Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dbp 1037 setup privacyidea monitring #140

Open
wants to merge 39 commits into
base: master
Choose a base branch
from
Open

Dbp 1037 setup privacyidea monitring #140

wants to merge 39 commits into from

Conversation

sahassou
Copy link
Contributor

Description

This PR focuses on creating a robust monitoring setup for PrivacyIDEA by developing a custom exporter that collects vital statistics from PrivacyIDEA's database and exposes them in a format that Prometheus can scrape.
Custom Exporter Configuration
The custom exporter will follow this chain of communication:

  1. Prometheus sends requests for metrics.
  2. Nginx forwards Prometheus requests to uWSGI using a socket.
  3. uWSGI routes these requests to a Flask application.
  4. Flask fetches the metrics from PrivacyIDEA’s database and sends the response back through the chain to Prometheus.

mcpovel and others added 30 commits October 11, 2024 12:00
@mcpovel
Make database host variable
85fd1d4
@mcpovel
PrivacyIDEA-HA
21af7db
@mcpovel
New location and initialy working
afb1e17
@mcpovel
First working role
953d135
@mcpovel
First version with certificate and HA address
2a8ba9d
@mcpovel
Further HA enabling stuff
09fe215
@mcpovel
Enabled exporter reload
18b5bb2
@mcpovel
First redundant system
0ff73d7
@mcpovel
Running OK wirth failover
68655a0
@mcpovel
Working OK, started cleanup
a623fa5
@mcpovel
Chnage file permission
c441059
@mcpovel
Fixed user also in single node mode
2c1e069
@mcpovel
Added missing public key
bd99724
@mcpovel
Improved and centralized FW rules
e2ac55c
@mcpovel
Corrected FW settings for HA
59e53fa
@mcpovel
Corrected order to get certificates and cluster up
fcbbb7c
@mcpovel
Changed handlerd for resources to use pcs not systemctl
31b77ee
@mcpovel
Change formating
beb8db7
@mcpovel
Another format issue
403203d
@mcpovel
Removed empty default passwords
d668655
@mcpovel
Using block and local delete
fc35b9f
@mcpovel
Only allow single certificate for remote access of certificate_sync_user
3982935
@mcpovel
Correted path
2401551
@mcpovel
Remove wrong copied file
df97303
@mcpovel
Corrected options order
4860c27
@sahassou
Create periodic tasks for various counting operations and Create even…
b0246c0 
…t handlers for various events
@sahassou
PrivacyIDEA cron job is set up
4cd29ef
@sahassou
import_tasks: cron_tasks.yml
27482a7
@sahassou
Execute the privacyidea_data_import_and_cleanup.sh script
991433c
@sahassou
add cronjob to pacemakerresource configuration
36e5671
@sahassou sahassou self-assigned this Nov 22, 2024
YannickEvers
YannickEvers reviewed Nov 22, 2024
View reviewed changes
roles/privacyidea_ha/tasks/generate_keys.yml
@@ -63,3 +63,4 @@
path: "/tmp/certificate_sync_key_*"
state: absent
delegate_to: localhost
ignore_errors: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason for ignoring errors here?

roles/privacyidea_ha/tasks/import_data.yml
# args:
# executable: /bin/bash
# notify: restart uwsgi

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason for commenting this out? There is a when condition in the main.yml so it would only be executed if privacyidea_execute_data_import is true.

roles/privacyidea_ha/tasks/install_packages.yml
- name: Install prometheus_client in PrivacyIDEA
ansible.builtin.command:
cmd: sudo -H /opt/privacyidea/virtualenv/bin/pip install prometheus_client
become: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May be the ansible pip module could be more elegant here? I think it supports virtualenvs.

roles/privacyidea_ha/templates/custom_exporter.py.j2

def check_auth(username, password):
"""Check if a username/password combination is valid."""
return username == EXPORTER_USERNAME and password == EXPORTER_PASSWORD
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this could potentially be vulnerable for timing attacks.
Maybe we could use a hash and standard method from bcrypt instead?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YannickEvers YannickEvers YannickEvers left review comments

@simoncolincap simoncolincap Awaiting requested review from simoncolincap

@aimee-889 aimee-889 Awaiting requested review from aimee-889

@mcpovel mcpovel Awaiting requested review from mcpovel

At least 1 approving review is required to merge this pull request.

Assignees

@sahassou sahassou

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sahassou @YannickEvers @mcpovel