-
Notifications
You must be signed in to change notification settings - Fork 635
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Separation of MIB definitions and auth info #221
Comments
URL parameters are not considered secure in the Prometheus security model, so that is not an appropriate solution. What I'd suggest is putting placeholders in your generator.yml, and then getting your configuration management system to replace them in the snmy.yml. |
Sure, but I don't see how that applies here. I'm not proposing passing any secrets in the URL parameter; only a label such as "auth=London1" which references a named bundle of values in the auth config, that contains the actual auth config. It is true that if the snmp_exporter is visible to me, I can send a request for
and this will trigger an outbound SNMP query to my IP address containing the credentials which I can easily capture (apart from SNMPv3). But this is a security problem with snmp_exporter today, and what I propose makes no difference to this.
This doesn't conveniently address the case where I have two or more groups of devices which require the same MIBs, but different credentials. I would have to replicate the snmp.yml section N times, with N different sets of creds, and generate N different module names. If I have M modules and N sets of creds, I could pre-generate MxN modules with names like But I'd also like to get to the point where I could publish snmp.yml modules for different types of devices, and people could use them without having to modify them (specifically without having to turn them into templates which are expanded N times) |
Yes, that's how to do it.
That's something I encourage, though you're going to always need to customise it for auth. |
If the auth were separated out, customisation would no longer be required. I could just cat together some published files to make snmp.yml:
Define my auth setting(s):
And scrape:
|
This is not something we're likely to add. It's presumed you have a configuration management system to deal with this. |
Amenable to contrib, or not? |
No, this would complicate the configuration for simple uses cases and make configuration management more complicated for the typical user. Our configuration files are meant to be quite dumb. |
I'm on the fence about this. I know it's just an example, but if you have a location-dependent auth, it would be best to have a snmp_exporter dedicated in that location. SNMP is very chatty, and UDP. We see lots of problems trying to send SNMP packets cross-datacenter. But, I can see the appeal of separating the auth from the walk. The difficulty is we want "one" good way to do things. |
"One good way" makes sense! It does seem to me that "which MIBs to walk" and "which auth creds to use" are naturally orthogonal. One is the property of the device type, as built by the manufacturer, and is the same for all such devices; the other is a property of the actual device instance(s) you own, as per the way you have configured them. Also, "which MIBs to walk" is potentially composable:
Anyway, I'll just outline my specific use case, which is to build a front-end to Prometheus which acts as a simple but scalable Cacti/LibreNMS replacement. I would of course expect that adding a new type of device would require creating/installing new snmp.yml entries (and similarly new alerting rules etc). Adding a new instance of a device is something that would normally happen just via target scraping config, which in turn could be picked up from file_sd_config or consul_sd_config or whatever. Ideally this wouldn't need to touch snmp.yml or restart snmp_exporter. So when the user goes to the UI and says "add device x.x.x.x, poll it using module Foo and auth type Bar", the front-end just adds x.x.x.x to the snmp_Foo_Bar scrape job (or creates a new scrape job, if this is the first device like that) I do realise that I need to create the snmp_Foo_Bar scrape jobs (*), and I could therefore generate the Foo_Bar snmp modules at the same time. It involves injecting the creds into the right places in the yaml, concatenating the modules, restarting snmp_exporter etc. This is of course doable, although more tricky if snmp_exporter is remote. I just thought that the SOC was a good thing to do in any case. (*) because there are no per-target overrides of params in prometheus. Observation: the job name is part of the time series definition. So if you change the community string on a device, and move it from scrape job snmp_cisco_London1 to snmp_cisco_London2, then this will create new time series for all its metrics. It should be possible to force the job name to |
It's not in the default example, but you can override the params on a per-target basis with regexp matching in the |
Do you mean Google for "prometheus rewrite_configs" doesn't turn up anything, and the string Is it possible to change the label |
Here is another suggestion: what about being able to PUT or POST to I'd still need to expand/merge templates, but at least there would be an easy way to deploy them. Authorisation potentially an issue, but see #225. |
Not quite. Noone has requested it yet, but some devices let you select VLAN via the community strings.
Our one way of doing this is via a file. You can setup something yourself to permit this. |
Sorry, yes, I meant
|
The size of the configuration file is not important, it's autogenerated. I'm against making this more complicated, it's a matter for configuration management. |
As the configuration is autogenerated, I would not necessarily separate the authentication from the main configuration as it adds another file one would need to manage and generate. In my specific scenario, we don't have many different communities or authentication ways, as it is already walled of by ACLs. |
My thought was not an additional file, but a separate section in the same file. |
I prefer to avoid indirection like that, it makes the config harder to read and create for a human. Also most environments will not need it, as it'll be at most one set of auth per device type. |
If this is something you want you're free to build tooling on top of the snmp exporter/generator, but I intend to keep things simple in order to keep both typical use and development of such tooling easy. |
JFTR, this has been requested in the past. Now that generator will include a way to do multiple lookups soon(tm), I foresee that the use case of "can you send me your manual config as a paste" will fall off dramatically. |
It occurs to me that there is another approach: merging YAML references using the << merge key (spec). This is an optional part of YAML so I don't know if the go YAML parser supports it. It looks something like this:
Using Python's yaml parser I get:
Conveniently, the references point to the same underlying object, so the storage is shared.
|
Yes, you're right, yaml merging is a good option. I tested this with the |
@brian-brazil @SuperQ |
Currently a named "module" in
snmp.yml
defines the MIBs to walk / extraction of metrics, plus the authentication parameters to connect to a device.I would like to separate out the authentication parameters, so that I could scrape e.g. [^1]:
This means that if I have multiple instances of the same type of device but using different secrets, I don't need to duplicate the module definition. And conversely, if I'm using the same secret across multiple types of device, I don't need to modify every module definition just to insert the same secret.
One approach is to have a separate file auth.yml like this:
That has a number of benefits:
However, I am also amenable to snmp.yml having separate
modules
andauth
sections if that's preferred. I do note thatgenerator.yml
already has a top-levelmodules
section.[^1] I realise I still have to define a separate scrape job for all targets which share the same params. It would be nice to be able to override params on a per-target basis, but that's a separate issue.
[^2] And these can be published by anyone who wants to, à la Nagios Plugin Exchange
The text was updated successfully, but these errors were encountered: