Support authorization_credentials #272
Questions: Do we want the form:
or
Note: the latter would mean always 2 lines (in pretty yaml) and therefore you can't easily
or
4b57689 to 1e10141
My vote would be for the latter format
1e10141 to ac5d086
I have implemented the latter. cc @beorn7
fac8ca6 to 34fd980
I'll review properly ASAP. In the meantime, you can fix the CI failures. (o:
This backward-compatible patch enables authorization header type to be set. For consistency, bearer_token is renamed to authorization credentials and a new authorization type is introduced. The terminology is taken from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
34fd980 to 84ebc5b
if len(c.Authorization.Type) == 0 { | ||
c.Authorization.Type = "Bearer" | ||
} | ||
if strings.ToLower(c.Authorization.Type) == "basic" { |
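Review bot: the `basic` check on the last line compares `strings.ToLower(c.Authorization.Type)` against a literal without trimming, so a value with stray whitespace such as "basic " would not match it. Consider applying `strings.TrimSpace` before the empty-type default and using `strings.EqualFold(c.Authorization.Type, "basic")` for the comparison. The body of the branch is not visible here; if it returns an error, the message should point users to the existing Basic auth configuration so the rejection explains itself.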
What's the benefit of preventing "basic" as the auth type here? Just thinking the two config mechanisms are not strictly equivalent, as with one the user must save the username and password in the config in plain text. In the other, the user can save the credentials pre-encoded as they are transmitted over the wire. It may be preferable to the user to use the second mechanism?
This is to reduce support requests. That prevents users from putting a clear-text password here and expecting it to work. We have a well-defined way to do Basic auth, let's not add a second.
I would also note that some users might have the fake sense of security that this method would use an encrypted password while it's not the case.
This backward-compatible patch enables authorization header type to be
set.
For consistency, bearer_token is renamed to authorization_credentials
and a new authorization_type is introduced.
The terminology is taken from
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
refs:
#271
prometheus/prometheus#5107
Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
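The type validation discussed in the review, together with the reviewers' point that pre-encoded Basic credentials are not encrypted, as an added Go example that is not the PR's own code. The `Authorization` struct and the `Validate`, `HeaderValue` and `DecodeBasic` names are hypothetical, the whitespace trimming is this example's choice, and the credentials are a constructed sample.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Authorization is a hypothetical stand-in for the PR's config struct.
type Authorization struct {
	Type        string // e.g. "Bearer"; empty means default
	Credentials string // sent verbatim after the type
}

// Validate defaults Type to "Bearer" and refuses "basic" in any casing (trimming is this example's choice).
func (a *Authorization) Validate() error {
	a.Type = strings.TrimSpace(a.Type)
	if a.Type == "" {
		a.Type = "Bearer"
	}
	if strings.EqualFold(a.Type, "basic") {
		return errors.New(`authorization type "basic" is rejected; use the dedicated Basic auth configuration`)
	}
	return nil
}

// HeaderValue renders the Authorization header value as "<type> <credentials>".
func (a Authorization) HeaderValue() string { return a.Type + " " + a.Credentials }

// DecodeBasic recovers user and password from pre-encoded Basic credentials: base64 gives no confidentiality.
func DecodeBasic(credentials string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(credentials)
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("decoded credentials lack a ':' separator")
	}
	return parts[0], parts[1], nil
}

func main() {
	b := Authorization{Type: "BASIC", Credentials: "dXNlcjpwYXNz"} // constructed sample
	fmt.Println(b.Validate())
	fmt.Println(DecodeBasic(b.Credentials))
}
```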