add metrics_authentication decorator to /metrics API

2025-10-08 02:24:08 +00:00 · 2018-10-07 13:38:32 +05:30
parent cff066a7be
commit b0b7e8d25d
4 changed files with 18 additions and 0 deletions
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -618,6 +618,9 @@ class JupyterHub(Application):
        """
    ).tag(config=True)

+    authenticate_prometheus = Bool(True,
+        help="Authentication for prometheus metrics").tag(config=True)
+
    @observe('api_tokens')
    def _deprecate_api_tokens(self, change):
        self.log.warning("JupyterHub.api_tokens is pending deprecation"
@@ -1621,6 +1624,7 @@ class JupyterHub(Application):
            concurrent_spawn_limit=self.concurrent_spawn_limit,
            spawn_throttle_retry_range=self.spawn_throttle_retry_range,
            active_server_limit=self.active_server_limit,
+            authenticate_prometheus=self.authenticate_prometheus
        )
        # allow configured settings to have priority
        settings.update(self.tornado_settings)
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -206,6 +206,10 @@ class BaseHandler(RequestHandler):
    def redirect_to_server(self):
        return self.settings.get('redirect_to_server', True)

+    @property
+    def authenticate_prometheus(self):
+        return self.settings.get('authenticate_prometheus', True)
+
    def get_auth_token(self):
        """Get the authorization token from Authorization header"""
        auth_header = self.request.headers.get('Authorization', '')
--- a/jupyterhub/handlers/metrics.py
+++ b/jupyterhub/handlers/metrics.py
@@ -2,11 +2,13 @@ from prometheus_client import REGISTRY, CONTENT_TYPE_LATEST, generate_latest
 from tornado import gen

 from .base import BaseHandler
+from ..utils import metrics_authentication

 class MetricsHandler(BaseHandler):
    """
    Handler to serve Prometheus metrics
    """
+    @metrics_authentication
    async def get(self):
        self.set_header('Content-Type', CONTENT_TYPE_LATEST)
        self.write(generate_latest(REGISTRY))
--- a/jupyterhub/utils.py
+++ b/jupyterhub/utils.py
@@ -247,6 +247,14 @@ def admin_only(self):
    if user is None or not user.admin:
        raise web.HTTPError(403)

+@auth_decorator
+def metrics_authentication(self):
+    """Decorator for restricting access to metrics"""
+    user = self.get_current_user()
+    authenticate_prometheus = self.authenticate_prometheus()
+    if user is None and not user.authenticate_prometheus:
+        raise web.HTTPError(403)
+

 # Token utilities