
Authentication

Summary of how authentication works in OpenTelemetry Collector using server- and client-side authenticators.

Modes

  • Server side: the collector intercepts each inbound HTTP or gRPC request, extracts the relevant headers or query parameters, calls the configured server authenticator, answers HTTP 401 (gRPC Unauthenticated) on failure, and on success forwards the request with the context the authenticator enriched.
  • Client side: the collector wraps outbound HTTP or gRPC calls with credentials supplied by the client authenticator, so every request carries the required headers, tokens, or request signature.

Authenticator types

  • Server (receivers): basicauthextension, bearertokenauthextension, oidcauthextension
  • Client (exporters): asapauthextension, basicauthextension, bearertokenauthextension, oauth2clientauthextension, sigv4authextension

Notes

Client-side OAuth2, for example, requires an OAuth2 authorization server that exposes a token endpoint. The oauth2client extension is configured with that server's token_url, your client_id and client_secret, and optionally scopes, audience and TLS settings. It calls the token endpoint to obtain and refresh access tokens and injects Authorization: Bearer <token> into each exporter request. Without a reachable OAuth2 server the extension cannot obtain tokens.

Server-side example (basic auth)

```yaml
extensions:
  basicauth/server:
    htpasswd: ./htpasswd # file with user:hashed-password entries

receivers:
  otlp:
    protocols:
      http:
        auth:
          authenticator: basicauth/server
      grpc:
        auth:
          authenticator: basicauth/server

exporters:
  debug: {}

service:
  extensions: [basicauth/server]
  pipelines:
    traces:
      receivers: [otlp]
      processors: []
      exporters: [debug]
    metrics:
      receivers: [otlp]
      processors: []
      exporters: [debug]
```
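The server-side flow from the Modes section (intercept the inbound request, extract the header, call the authenticator, answer 401 on failure, forward an enriched context on success) as an added Go example. It is not the collector's or the basicauthextension's code: the user table is constructed in memory with SHA-256 password digests in place of the htpasswd file, `receiver` stands in for the OTLP HTTP receiver, and `withServerAuth`, `basicHeader` and `tryExport` are names this example introduces. The credential check is constant-time and every failure returns the same 401, so the response does not reveal whether the user name or the password was wrong.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type contextKey string

const subjectKey contextKey = "auth.subject" // authenticated user name, for downstream handlers

var errUnauthorized = errors.New("invalid or missing credentials")

// basicAuthenticator keeps a constructed user table with SHA-256 password digests so the example
// has no dependencies; the real extension reads an htpasswd file written by the htpasswd tool.
type basicAuthenticator struct {
	users map[string][32]byte
}

func newBasicAuthenticator(creds map[string]string) *basicAuthenticator {
	a := &basicAuthenticator{users: map[string][32]byte{}}
	for user, pass := range creds {
		a.users[user] = sha256.Sum256([]byte(pass))
	}
	return a
}

// Authenticate is the server-authenticator step: parse "Authorization: Basic base64(user:pass)",
// verify it in constant time, and return a context enriched with the subject.
func (a *basicAuthenticator) Authenticate(ctx context.Context, headers map[string][]string) (context.Context, error) {
	vals := headers["Authorization"]
	if len(vals) == 0 || !strings.HasPrefix(vals[0], "Basic ") {
		return ctx, errUnauthorized
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(vals[0], "Basic "))
	user, pass, ok := strings.Cut(string(raw), ":")
	if err != nil || !ok {
		return ctx, errUnauthorized
	}
	want, known := a.users[user]
	got := sha256.Sum256([]byte(pass))
	// Compare even for unknown users so response timing does not reveal valid names.
	if subtle.ConstantTimeCompare(want[:], got[:]) != 1 || !known {
		return ctx, errUnauthorized
	}
	return context.WithValue(ctx, subjectKey, user), nil
}

// withServerAuth is the interception step from the page: run the authenticator on every
// inbound request, answer 401 on failure, forward the enriched context on success.
func withServerAuth(auth *basicAuthenticator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, err := auth.Authenticate(r.Context(), r.Header)
		if err != nil {
			w.Header().Set("WWW-Authenticate", `Basic realm="otel-collector"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// receiver stands in for the OTLP HTTP receiver and reads the subject from the context.
func receiver(w http.ResponseWriter, r *http.Request) {
	subject, _ := r.Context().Value(subjectKey).(string)
	fmt.Fprintf(w, "accepted export from %s", subject)
}

// basicHeader builds the header value an OTLP client configured with basic auth sends.
func basicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// tryExport sends one request carrying authHeader (empty for none) through the handler and
// returns the status code and body, so each case can be checked without a live collector.
func tryExport(handler http.Handler, authHeader string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/v1/traces", strings.NewReader("{}"))
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Constructed credentials; the real extension loads them from the htpasswd file.
	h := withServerAuth(newBasicAuthenticator(map[string]string{"agent": "s3cret"}), http.HandlerFunc(receiver))
	for _, hdr := range []string{"", basicHeader("agent", "wrong"), basicHeader("agent", "s3cret")} {
		fmt.Println(tryExport(h, hdr))
	}
}
```

The gRPC path in the YAML works the same way, with the authenticator reading gRPC metadata instead of HTTP headers and the failure surfacing as the Unauthenticated status code rather than 401.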

Client-side example (OAuth2)

```yaml
extensions:
  oauth2client:
    client_id: my-client
    client_secret: supersecret
    token_url: https://auth.example.com/oauth/token
    scopes: [metrics.write]

exporters:
  otlphttp:
    endpoint: https://backend.example.com
    auth:
      authenticator: oauth2client

service:
  extensions: [oauth2client]
  pipelines:
    metrics:
      receivers: [otlp]
      processors: []
      exporters: [otlphttp]
```
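The client-credentials flow described in Notes, as an added Go example rather than the oauth2clientauthextension's own code. An `oauth2Client` type (this example's name) takes the same client_id, client_secret, token_url and scopes as the YAML above, obtains a token from the token endpoint, caches it until shortly before the server's expires_in runs out, and as an http.RoundTripper injects Authorization: Bearer on every export. The authorization server and the backend are one constructed httptest server with `/oauth/token` and `/v1/metrics` routes, and `fakeServer` and `export` are also names introduced here. It goes a little beyond the note by making the caching measurable and by showing that a rejected or unreachable token endpoint stops the export before anything reaches the backend.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// oauth2Client plays the oauth2client extension: it runs the client-credentials grant against the
// token endpoint, caches the token until near expiry, and as an http.RoundTripper injects
// "Authorization: Bearer" on every exporter request. Field names follow the page's config keys.
type oauth2Client struct {
	TokenURL, ClientID, ClientSecret string
	Scopes                           []string
	token                            string
	expires                          time.Time
	Fetches                          int // token-endpoint round trips, to make the caching visible
}

func (c *oauth2Client) Token() (string, error) {
	if c.token != "" && time.Now().Add(30*time.Second).Before(c.expires) {
		return c.token, nil // cached token still valid: no round trip
	}
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {strings.Join(c.Scopes, " ")}}
	req, _ := http.NewRequest(http.MethodPost, c.TokenURL, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret) // RFC 6749 client authentication
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", fmt.Errorf("token endpoint unreachable: %w", err)
	}
	defer resp.Body.Close()
	c.Fetches++
	var body struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int    `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); resp.StatusCode != http.StatusOK || err != nil || body.AccessToken == "" {
		return "", fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
	c.token, c.expires = body.AccessToken, time.Now().Add(time.Duration(body.ExpiresIn)*time.Second)
	return c.token, nil
}

// RoundTrip is the client-side wrapping step; without a token the export fails before anything is sent.
func (c *oauth2Client) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := c.Token()
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	r.Header.Set("Authorization", "Bearer "+tok)
	return http.DefaultTransport.RoundTrip(r)
}

// fakeServer hosts a constructed authorization server at /oauth/token (issues tok-1, tok-2, ...
// to my-client/supersecret) and a backend at /v1/metrics that accepts only such bearer tokens.
func fakeServer() *httptest.Server {
	n, mux := 0, http.NewServeMux()
	mux.HandleFunc("/oauth/token", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != "my-client" || secret != "supersecret" || r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		n++
		json.NewEncoder(w).Encode(map[string]interface{}{"access_token": fmt.Sprintf("tok-%d", n), "token_type": "Bearer", "expires_in": 120})
	})
	mux.HandleFunc("/v1/metrics", func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer tok-") {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
	return httptest.NewServer(mux)
}

// export sends n payloads through an exporter wrapped with c and reports the status codes seen
// and how many token fetches they cost.
func export(c *oauth2Client, backendURL string, n int) (codes []int, fetches int, err error) {
	client := &http.Client{Transport: c}
	for i := 0; i < n; i++ {
		resp, perr := client.Post(backendURL+"/v1/metrics", "application/x-protobuf", strings.NewReader("payload"))
		if perr != nil {
			return codes, c.Fetches, perr
		}
		resp.Body.Close()
		codes = append(codes, resp.StatusCode)
	}
	return codes, c.Fetches, nil
}

func main() {
	srv := fakeServer()
	defer srv.Close()
	c := &oauth2Client{TokenURL: srv.URL + "/oauth/token", ClientID: "my-client", ClientSecret: "supersecret", Scopes: []string{"metrics.write"}}
	fmt.Println(export(c, srv.URL, 3)) // three exports cost one token fetch
}
```

Two things worth carrying over to the real configuration: the token cache means a short outage of the authorization server only affects exports that need a fresh token, and the client_secret in the YAML above is better supplied through the collector's environment-variable expansion (for example `${env:OAUTH2_CLIENT_SECRET}`) than committed in clear text.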

References

  • opentelemetry-collector/config/configauth/README.md

mTLS

When using mutual TLS (mTLS) for authentication, both the client and server present their own certificates to verify each other's identities. For more details on setting up mTLS with OpenTelemetry Collector, refer to this guide: https://dev.to/vipinvkmenon/setting-up-otel-collectors-for-mtls-4n4o

In short:

mTLS receiver (server side)

```yaml
receivers:
  otlp:
    protocols:
      grpc:
        tls:
          cert_file: /etc/certs/server-tls.pem
          key_file: /etc/certs/server-tls.key
          client_ca_file: /etc/certs/ca.pem
```

mTLS exporter (client side)

```yaml
exporters:
  otlp:
    tls:
      cert_file: /etc/certs/client-tls.pem
      key_file: /etc/certs/client-tls.key
      ca_file: /etc/certs/ca.pem
```
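The two mTLS blocks above as an added Go example; it is not the collector's code. `issue` mints a throwaway CA and server and client certificates in place of the ca.pem, server-tls and client-tls files, `serverTLS` and `clientTLS` build the tls.Config that each YAML block maps to (the receiver's client_ca_file is modelled as ClientAuth: tls.RequireAndVerifyClientCert, the exporter's ca_file as RootCAs), and `scenarios` checks the three cases a practitioner should verify before trusting the setup: a client with the right certificate is identified by its CN, while a client with no certificate or with one issued by an unrelated CA is refused at the handshake. All function names and certificate names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a throwaway certificate for cn: a self-signed CA when parent is nil (the page's
// ca.pem), otherwise a leaf signed by parent with the given extended key usage (server-tls or
// client-tls). Real deployments load these files from their PKI; this only keeps the demo offline.
func issue(cn string, parent *tls.Certificate, eku x509.ExtKeyUsage) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}, // httptest listens on loopback
	}
	signer, signerKey := tmpl, interface{}(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// trust is the pool that a ca_file or client_ca_file setting is loaded into.
func trust(ca *tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca.Leaf)
	return p
}

// serverTLS is the receiver block: cert_file/key_file identify the collector, client_ca_file
// makes it require and verify a client certificate.
func serverTLS(server, ca *tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: trust(ca), ClientAuth: tls.RequireAndVerifyClientCert}
}

// clientTLS is the exporter block: cert_file/key_file are presented to the collector and ca_file
// verifies it. A nil client models an exporter that has no certificate.
func clientTLS(client, ca *tls.Certificate) *tls.Config {
	cfg := &tls.Config{RootCAs: trust(ca)}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	return cfg
}

// export makes one request with the given client TLS settings and returns the client CN the
// receiver verified, or the handshake error.
func export(srv *httptest.Server, cfg *tls.Config) (string, error) {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/v1/traces")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Peer-CN"), nil
}

// scenarios runs an HTTPS stand-in for the receiver and checks proper mTLS, a client with no
// certificate, and a client whose certificate comes from an unrelated CA.
func scenarios() (cn string, noCertErr, wrongCAErr error) {
	ca := issue("demo-ca", nil, 0)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// VerifiedChains is only populated once the client certificate chained to ClientCAs.
		w.Header().Set("X-Peer-CN", r.TLS.VerifiedChains[0][0].Subject.CommonName)
	}))
	srv.TLS = serverTLS(issue("otel-collector", ca, x509.ExtKeyUsageServerAuth), ca)
	srv.StartTLS()
	defer srv.Close()
	cn, err := export(srv, clientTLS(issue("otel-agent", ca, x509.ExtKeyUsageClientAuth), ca))
	if err != nil {
		panic(err)
	}
	_, noCertErr = export(srv, clientTLS(nil, ca))
	_, wrongCAErr = export(srv, clientTLS(issue("rogue-agent", issue("rogue-ca", nil, 0), x509.ExtKeyUsageClientAuth), ca))
	return cn, noCertErr, wrongCAErr
}

func main() {
	fmt.Println(scenarios())
}
```

The verified CN (or other certificate fields) is what an authorization layer behind the receiver would key on; the handshake alone only establishes that the peer holds a key certified by the CA in client_ca_file, so the CA's issuance policy is the real access control.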