mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-12-11 14:53:49 +00:00
136 lines
4.7 KiB
Markdown
136 lines
4.7 KiB
Markdown
|
# VMUser
|
||
|
|
||
|
The `VMUser` CRD describes user configuration, its authentication methods `basic auth` or `Authorization` header.
|
||
|
User access permissions, with possible routing information.
|
||
|
|
||
|
User can define routing target with `static` config, by entering target `url`, or with `CRDRef`, in this case,
|
||
|
operator queries kubernetes API, retrieves information about CRD and builds proper url.
|
||
|
|
||
|
## Specification
|
||
|
|
||
|
You can see the full actual specification of the `VMUser` resource in
|
||
|
the **[API docs -> VMUser](../api.md#vmuser)**.
|
||
|
|
||
|
Also, you can check out the [examples](#examples) section.
|
||
|
|
||
|
## Authentication methods
|
||
|
|
||
|
There are two authentication mechanisms: ["Bearer token"](#bearer-token) and ["Basic auth"](#basic-auth) with `username` and `password`.
|
||
|
Only one of them can be used with `VMUser` at one time.
|
||
|
|
||
|
Operator creates `Secret` for every `VMUser` with name - `vmuser-{VMUser.metadata.name}`.
|
||
|
It places `username` + `password` or `bearerToken` into `data` section.
|
||
|
|
||
|
### Bearer token
|
||
|
|
||
|
Bearer token is a way to authenticate user with `Authorization` header.
|
||
|
User defines `token` field in `auth` section.
|
||
|
|
||
|
Also, you can check out the [examples](#examples) section.
|
||
|
|
||
|
### Basic auth
|
||
|
|
||
|
Basic auth is the simplest way to authenticate user. User defines `username` and `password` fields in `auth` section.
|
||
|
|
||
|
If `username` is empty, `metadata.name` from `VMUser` used as `username`.
|
||
|
|
||
|
You can automatically generate `password` if:
|
||
|
- Set `generatePassword: true` field
|
||
|
- Don't fill `password` field
|
||
|
|
||
|
Operator generates random password for this `VMUser`,
|
||
|
this password will be added to the `Secret` for this `VMUser` at `data.password` field.
|
||
|
|
||
|
Also, you can check out the [examples](#examples) section.
|
||
|
|
||
|
## Routing
|
||
|
|
||
|
You can define routes for user in `targetRefs` section.
|
||
|
|
||
|
For every entry in `targetRefs` you can define routing target with `static` config, by entering target `url`,
|
||
|
or with `crd`, in this case, operator queries kubernetes API, retrieves information about CRD and builds proper url.
|
||
|
|
||
|
Here are details about other fields in `targetRefs`:
|
||
|
|
||
|
- `paths` is the same as `src_paths` from [auth config](https://docs.victoriametrics.com/vmauth.html#auth-config)
|
||
|
- `headers` is the same as `headers` from [auth config](https://docs.victoriametrics.com/vmauth.html#auth-config)
|
||
|
- `targetPathSuffix` is the suffix for `url_prefix` (target URL) from [auth config](https://docs.victoriametrics.com/vmauth.html#auth-config)
|
||
|
|
||
|
### Static
|
||
|
|
||
|
The `static` field is the same as `url_prefix` (target URL) from [auth config](https://docs.victoriametrics.com/vmauth.html#auth-config),
|
||
|
it allows you to set a specific static URL.
|
||
|
|
||
|
### CRDRef
|
||
|
|
||
|
The `crd` field is a more convenient form for specifying the components handled by the operator as auth targets.
|
||
|
|
||
|
User can define routing target with `crd` config, by entering `kind`, `name` and `namespace` of CRD.
|
||
|
|
||
|
Operator supports following kinds in `kind` field:
|
||
|
|
||
|
- `VMAgent` for [VMAgent](./vmagent.md)
|
||
|
- `VMAlert` for [VMAlert](./vmalert.md)
|
||
|
- `VMAlertmanager` for [VMAlertmanager](./vmalertmanager.md)
|
||
|
- `VMSingle` for [VMSingle](./vmsingle.md)
|
||
|
- `VMCluster/vmselect`, `VMCluster/vminsert` and `VMCluster/vmstorage` for [VMCluster](./vmcluster.md)
|
||
|
|
||
|
Also, you can check out the [examples](#examples) section.
|
||
|
|
||
|
Additional fields like `path` and `scheme` can be added to `CRDRef` config.
|
||
|
|
||
|
## Enterprise features
|
||
|
|
||
|
Custom resource `VMUser` supports feature [IP filters](https://docs.victoriametrics.com/vmauth.html#ip-filters)
|
||
|
from [VictoriaMetrics Enterprise](https://docs.victoriametrics.com/enterprise.html#victoriametrics-enterprise).
|
||
|
|
||
|
### IP Filters
|
||
|
|
||
|
For using [IP filters](https://docs.victoriametrics.com/vmauth.html#ip-filters)
|
||
|
you need to **[enable VMAuth Enterprise](./vmauth.md#enterprise-features)**.
|
||
|
|
||
|
After that you can add `ip_filters` field to `VMUser`:
|
||
|
|
||
|
```yaml
|
||
|
apiVersion: operator.victoriametrics.com/v1beta1
|
||
|
kind: VMUser
|
||
|
metadata:
|
||
|
name: vmuser-ent-example
|
||
|
spec:
|
||
|
username: simple-user
|
||
|
password: simple-password
|
||
|
|
||
|
# using enterprise features: ip filters for vmuser
|
||
|
# more details about ip filters you can read in https://docs.victoriametrics.com/vmuser.html#enterprise-features
|
||
|
ip_filters:
|
||
|
allow_list:
|
||
|
- 10.0.0.0/24
|
||
|
- 1.2.3.4
|
||
|
deny_list:
|
||
|
- 5.6.7.8
|
||
|
```
|
||
|
|
||
|
## Examples
|
||
|
|
||
|
```yaml
|
||
|
apiVersion: operator.victoriametrics.com/v1beta1
|
||
|
kind: VMUser
|
||
|
metadata:
|
||
|
name: example
|
||
|
spec:
|
||
|
username: simple-user
|
||
|
password: simple-password
|
||
|
targetRefs:
|
||
|
- crd:
|
||
|
kind: VMSingle
|
||
|
name: example
|
||
|
namespace: default
|
||
|
paths: ["/.*"]
|
||
|
- static:
|
||
|
url: http://vmalert-example.default.svc:8080
|
||
|
paths: ["/api/v1/groups","/api/v1/alerts"]
|
||
|
```
|
||
|
|
||
|
More examples see on [Authorization and exposing components](../auth.md) page
|
||
|
and in [Quickstart guide](../quick-start.md#vmuser).
|