Remove basic auth from /-/healthy #501

Closed
twiden opened this issue Oct 18, 2022 · 3 comments

twiden commented Oct 18, 2022

Feature request

Use case. Why is this important?
Is there a way to protect only certain URL paths with basic auth?

For example, I would like to make /-/healthy and /-/ready wide open for healthchecks from a load balancer that does not support basic auth (AWS ALB). Right now the ALB has to accept 401 as a valid response even though the URL, after authentication, might return a 404 or anything else.

It would also be good to handle authentication for the metrics PUSH endpoint separately. I'm pushing from a third-party application that I don't have control over/can't change implementation freely and it does not support basic auth. But I would like authentication on all metric GET requests.

Member

beorn7 commented Oct 18, 2022

My gut feeling is that this is getting into more complex web routing configuration, which we should not bake into a relatively light-weight binary like the Pushgateway. I would recommend a reverse proxy in front of the Pushgateway to manage that fine-grained access control.

However, I don't want to stifle the discussion here. Maybe this is useful for enough people that we should support it directly in the Pushgateway and other binaries in the Prometheus ecosystem. If that's the case, it shouldn't just be implemented in the Pushgateway, but in https://github.com/prometheus/exporter-toolkit so that all the binaries do the same in the same way.

Work is already ongoing over there, see prometheus/exporter-toolkit#111 and prometheus/exporter-toolkit#106. Maybe you want to chime in there?

Author

twiden commented Oct 19, 2022

I see your point, but to me the basic auth functionality has no practical use if I can't turn it off for /-/healthy and /-/ready (ALB healthcheck does not support basic auth) and posting new metrics (Keycloak metrics SPI does not support it either, as far as I understand). Since these are performed within the subnet, it would be really nice if I could whitelist a CIDR that is allowed to bypass basic auth.

Member

beorn7 commented Oct 19, 2022

Well, in any case, this discussion belongs in https://github.com/prometheus/exporter-toolkit. As said, I suggest chiming in on prometheus/exporter-toolkit#111 and prometheus/exporter-toolkit#106.

@beorn7 beorn7 closed this as completed Oct 19, 2022