health endpoint in the security check.

Alright, I will spend some time to test it.

@njnu-seafish
Contributor Author

@ruanwenjun @SbloodyS Could u plz help review when available? Thanks.

}

// Disable CSRF for actuator endpoints as they are typically accessed by scripts or monitoring tools
http.csrf().disable();

Check failure: Code scanning / CodeQL

Disabled Spring CSRF protection (High): CSRF vulnerability due to protection being disabled.
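One way to implement what ruanwenjun suggests (Spring Security with the health endpoint exempted) while avoiding the application-wide csrf().disable() that CodeQL flagged above, as an added example that is not the PR's or DolphinScheduler's code; note that management.security.enabled is a Spring Boot 1.x property that Spring Boot 2 and later ignore, which is consistent with it having no effect. It shows a Spring Boot 3 / Spring Security 6 filter chain scoped to the actuator endpoints, HTTP Basic on the Prometheus scrape endpoint, and /actuator/health left open for Kubernetes probes. The class name, the METRICS role and the metrics.basic.* property names are assumptions of this example.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.metrics.export.prometheus.PrometheusScrapeEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1) // evaluated before any other SecurityFilterChain the service defines
    SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http
            // This chain only handles actuator requests; the app's own chain is untouched.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Kubernetes liveness/readiness probes need no credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // The Prometheus scrape endpoint requires an authenticated METRICS role.
                .requestMatchers(EndpointRequest.to(PrometheusScrapeEndpoint.class)).hasRole("METRICS")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Scrapers send no browser session cookies, so CSRF is exempted for the
            // actuator paths only, not disabled for the whole application.
            .csrf(csrf -> csrf.ignoringRequestMatchers(EndpointRequest.toAnyEndpoint()));
        return http.build();
    }

    // Credentials come from external configuration (e.g. a Kubernetes Secret exposed as
    // environment variables); the property names are this example's assumption.
    @Bean
    UserDetailsService metricsUsers(
            @Value("${metrics.basic.username}") String username,
            @Value("${metrics.basic.password}") String password) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername(username).password(encoder.encode(password)).roles("METRICS").build());
    }
}
```

The curl checks in the PR description then succeed only with a valid Authorization: Basic header on the Prometheus path, while /actuator/health still answers unauthenticated probes. Basic credentials are only base64-encoded, so the scrape should go over TLS or stay on an in-cluster network.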
@sonarqubecloud

Quality Gate failed

Failed conditions: 0.0% Coverage on New Code (required ≥ 60%)

See analysis details on SonarQube Cloud

Successfully merging this pull request may close these issues.

[Improvement][Security] Enable authentication for metrics url