A Prometheus proxy that performs SpiceDB permission checks based on labels

authzed/prom-authzed-proxy

prom-authzed-proxy

prom-authzed-proxy is a proxy for Prometheus that authorizes the request's Bearer Token with Authzed and enforces a label in a PromQL query.

Authzed is a database and service that stores, computes, and validates your application's permissions.

Developers create a schema that models their permissions requirements and use a client library, such as this one, to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.

See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.

Basic Usage

Installation

If you're using a modern version of Go, run the following command to install:

go install github.com/authzed/prom-authzed-proxy@latest

If you prefer a container image of the proxy and have Docker installed:

docker pull quay.io/authzed/prom-authzed-proxy:latest

Running against localhost

The following command runs the proxy, checking permissions against authzed.com and forwarding to a Prometheus instance running on localhost:

prom-authzed-proxy \
    --upstream-prom-addr http://localhost:9090 \
    --object-id-parameter install \
    --authzed-token tc_client_token_1234deadbeef \
    --authzed-subject-definition-path psystem/token \
    --authzed-subject-relation ... \
    --authzed-object-definition-path psystem/prometheus \
    --authzed-permission viewer

For each request, the proxy checks that the Bearer Token value is a viewer of the value of the PromQL label install, with each value interpreted as its respective Authzed Object Type (psystem/token for the token, psystem/prometheus for the label value).

If the permission check fails, the proxy will return an HTTP 403.
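
The request flow described above, sketched as a fail-closed Go handler. This is an added example, not the project's own code: Checker, Gate, Probe and the sample tokens and install IDs are hypothetical, and an in-memory function stands in for the Authzed call. It assumes the object ID arrives as a query parameter named install and that a missing token, a missing parameter or a check error is also answered with 403; PromQL label enforcement is not shown.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Checker is a hypothetical stand-in for the Authzed permission check.
type Checker func(token, objectID string) (bool, error)

// Gate forwards a request only if its Bearer Token passes the check for the object ID.
func Gate(objectIDParam string, check Checker, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		token := strings.TrimPrefix(auth, "Bearer ")
		objectID := r.URL.Query().Get(objectIDParam)
		if token == auth || token == "" || objectID == "" {
			http.Error(w, "forbidden", http.StatusForbidden) // nothing to check: fail closed
			return
		}
		if ok, err := check(token, objectID); err != nil || !ok {
			http.Error(w, "forbidden", http.StatusForbidden) // denied, or check unavailable
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sampleCheck uses constructed data: one token that is a viewer of "install-a".
func sampleCheck(token, objectID string) (bool, error) {
	if token == "tc_sample_error" {
		return false, fmt.Errorf("permission service unreachable")
	}
	return token == "tc_sample_token_a" && objectID == "install-a", nil
}

// Probe sends one request through the gate and returns the HTTP status code.
func Probe(token, rawQuery string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/query?"+rawQuery, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	Gate("install", sampleCheck, upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(Probe("tc_sample_token_a", "query=up&install=install-a")) }
```

An error from the check is treated the same as a denial, so an unreachable permission service never results in a forwarded query.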

Related Projects

  • Prometheus - industry standard time series database
  • prom-label-proxy - proxy that enforces labels in PromQL
  • kube-rbac-proxy - proxy that authorizes requests with Kubernetes cluster RBAC, sometimes used with prom-label-proxy