diff --git a/app/vmauth/auth_config.go b/app/vmauth/auth_config.go index 8d0b350003..4abe6793b3 100644 --- a/app/vmauth/auth_config.go +++ b/app/vmauth/auth_config.go @@ -43,7 +43,7 @@ var ( "This may be useful when url_prefix points to a hostname with dynamically scaled instances behind it. See https://docs.victoriametrics.com/vmauth.html#discovering-backend-ips") discoverBackendIPsInterval = flag.Duration("discoverBackendIPsInterval", 10*time.Second, "The interval for re-discovering backend IPs if -discoverBackendIPs command-line flag is set. "+ "Too low value may lead to DNS errors") - httpAuthHeader = flag.String("httpAuthHeader", "Authorization", "HTTP request header to use for obtaining authorization tokens") + httpAuthHeader = flagutil.NewArrayString("httpAuthHeader", "HTTP request header to use for obtaining authorization tokens. By default auth tokens are read from Authorization request header") ) // AuthConfig represents auth config. @@ -909,19 +909,26 @@ func getHTTPAuthBasicToken(username, password string) string { return "http_auth:Basic " + token64 } +var defaultHeaderNames = []string{"Authorization"} + func getAuthTokensFromRequest(r *http.Request) []string { var ats []string - // Obtain possible auth tokens from one of allowed auth headers - headerName := *httpAuthHeader - if ah := r.Header.Get(headerName); ah != "" { - if headerName == "Authorization" && strings.HasPrefix(ah, "Token ") { - // Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication - // See https://docs.influxdata.com/influxdb/v2.0/api/ - ah = strings.Replace(ah, "Token", "Bearer", 1) + // Obtain possible auth tokens from one of the allowed auth headers + headerNames := *httpAuthHeader + if len(headerNames) == 0 { + headerNames = defaultHeaderNames + } + for _, headerName := range headerNames { + if ah := r.Header.Get(headerName); ah != "" { + if strings.HasPrefix(ah, "Token ") { + // Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication + // See https://docs.influxdata.com/influxdb/v2.0/api/ + ah = strings.Replace(ah, "Token", "Bearer", 1) + } + at := "http_auth:" + ah + ats = append(ats, at) } - at := "http_auth:" + ah - ats = append(ats, at) } return ats diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 1b9d08687e..5a92d1ff5c 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -38,7 +38,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/). * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow discovering ip addresses for backend instances hidden behind a shared hostname, via `discover_backend_ips: true` option. This allows evenly spreading load among backend instances. See [these docs](https://docs.victoriametrics.com/vmauth/#discovering-backend-ips) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5707). * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP [query args](https://en.wikipedia.org/wiki/Query_string) via `src_query_args` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5878). * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP request headers via `src_headers` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends). -* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): add ability to read auth tokens from arbitrary HTTP request header. Previously auth tokens were read only from `Authorization` HTTP request header. See [these docs](https://docs.victoriametrics.com/vmauth/#reading-auth-tokens-from-other-http-headers) for details. +* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): add ability to read auth tokens from arbitrary HTTP request headers. Previously auth tokens were read only from `Authorization` HTTP request header. See [these docs](https://docs.victoriametrics.com/vmauth/#reading-auth-tokens-from-other-http-headers) for details. * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): reduce memory usage by up to 5x when aggregating over big number of unique [time series](https://docs.victoriametrics.com/keyconcepts/#time-series). The memory usage reduction is most visible when [stream deduplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) is enabled. * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): allow using `-streamAggr.dedupInterval` and `-remoteWrite.streamAggr.dedupInterval` command-line flags without the need to specify `-streamAggr.config` and `-remoteWrite.streamAggr.config`. See [these docs](https://docs.victoriametrics.com/stream-aggregation/#deduplication). * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): add `-streamAggr.dropInputLabels` command-line flag, which can be used for dropping the listed labels from input samples before applying stream [de-duplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) and aggregation. This is faster and easier to use alternative to [input_relabel_configs](https://docs.victoriametrics.com/stream-aggregation/#relabeling). See [these docs](https://docs.victoriametrics.com/stream-aggregation/#dropping-unneeded-labels). diff --git a/docs/vmauth.md b/docs/vmauth.md index 7a70248496..50ad776a9b 100644 --- a/docs/vmauth.md +++ b/docs/vmauth.md @@ -635,11 +635,18 @@ See config example of using IP filters [here](https://github.com/VictoriaMetrics ## Reading auth tokens from other HTTP headers `vmauth` reads `username`, `password` and `bearer_token` [config values](#auth-config) from `Authorization` request header. -It is possible to read these values from any other request header by specifying it via `-httpAuthHeader` command-line flag. +It is possible to read these auth tokens from any other request header by specifying it via `-httpAuthHeader` command-line flag. For example, the following command instructs `vmauth` to read auth token from `X-Amz-Firehose-Access-Key` header: ``` -./vmauth -httpAuthHeader=X-Amz-Firehose-Access-Key +./vmauth -httpAuthHeader='X-Amz-Firehose-Access-Key' +``` + +It is possible to read auth tokens from multiple headers. For example, the following command instructs `vmauth` to read auth token +from both `Authorization` and `X-Amz-Firehose-Access-Key` headers: + +``` +./vmauth -httpAuthHeader='Authorization' -httpAuthHeader='X-Amz-Firehose-Access-Key' ``` ## Auth config @@ -1003,8 +1010,10 @@ See the docs at https://docs.victoriametrics.com/vmauth.html . Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password - -httpAuthHeader string - HTTP request header to use for obtaining authorization tokens (default "Authorization") + -httpAuthHeader array + HTTP request header to use for obtaining authorization tokens. By default auth tokens are read from Authorization request header + Supports an array of values separated by comma or specified via multiple flags. + Value can contain comma inside single-quoted or double-quoted string, {}, [] and () braces. -httpListenAddr array TCP address to listen for incoming http requests. See also -tls and -httpListenAddr.useProxyProtocol Supports an array of values separated by comma or specified via multiple flags.