-
Notifications
You must be signed in to change notification settings - Fork 641
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow configuring SNMP version and credentials through parameters #762
Comments
I think we already have a proposal for splitting the auth and walk/metric mapping in the config. This would allow for less redundancy in the configuration. We do not want to support passing community/auth params directly via the URL as this is extremely insecure as Prometheus does not protect scrape URLs as secrets. |
Ah, I think you're referring to #619? |
Yes, that's the one. |
That looks to have stalled a bit from what I can gather. I can completely understand not wanting to expose the SNMPv3 credentials through a URL, but given the version isn't secret and the community string is essentially public, would a PR to add those in the mean time be acceptable? |
I disagree that "the community string is essentially public". Another reason why this approach is cited as an anti-pattern in other places is that if you control the content sent to targets via URL, not via config access, you can exploit remote vulnerabilities; made even worse by that fact that exporters are usually in privileged networks / allowlisted in ACLs/firewalls, etc. Access to said exporters is commonly allowed from less privileged networks. Would you be willing to work on a PR implementing #619 to pass auth & change auth that way? |
So looking at #619 I'm a bit fuzzy on what would the solution would end up looking like. The Google doc states the issue about auth being stored in If someone could spec out an example of what a "new style" configuration would look like and how we envision overriding auth for a module would work, I might get a better sense of we're building towards. |
I know we documented it somewhere, but I am unable to find it off-hand. Re-typing from memory: Old:
New, after the PR:
As you can see this poses an interesting problem as
|
That definitely helps, thanks! One thing I'm still wondering about, how do we make this reusable? Imagine a scenario where for whatever reason there's 2 sets of devices, both queryable using if_mib but one needs SNMPv1 and the other SNMPv2 (this happens to be my reality because some D-Link devices are terrible). Based on the new proposed format, though we can lift the |
You would use |
Right, yes. I have no idea why this didn't click for me earlier. This makes sense. I might take a stab at a PR for this. On the format, you mentioned initially still supporting the format where the modules were at the root, i.e not children of the |
We would make a new version that did not support the old style, only the new style. Users would be required to convert their configs. |
I am fine either way, requiring a change seems long term cleanest.
The generator would also need to support the new format.
Sent by mobile; please excuse my brevity.
…On Thu, Jun 2, 2022, 07:54 Ben Kochie ***@***.***> wrote:
We would make a new version that did not support the old style, only the
new style. Users would be required to convert their configs.
—
Reply to this email directly, view it on GitHub
<#762 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFYII4Y27MNGFD47OKEZPDVNBECRANCNFSM5XK54TIA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
We seem to have the same problem with That seems to leave us with the need for another top-level key. I can't really come up with a descriptive name beyond The final format would then be: auth:
foo: {}
parmeters:
foo: {}
modules:
if_mib: {} A combination of module, auth configuration and walk parameters can then be selected through URL args. |
I'm also wondering if we should stick |
Retries and timeout seem linked to the module, to me. Even if it's the same hardware, some with full tables and some with route reflector clients, this is arguably a different model from the point of view of the operator and thus Prometheus. |
I don't quite see how. From where I'm standing a module should define what to query, and potentially how to associate data with each other. Why would retries and timeouts be part of that? |
Thinking more about this, it feels like retry and timeout should be query parameters on the target, instead of a named parameter group. So you'd end up with: One of the main reasons the current format is frustrating and results in a lot of duplication is that it confounds the what to query and the how to query. Without cleanly splitting that up we'll continue to have tons of duplication in the |
Weird thought, but what if URLs or certain data could be pre-signed with encrypted credentials and the authentication data in them is also encrypted with those credentials? The authentication content sent to the targets could then not be modified or tampered with without access to some key that is there when the URL is generated. Admittedly, I haven't really thought out or fleshed out this idea but it's like pre-signed AWS API, S3, and so on URLs/requests in my head. |
how to add new module ? and how it is works? |
Having |
This makes retries, timeout and SNMP version configurable per job. It overrides the module's equivalent WalkParams if they're present as query attributes. Partially addresses: prometheus#762
Both |
We've now implemented splitting modules and auths in #859 |
With the current design, the SNMP version to use, the community string and auth credentials (for v3) are part of the module that the generator creates. If my understanding of how this works is correct, it implies that if you want to scrape 2 devices but they have a different SNMP community (or one that has been reconfigured away from the 'public' default), you end up needing to add a new module.
This results in a ton of duplication in
snmp.yml
, where the only difference is theversion
field or some keys of theauth
dictionary. For example a couple of my D-Link switches are perfectly happy to be queried usingif_mib
, but only support SNMPv1.This would add a bunch of parameters on
snmp_exporter/main.go
Lines 72 to 87 in 8678b60
version
,auth_community
etc. if there's a need to override the default for a target.I'm wondering if:
The text was updated successfully, but these errors were encountered: