This document describes the authentication mechanism used for integrating with the CloudMon Status Dashboard.
The metrics-processor uses JWT (JSON Web Token) authentication when reporting component status to the status-dashboard API. This is specifically used by the cloudmon-metrics-reporter component to securely communicate health status updates.
JWT tokens are generated using the HMAC-SHA256 algorithm with a shared secret key.
Algorithm: HS256 (HMAC with SHA-256)
Token Structure:
The JWT token contains a simple claim structure:
{
"stackmon": "dummy"
}Signing Process:
- The shared secret is loaded from configuration (
status_dashboard.secret) - An HMAC-SHA256 key is created from the secret bytes
- Claims are signed with the key to produce the JWT token
- The token is included in the
Authorizationheader as a Bearer token
Authentication is configured in the status_dashboard section of the configuration file:
status_dashboard:
url: https://status-dashboard.example.com
secret: your-shared-secret-key| Field | Type | Required | Description |
|---|---|---|---|
url |
string | Yes | Status dashboard base URL |
secret |
string | No | JWT signing secret. If not provided, requests are sent without authentication |
The secret can also be set via environment variable:
export MP_STATUS_DASHBOARD__SECRET="your-shared-secret-key"Environment variables are merged with the configuration file, with environment variables taking precedence.
When making requests to the status-dashboard, the JWT token is included in the HTTP Authorization header using the Bearer scheme:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdGFja21vbiI6ImR1bW15In0.<signature>
- Configuration Load: The reporter reads the
status_dashboard.secretfrom configuration - Token Generation: If a secret is configured, a JWT token is generated at startup
- Request Authentication: All POST requests to
/v1/component_statusinclude the Bearer token - Server Validation: The status-dashboard validates the token signature using the same shared secret
On the server side (status-dashboard), tokens should be validated by:
- Extracting the token from the
Authorizationheader - Verifying the HMAC-SHA256 signature using the shared secret
- Optionally checking the claims (currently contains
{"stackmon": "dummy"})
- Never commit secrets to version control
- Use environment variables (
MP_STATUS_DASHBOARD__SECRET) in production - Rotate secrets periodically
- Use strong, randomly-generated secrets (minimum 32 characters recommended)
- Always use HTTPS for the status-dashboard URL in production
- The JWT token is sent in clear text in the Authorization header
- Without TLS, tokens could be intercepted and reused
- Stateless: Tokens are self-contained and don't require server-side session storage
- No Expiration: Current implementation does not include expiration claims
- Single Use Case: Tokens are specifically for machine-to-machine authentication between reporter and status-dashboard
-
Use Strong Secrets: Generate cryptographically secure random strings
openssl rand -base64 32
-
Environment Separation: Use different secrets for development, staging, and production
-
Audit Logging: Log authentication failures on the status-dashboard for monitoring
-
Network Isolation: Where possible, restrict network access between components
use hmac::{Hmac, Mac};
use jwt::SignWithKey;
use sha2::Sha256;
use std::collections::BTreeMap;
let secret = "your-shared-secret";
let key: Hmac<Sha256> = Hmac::new_from_slice(secret.as_bytes()).unwrap();
let mut claims = BTreeMap::new();
claims.insert("stackmon", "dummy");
let token_str = claims.sign_with_key(&key).unwrap();
let bearer = format!("Bearer {}", token_str);function validate_token(authorization_header, secret):
# Extract token from "Bearer <token>"
token = extract_bearer_token(authorization_header)
# Verify signature
key = hmac_sha256_key(secret)
claims = verify_and_decode(token, key)
if claims is valid:
return true
else:
return false