A reverse proxy for prometheus that provides label based acls via oidc.
Via environment you can configure all settings.
LISTEN: IP and port to to listen on (default :8080)URL: URL for prometheus-acls, used to generate redirects, login and callback routes (e.g. https://promacl.example.com)COOKIE_SECRET: Cookie Secret (should be 32 or 64 chars), autogenerated if emptyPROMETHEUS_URL: URL to the upstream Prometheus (default http://localhost:9090)OIDC_ISSUER: URL to the OpenID Connect Sever (e.g. https://auth.example.com/auth/realms/users)OIDC_CLIENT_ID: Oauth Client ID (e.g. grafana)OIDC_CLIENT_SECRET: Oauth Client Secret (e.g. 12345678-1234-1234-1234-123456789abc)OIDC_ROLES_CLAIM: Field in Acces Token to load the users role (default roles)ACL_FILE: Full or relative path to acl configuration file (default prometheus-acls.yml)prometheus-acls.yml:The prometheus-acls.yml file is used to map roles to access rights.
# syntax:
#
# <rolename>:
# <metricname>: <prometheus label matches>
# # or
# re!<regex>: <prometheus label matches>
developer: # The keys match the OIDC_ROLES_CLAIM field of the access token.
re!^awesome_app_: # regex match for all metrics that stat with awesome_app_
env=dev # prometheus label match for dev env
re!^node_: # regex match for node exporter
instance=~'.*\.lan$' # prometheus label match for instances that end with .lan
up: env!=dev,app=hal # prometheus labels are handled by prometheus, so their complete
# syntax is supported
admin: # The keys match the OIDC_ROLES_CLAIM field of the access token.
secret_app_: # exact metric name
~ # yaml null value will bock access to a metric
'*': # wildchard match for all metrics
'' # emty prometheus label match for NO RESTRICTIONS
Order of metric name matching:
Best Practices:
^Example for keycloak:
confidentialUser Client RoleToken Claim Name to roles (if you change this you also need to supply $OIDC_ROLES_CLAIM to prometheus-acls)Claim JSON Type is StringAdd to access token must be onNote: When you have multiple roles, the first one that is mentioned in prometheus-acls will be used.
We currently use per client roles to avoid any conflics.
$ claude mcp add prometheus-acls \
-- python -m otcore.mcp_server <graph>