@SashaPog SashaPog commented Dec 2, 2025

temporarily opened /actuator/prometheus endpoint
Issue 8077

Summary by CodeRabbit

  • New Features
    • Added Prometheus metrics registry support.
    • Exposed health, info, metrics, and prometheus actuator endpoints.
    • Made the Prometheus endpoint publicly accessible.

coderabbitai bot commented Dec 2, 2025

Walkthrough

Adds Prometheus metrics support and Spring Boot actuator endpoints: two dependencies were added, actuator endpoints (including prometheus) were exposed in application properties, and security rules were updated to permit access to /actuator/prometheus.

Changes

Cohort / File(s) Summary
Dependency Management
core/pom.xml
Added io.micrometer:micrometer-registry-prometheus (scope: runtime) and org.springframework.boot:spring-boot-starter-actuator to provide Prometheus metrics and actuator endpoints.
Security Configuration
core/src/main/java/greencity/config/SecurityConfig.java
Inserted an authorization rule allowing unrestricted access to the /actuator/prometheus endpoint in the HTTP security chain.
Actuator Endpoints / Config
core/src/main/resources/application.properties
Added management.endpoints.web.exposure.include entries to expose actuator endpoints (health, info, metrics, prometheus, etc.).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Prometheus
    participant Client
    participant App
    participant Security

    Client->>App: HTTP GET /actuator/prometheus
    App->>Security: Check security rules for /actuator/prometheus
    Security-->>App: Permit (public)
    App-->>Client: 200 OK + Prometheus metrics
    Prometheus->>App: Scrape /actuator/prometheus (periodic)
    App-->>Prometheus: 200 OK + Prometheus metrics

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Files to double-check: core/pom.xml, core/src/main/java/greencity/config/SecurityConfig.java, core/src/main/resources/application.properties.
  • Pay attention to: dependency version alignment with existing Spring Boot BOM, security rule ordering (ensure no accidental broader permitAll), and whether actuator exposure is intentionally scoped as configured.

Poem

Metrics hum, endpoints sing,
Prometheus comes to clip its wing,
Actuator doors now open wide,
Secure the gate where data hides,
Small changes, brighter monitoring ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'Feature/8077/grafana logging' is related to the changeset but uses branch naming convention rather than describing the actual change; the PR adds Prometheus metrics support and actuator endpoints for monitoring, not just 'grafana logging'. Consider using a more descriptive title like 'Enable Prometheus metrics and actuator endpoints for monitoring' to better communicate the technical change to reviewers.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba3783b and 690d503.

📒 Files selected for processing (1)
  • core/src/main/resources/application.properties (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • core/src/main/resources/application.properties
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
core/src/main/java/greencity/config/SecurityConfig.java (1)

144-144: Consider rate limiting for public metrics endpoint.

The /actuator/prometheus endpoint is now publicly accessible, which is correct for Prometheus scraping. However, without rate limiting, this could be abused for reconnaissance or to cause resource exhaustion.

Consider implementing rate limiting at the infrastructure level (e.g., API gateway, reverse proxy) or using Spring's RateLimiter for the actuator endpoints to prevent abuse while maintaining accessibility for legitimate monitoring.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dd4d0b and ba3783b.

📒 Files selected for processing (3)
  • core/pom.xml (1 hunks)
  • core/src/main/java/greencity/config/SecurityConfig.java (1 hunks)
  • core/src/main/resources/application.properties (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-04-15T19:56:35.738Z
Learnt from: ChernenkoVitaliy
Repo: ita-social-projects/GreenCity PR: 8330
File: core/src/main/java/greencity/config/SecurityConfig.java:297-297
Timestamp: 2025-04-15T19:56:35.738Z
Learning: In GreenCity's SecurityConfig, endpoints not explicitly listed in authorization rules fall to the catch-all rule ".anyRequest().hasAnyRole(ADMIN)" which restricts access to ADMIN role only.

Applied to files:

  • core/src/main/java/greencity/config/SecurityConfig.java
📚 Learning: 2025-03-01T10:57:03.720Z
Learnt from: Warded120
Repo: ita-social-projects/GreenCity PR: 8195
File: core/src/main/java/greencity/config/SecurityConfig.java:217-219
Timestamp: 2025-03-01T10:57:03.720Z
Learning: When working with Spring Security configuration, edit existing requestMatchers() instead of creating new ones to avoid permission conflicts, as Spring Security applies the first matching rule when evaluating access restrictions.

Applied to files:

  • core/src/main/java/greencity/config/SecurityConfig.java
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (2)
core/src/main/java/greencity/config/SecurityConfig.java (1)

144-144: Secure all exposed actuator endpoints explicitly.

The management.endpoints.web.exposure.include property exposes health, info, metrics, prometheus, env, threaddump. While /actuator/prometheus is explicitly permitted, the remaining endpoints (env, threaddump, health, info, metrics) fall through to the catch-all rule .anyRequest().permitAll() at line 497, making them publicly accessible without authentication. The env and threaddump endpoints are particularly sensitive and should be restricted to administrators only.

Add explicit security rules for all exposed actuator endpoints:

 .requestMatchers("/actuator/prometheus").permitAll()
+.requestMatchers("/actuator/health", "/actuator/info", "/actuator/metrics").permitAll()
+.requestMatchers("/actuator/**").hasAnyRole(ADMIN)
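Review bot: the `+.requestMatchers("/actuator/**").hasAnyRole(ADMIN)` line is only meaningful if it precedes the catch-all, and this comment describes that catch-all inconsistently: the text above says `.anyRequest().permitAll()` at line 497, while both recorded learnings say `.anyRequest().hasAnyRole(ADMIN)`. Confirm which one the file actually ends with before applying the suggestion; if it is already `hasAnyRole(ADMIN)`, the `/actuator/**` line is redundant, and if it is `permitAll()`, it is essential and `env` and `threaddump` are public until it lands. Also note that `"/actuator/metrics"` matches the exact path only, so the per-metric sub-paths under `/actuator/metrics/` fall to the `/actuator/**` rule and become admin-only, which should be stated as intended or widened deliberately.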
⛔ Skipped due to learnings
core/pom.xml (1)

238-246: LGTM: Dependencies are appropriate for Prometheus metrics.

The added dependencies correctly enable Prometheus metrics collection:

  • micrometer-registry-prometheus with runtime scope is appropriate for metrics export
  • spring-boot-starter-actuator provides the actuator endpoints infrastructure

The versions are correctly inherited from Spring Boot 3.5.6 (the parent BOM), which is a current and secure version that includes recent security fixes for CVE-2025-41249 and related issues. This dependency management approach is recommended practice.
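The rule ordering the review keeps returning to (explicit actuator matchers first, catch-all last, only the scrape target public) is easier to get right with Spring Boot's `EndpointRequest` matchers than with literal path strings. The following is an added example, not GreenCity's SecurityConfig; it assumes Spring Boot 3.x with the Spring Security 6 lambda DSL and a `String` constant named `ADMIN` holding the role name, matching the `hasAnyRole(ADMIN)` snippet above.

```java
// Added example, not the project's own code. Assumptions: Spring Boot 3.x /
// Spring Security 6 lambda DSL, and a project constant ADMIN holding the role.
// Pairs with an application.properties exposure list that contains only what
// is actually used, e.g. management.endpoints.web.exposure.include=health,info,prometheus
// (env and threaddump need not be exposed at all unless an operator needs them).
package example;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig {

    private static final String ADMIN = "ADMIN"; // assumed constant name

    @Bean
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            // 1. Scrape target plus liveness/info: public, but only these.
            //    EndpointRequest.to(...) matches by endpoint id, so it follows a
            //    changed management base path and covers sub-paths such as
            //    /actuator/health/liveness, which a literal "/actuator/health"
            //    string matcher would miss.
            .requestMatchers(EndpointRequest.to("prometheus", "health", "info")).permitAll()
            // 2. Every other exposed actuator endpoint (metrics, env, threaddump,
            //    and anything added later) is admin-only. /actuator/metrics stays
            //    restricted here because /actuator/prometheus already carries the
            //    same data for the scraper. This rule must sit BEFORE anyRequest():
            //    Spring Security applies the first matcher that matches.
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasAnyRole(ADMIN)
            // 3. Application routes follow; the catch-all stays last.
            .anyRequest().authenticated()
        );
        return http.build();
    }
}
```

If a new endpoint is later added to the exposure list, rule 2 already covers it, so the default for anything not named in rule 1 is admin-only rather than whatever the catch-all happens to be.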

sonarqubecloud bot commented Dec 2, 2025
