From 293bff0c72572edd9c8e642fa8784ae21b7fea3e Mon Sep 17 00:00:00 2001
From: YuviPanda
Date: Wed, 18 Nov 2020 13:31:54 +0530
Subject: [PATCH] Allow toggling auth for prometheus metrics

Equivalent to https://github.com/jupyterhub/jupyterhub/pull/2224.

Port of https://github.com/jupyter/notebook/pull/5870

Prometheus metrics can potentially leak information about the user, so they should be kept behind auth by default. However, for many JupyterHub deployments, they would need to be scraped by a centralized Prometheus instance that can not really authenticate separately to each user notebook without a lot of work. Admins can use this setting to allow unauthenticated access to the /metrics endpoint.
---
 jupyter_server/base/handlers.py | 6 ++++--
 jupyter_server/serverapp.py | 9 +++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/jupyter_server/base/handlers.py b/jupyter_server/base/handlers.py
index bad31513d7..363230b1de 100755
--- a/jupyter_server/base/handlers.py
+++ b/jupyter_server/base/handlers.py
@@ -842,10 +842,12 @@ def get(self):
 class PrometheusMetricsHandler(JupyterHandler):
 """
- Return prometheus metrics for this Jupyter server
+ Return prometheus metrics for this notebook server
 """
- @web.authenticated
 def get(self):
+ if self.settings['authenticate_prometheus'] and not self.logged_in:
+ raise web.HTTPError(403)
+
 self.set_header('Content-Type', prometheus_client.CONTENT_TYPE_LATEST)
 self.write(prometheus_client.generate_latest(prometheus_client.REGISTRY))
diff --git a/jupyter_server/serverapp.py b/jupyter_server/serverapp.py
index 13bc0940be..6e6b9aafab 100755
--- a/jupyter_server/serverapp.py
+++ b/jupyter_server/serverapp.py
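Review bot: In `PrometheusMetricsHandler.get` (jupyter_server/base/handlers.py) the new check indexes `self.settings['authenticate_prometheus']` directly, so an application whose settings dict was not built by `init_settings` raises `KeyError` and the request ends in a 500 instead of an auth decision. Reading the key fail-closed keeps the endpoint protected when it is absent: `if self.settings.get('authenticate_prometheus', True) and not self.logged_in:`. Separately, replacing `@web.authenticated` with a `logged_in` test may not be equivalent: `logged_in` is defined outside this hunk, and if it is false for the anonymous user of a server started without a token or password, `/metrics` would answer 403 there by default, and browser clients now receive a 403 rather than the login redirect. A one-line comment above the check explaining why the decorator was dropped would help the next reader.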
@@ -246,6 +246,7 @@ def init_settings(self, jupyter_app, kernel_manager, contents_manager,
 disable_check_xsrf=jupyter_app.disable_check_xsrf,
 allow_remote_access=jupyter_app.allow_remote_access,
 local_hostnames=jupyter_app.local_hostnames,
+ authenticate_prometheus=jupyter_app.authenticate_prometheus,
 # managers
 kernel_manager=kernel_manager,
@@ -1199,6 +1200,14 @@ def _update_server_extensions(self, change):
 is not available.
 """))
+ authenticate_prometheus = Bool(
+ True,
+ help=""""
+ Require authentication to access prometheus metrics.
+ """,
+ config=True
+ )
+
 def parse_command_line(self, argv=None):
 super(ServerApp, self).parse_command_line(argv)
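Review bot: The `authenticate_prometheus` trait added in jupyter_server/serverapp.py opens its help text with four quotes, `help=""""`, so the string begins with a literal `"` that will appear in `--help` output and generated config files; it should read `help="""`. Because setting this to False exposes `/metrics` without authentication, the help text is also the place to state the trade-off the commit message describes, for example `Require authentication to access prometheus metrics. Disable only when the endpoint is reachable solely by a trusted scraper; metrics may leak information about the user.` The default of `True` keeps the endpoint behind auth and looks right as written.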