feat(monitoring): add HTTP Basic auth for Prometheus scrape endpoint

Protect /actuator/prometheus on GMS, MAE, and MCE with optional HTTP Basic
auth. Auth is off by default and auto-enables with safe default credentials
when Micrometer Prometheus export is enabled.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: StanDmitrievAiven

docker/monitoring/prometheus.yaml

@@ -11,6 +11,9 @@ scrape_configs:
   - job_name: 'micrometer'
     scrape_interval: 10s
     metrics_path: /actuator/prometheus
+    basic_auth:
+      username: prometheus
+      password: datahub
     static_configs:
       - targets:
         - 'datahub-gms:4319'

docker/profiles/prometheus-scrape-auth.env.example

@@ -0,0 +1,7 @@
+# Example: enable Micrometer Prometheus export with HTTP Basic auth on GMS, MAE, and MCE.
+# Copy to prometheus-scrape-auth.env (gitignored) or pass via DATAHUB_LOCAL_COMMON_ENV.
+#
+# Auth is enabled automatically when export is enabled (defaults: prometheus / datahub).
+# Override credentials in production:
+MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED=true
+MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_PASSWORD=change-me

docs/advanced/monitoring.md

@@ -1112,6 +1112,37 @@ scrape job for port **4319**. Outside Docker, leave `MANAGEMENT_SERVER_PORT` uns
 application port; set it when you want a separate management listener (Spring maps the env var to
 `management.server.port`).
 
+#### Securing the Micrometer Prometheus endpoint
+
+By default, Micrometer Prometheus export is **disabled** (`MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED=false`).
+When you enable export on GMS, MAE consumer, or MCE consumer, HTTP Basic auth is **enabled automatically** on
+`/actuator/prometheus` with default credentials `prometheus` / `datahub`. Change the password in production.
+
+| Variable | Default | Description |
+| -------- | ------- | ----------- |
+| `MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED` | `false` | Expose `/actuator/prometheus` via Micrometer |
+| `MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_ENABLED` | _(auto)_ | When unset, follows export enabled. Set `false` to expose metrics without auth |
+| `MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_USERNAME` | `prometheus` | Scrape username |
+| `MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_PASSWORD` | `datahub` | Scrape password (startup warns if default is used) |
+
+Example Prometheus scrape config:
+
+```yaml
+scrape_configs:
+  - job_name: datahub-micrometer
+    metrics_path: /actuator/prometheus
+    basic_auth:
+      username: prometheus
+      password: datahub
+    static_configs:
+      - targets:
+          - datahub-gms:4319
+          - datahub-mae-consumer:4319
+          - datahub-mce-consumer:4319
+```
+
+For local Docker development, see [prometheus-scrape-auth.env.example](../../docker/profiles/prometheus-scrape-auth.env.example).
+
 In the JVM dashboard, you can find detailed charts based on JVM metrics like CPU/memory/disk usage. In the DataHub
 dashboard, you can find charts to monitor each endpoint and the kafka topics. Using the example implementation, go
 to http://localhost:3001 to find the grafana dashboards! (Username: admin, PW: admin)

docs/how/updating-datahub.md

@@ -156,6 +156,7 @@ Requirements:
 - **(Ingestion / Sigma — Action required) Null `DatasetUpstream.name` now tolerated.** Previously raised a Pydantic `ValidationError` warning; now counted under `chart_dataset_upstream_name_missing` with a `SourceReport.warning` titled `Sigma workbook dataset upstream dropped (name missing)`. Lineage semantics unchanged. **Action:** migrate any alert keyed on the old Pydantic warning text to the new counter or warning title.
 - **(Actions / Kafka)** The default Kafka offset commit strategy for Actions has changed from **synchronous** (`async_commit_enabled: false`) to **asynchronous** (`async_commit_enabled: true`). With asynchronous commits, offsets are stored locally after each event and committed periodically by a background thread (default interval: 10 seconds via `async_commit_interval`). This provides up to **25x throughput improvement** for high-volume action pipelines. The tradeoff: on consumer crash, up to `async_commit_interval` milliseconds of events may be redelivered. All built-in actions are idempotent or tolerate redelivery, so no behavior change is expected for standard deployments. To restore the previous synchronous default for any action, add `async_commit_enabled: false` to the `source.config` section of your action YAML.
 - **Docker / Prometheus (Micrometer):** When using the stock DataHub Docker `start.sh` entrypoints, GMS, MAE consumer, MCE consumer, and the frontend expose Micrometer Actuator (including `GET /actuator/prometheus` and `/actuator/health`) on container port **4319** by default (`MANAGEMENT_SERVER_PORT`), separate from the main API/UI port. Profile compose ([docker/profiles/docker-compose.gms.yml](../../docker/profiles/docker-compose.gms.yml)) **`expose`s 4319** for on-network scraping and maps **`${DATAHUB_MAPPED_GMS_MANAGEMENT_PORT:-4319}:4319`** on the host for GMS (same pattern as **`${DATAHUB_MAPPED_GMS_PORT:-8080}:8080`** for HTTP). Override `DATAHUB_GMS_MANAGEMENT_URL` in smoke tests if needed, or change the host port via `DATAHUB_MAPPED_GMS_MANAGEMENT_PORT`. Scrape from another container on the same compose network (e.g. `http://datahub-gms:4319/actuator/prometheus` as in [docker/monitoring/prometheus.yaml](../../docker/monitoring/prometheus.yaml)). MAE and MCE image **HEALTHCHECK** probes the management port first, then falls back to the main consumer port for older layouts. The JMX Prometheus Java agent remains on **4318**. If you previously scraped Micrometer from the GMS HTTP port (e.g. `8080`), update scrapes to the management listener. To keep Actuator on the main port, unset `MANAGEMENT_SERVER_PORT` in the container or set it equal to the main server port.
+- **(Operations / monitoring) Micrometer Prometheus export and scrape auth:** Micrometer Prometheus export now defaults to **off** (`MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED=false`) on GMS, MAE consumer, and MCE consumer. When you enable export, HTTP Basic auth is **automatically required** on `/actuator/prometheus` unless you set `MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_ENABLED=false`. Default scrape credentials are `prometheus` / `datahub`; set `MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_PASSWORD` before enabling export in production. Update Prometheus, Grafana Agent, or managed scrape configs to use `basic_auth` when upgrading. See [monitoring.md](../advanced/monitoring.md#securing-the-micrometer-prometheus-endpoint).
 - (Operations / monitoring) Docker images that bundle the **JMX Prometheus Java agent** (`datahub-gms`, `datahub-frontend-react`, `datahub-mae-consumer`, `datahub-mce-consumer`, `datahub-upgrade`) now ship **`jmx_prometheus_javaagent` 1.0.1** (previously 0.20.0). The agent uses **Prometheus client_java 1.x**; upgrade scrapers and dashboards accordingly.
   - **HTTP scrape path:** Metrics are exposed at **`/metrics`**, not at **`/`**. If you scrape the JMX port directly (often **4318** when Prometheus export is enabled), set your Prometheus `metrics_path` (or Kubernetes `ServiceMonitor` / `PodMonitor` `path`) to **`/metrics`**. Anything still requesting **`/`** will receive the default HTML page, not the metrics exposition.
   - **JVM metrics:** Some built-in JVM metric **names** changed to align with OpenMetrics (for example, memory-related series). Update Grafana panels, recording rules, and alerts that referenced the old names. See the [client_java JVM migration notes](https://prometheus.github.io/client_java/migration/simpleclient/#jvm-metrics).

metadata-jobs/mae-consumer-job/src/main/resources/application.properties

@@ -1,5 +1,5 @@
 server.port=9091
-management.endpoints.web.exposure.include=metrics, health, info
+management.endpoints.web.exposure.include=metrics, health, info, prometheus
 spring.mvc.servlet.path=/
 management.health.elasticsearch.enabled=false
 management.health.neo4j.enabled=false

metadata-jobs/mce-consumer-job/src/main/resources/application.properties

@@ -1,6 +1,6 @@
 server.port=9090
 datahub.gms.uri=http://localhost:9090${DATAHUB_GMS_BASE_PATH}/gms
-management.endpoints.web.exposure.include=metrics, health, info
+management.endpoints.web.exposure.include=metrics, health, info, prometheus
 spring.mvc.servlet.path=/
 management.health.elasticsearch.enabled=false
 management.health.neo4j.enabled=false

metadata-service/configuration/src/main/resources/application.yaml

@@ -1009,7 +1009,12 @@ management:
       jmx:
         enabled: ${MANAGEMENT_METRICS_EXPORT_JMX_ENABLED:true} # Enable jmx metrics export
       prometheus:
-        enabled: ${MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED:true} # Enable prometheus metrics export
+        enabled: ${MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED:false} # Enable prometheus metrics export
+        auth:
+          # When unset, auth is enabled automatically if prometheus export is enabled above.
+          # Set MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_ENABLED=false to expose metrics without auth.
+          username: ${MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_USERNAME:}
+          password: ${MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_PASSWORD:}
     tags:
       application: ${spring.application.name}
 

metadata-service/factories/src/main/java/com/linkedin/gms/factory/system_telemetry/PrometheusScrapeAuthFilter.java

@@ -0,0 +1,101 @@
+package com.linkedin.gms.factory.system_telemetry;
+
+import jakarta.annotation.PostConstruct;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.Base64;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * Optional HTTP Basic authentication for {@code /actuator/prometheus}.
+ *
+ * <p>Independent of DataHub token auth. When disabled, requests pass through unchanged.
+ */
+@Slf4j
+public class PrometheusScrapeAuthFilter extends OncePerRequestFilter {
+
+  public static final String PROMETHEUS_ACTUATOR_PATH = "/actuator/prometheus";
+  private static final String BASIC_PREFIX = "Basic ";
+
+  private final PrometheusScrapeAuthSettings settings;
+
+  public PrometheusScrapeAuthFilter(PrometheusScrapeAuthSettings settings) {
+    this.settings = settings;
+  }
+
+  @PostConstruct
+  public void validateConfiguration() {
+    if (!settings.isEnabled()) {
+      return;
+    }
+    log.info("Prometheus scrape HTTP Basic auth enabled for {}", PROMETHEUS_ACTUATOR_PATH);
+    if (settings.isUsingDefaultPassword()) {
+      log.warn(
+          "Prometheus scrape auth is using the default password ({}). Set "
+              + "MANAGEMENT_METRICS_EXPORT_PROMETHEUS_AUTH_PASSWORD to a strong secret.",
+          PrometheusScrapeAuthSettings.DEFAULT_PASSWORD);
+    }
+  }
+
+  @Override
+  protected boolean shouldNotFilter(HttpServletRequest request) {
+    if (!settings.isEnabled()) {
+      return true;
+    }
+    String path = request.getServletPath();
+    return path == null || !PROMETHEUS_ACTUATOR_PATH.equals(path);
+  }
+
+  @Override
+  protected void doFilterInternal(
+      HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+      throws ServletException, IOException {
+
+    if (isAuthorized(request)) {
+      filterChain.doFilter(request, response);
+      return;
+    }
+
+    response.setHeader("WWW-Authenticate", "Basic realm=\"Prometheus\"");
+    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
+  }
+
+  private boolean isAuthorized(HttpServletRequest request) {
+    String authorization = request.getHeader("Authorization");
+    if (!StringUtils.hasText(authorization) || !authorization.startsWith(BASIC_PREFIX)) {
+      return false;
+    }
+
+    try {
+      byte[] decoded =
+          Base64.getDecoder().decode(authorization.substring(BASIC_PREFIX.length()).trim());
+      String credentials = new String(decoded, StandardCharsets.UTF_8);
+      int separator = credentials.indexOf(':');
+      if (separator < 0) {
+        return false;
+      }
+      String username = credentials.substring(0, separator);
+      String password = credentials.substring(separator + 1);
+      return constantTimeEquals(username, settings.getUsername())
+          && constantTimeEquals(password, settings.getPassword());
+    } catch (IllegalArgumentException e) {
+      log.debug("Invalid Basic authorization header on {}", PROMETHEUS_ACTUATOR_PATH);
+      return false;
+    }
+  }
+
+  private static boolean constantTimeEquals(String actual, String expected) {
+    if (actual == null || expected == null) {
+      return false;
+    }
+    return MessageDigest.isEqual(
+        actual.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
+  }
+}

metadata-service/factories/src/main/java/com/linkedin/gms/factory/system_telemetry/PrometheusScrapeAuthFilterConfigurationSupport.java

@@ -0,0 +1,39 @@
+package com.linkedin.gms.factory.system_telemetry;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.core.Ordered;
+
+/** Shared filter beans for Prometheus scrape auth. */
+@EnableConfigurationProperties(PrometheusScrapeAuthProperties.class)
+class PrometheusScrapeAuthFilterConfigurationSupport {
+
+  @Bean
+  PrometheusScrapeAuthFilter prometheusScrapeAuthFilter(
+      PrometheusScrapeAuthProperties authProperties,
+      @Value("${management.metrics.export.prometheus.enabled:false}")
+          boolean prometheusExportEnabled) {
+    PrometheusScrapeAuthSettings settings =
+        PrometheusScrapeAuthSettings.resolve(
+            prometheusExportEnabled,
+            authProperties.getEnabled(),
+            authProperties.getUsername(),
+            authProperties.getPassword());
+    return new PrometheusScrapeAuthFilter(settings);
+  }
+
+  @Bean
+  FilterRegistrationBean<PrometheusScrapeAuthFilter> prometheusScrapeAuthFilterRegistration(
+      PrometheusScrapeAuthFilter filter) {
+    FilterRegistrationBean<PrometheusScrapeAuthFilter> registration = new FilterRegistrationBean<>();
+    registration.setFilter(filter);
+    registration.addUrlPatterns(PrometheusScrapeAuthFilter.PROMETHEUS_ACTUATOR_PATH);
+    registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
+    registration.setAsyncSupported(true);
+    return registration;
+  }
+
+  private PrometheusScrapeAuthFilterConfigurationSupport() {}
+}

metadata-service/factories/src/main/java/com/linkedin/gms/factory/system_telemetry/PrometheusScrapeAuthFilterFactory.java

@@ -0,0 +1,15 @@
+package com.linkedin.gms.factory.system_telemetry;
+
+import org.springframework.boot.actuate.autoconfigure.web.server.ConditionalOnManagementPort;
+import org.springframework.boot.actuate.autoconfigure.web.server.ManagementPortType;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+
+/**
+ * Registers scrape auth on the main web server when management shares the application port
+ * (e.g. Aiven {@code MANAGEMENT_SERVER_PORT=8080}).
+ */
+@Configuration
+@ConditionalOnManagementPort(ManagementPortType.SAME)
+@Import(PrometheusScrapeAuthFilterConfigurationSupport.class)
+public class PrometheusScrapeAuthFilterFactory {}