The Prometheus emitter cannot currently bind to a specific host. This feature is crucial for environments where binding to all interfaces (default behaviour) is not desired or poses security concerns. This ticket aims to enhance the Prometheus emitter by introducing a configurable host binding option.
Details
Problem Statement:
Currently, the Prometheus emitter binds to all available network interfaces. This behaviour might not be ideal in certain deployment scenarios, especially in multi-homed environments or where strict network security policies are enforced.
Proposed Solution:
Implement a configuration option specifying a particular host/IP address to which the Prometheus emitter should bind. This option should be flexible enough to support different deployment needs (e.g., binding to localhost for local monitoring, binding to a specific interface in multi-homed setups).
Expected Outcome: Users can configure the Prometheus emitter to bind to a specific host/IP once implemented. This enhancement will provide better security and more control over network traffic management.
Use Cases:
Bind to localhost for scenarios where Prometheus metrics are only consumed locally.
Specify a particular network interface in environments with multiple network interfaces to control network exposure.
Implementation Notes:
A new configuration parameter (e.g., hostBindAddress) should be introduced.
The emitter's network binding logic should be updated to respect this new parameter. It should default to the current behaviour (binding to all interfaces) when not specified.
Security:
Reduced attack surface by preventing the Prometheus emitter from exposing metrics on all network interfaces.
Flexibility:
Users gain more control over their Prometheus emitter deployments, tailoring them to specific network requirements.
Reference: https://github.com/apache/druid/blob/master/extensions-contrib/prometheus-emitter/src/main/java/org/apache/druid/emitter/prometheus/PrometheusEmitter.java#L88
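The binding behaviour requested in this issue, sketched as an added example that is not Druid's code or a patch from the project: the JDK's built-in `com.sun.net.httpserver.HttpServer` stands in for the emitter's HTTP server, `hostBindAddress` is the parameter name suggested in the issue, and the class and method names are hypothetical.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.nio.charset.StandardCharsets;

public class BindAddressExample {

  /** A null or blank value keeps the current behaviour: the wildcard address (all interfaces). */
  static InetSocketAddress resolveBindAddress(String hostBindAddress, int port) throws IOException {
    if (hostBindAddress == null || hostBindAddress.trim().isEmpty()) {
      return new InetSocketAddress(port);
    }
    InetAddress addr = InetAddress.getByName(hostBindAddress.trim());
    // Fail at startup with a clear message if the address is not assigned to this machine.
    if (!addr.isAnyLocalAddress() && NetworkInterface.getByInetAddress(addr) == null) {
      throw new IllegalArgumentException(hostBindAddress + " is not assigned to a local interface");
    }
    return new InetSocketAddress(addr, port);
  }

  /** Starts a stand-in metrics endpoint on the resolved address only. */
  static HttpServer startMetricsServer(String hostBindAddress, int port) throws IOException {
    HttpServer server = HttpServer.create(resolveBindAddress(hostBindAddress, port), 0);
    server.createContext("/metrics", exchange -> {
      // Constructed sample metric in the Prometheus text exposition format.
      byte[] body = "# TYPE example_up gauge\nexample_up 1\n".getBytes(StandardCharsets.UTF_8);
      exchange.getResponseHeaders().add("Content-Type", "text/plain; version=0.0.4");
      exchange.sendResponseHeaders(200, body.length);
      exchange.getResponseBody().write(body);
      exchange.close();
    });
    server.start();
    return server;
  }

  public static void main(String[] args) throws IOException {
    // Port 0 asks the OS for a free port so the example runs on any machine.
    for (String configured : new String[] {null, "localhost", "127.0.0.1"}) {
      HttpServer server = startMetricsServer(configured, 0);
      InetSocketAddress bound = server.getAddress();
      System.out.printf("hostBindAddress=%s -> listening on %s (all interfaces: %b)%n",
          configured, bound, bound.getAddress().isAnyLocalAddress());
      server.stop(0);
    }
  }
}
```

With the parameter unset the listener reports the wildcard address, which is the exposure the issue describes; with `localhost` or `127.0.0.1` the socket is reachable only over loopback.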