Accessing Metrics Endpoint without authentication


#1

Hi there,

I have a question about accessing the Metrics Endpoint. Is it possible to only make the following address accessible from outside without authentication?
I would not like to completely remove the authentication.

http://localhost:8080/camunda/api/engine/engine/default/metrics/activity-instance-end/sum

The aim is to query the flow nodes and integrate them into another system.

Thanks for your help,
Jannik


#2

It is not possible the easy way.

The servlet filter ProcessEngineAuthenticationFilter does a check in it’s doFilter method, which is calling the requiresEngineAuthentication method, which compiles a regularExpression which matches any part containing a /engine (read from here)

So the only way would be to overwrite the doFilter method to continue the chain when the path contains the metrics URL - but that would mean that you would have to compile your own bpm-engine, which I guess you don’t want to do. (not so sure about the last part, but I doubt that overwriting the filter is easier than to just implement the authorization in your other system).

If you still plan on overwriting the filter, you may check out this stackoverflow answer and this part of the doFilter method.

Edit: This answer however took it for granted that you have the ProcessEngineAuthenticationFilter enabled. If you are not this filter (which is used in the BasicAuth example), you can simply add the following line to your securityFilterRules.json in your WEB-INF folder (example: *camunda-webapp-jboss-7.11.0.war\WEB-INF*):

	  { "path": "/api/engine/engine/{engine}/metrics/.*", "methods" : "GET" },

This has to be placed into the allowedPaths array. This will expose all subpaths of metrics for every engine deploed.

Hope I could help you!