diff --git a/app/vmauth/auth_config.go b/app/vmauth/auth_config.go
index c566d42692..8d0b350003 100644
--- a/app/vmauth/auth_config.go
+++ b/app/vmauth/auth_config.go
@@ -43,6 +43,7 @@ var (
 "This may be useful when url_prefix points to a hostname with dynamically scaled instances behind it. See https://docs.victoriametrics.com/vmauth.html#discovering-backend-ips")
 discoverBackendIPsInterval = flag.Duration("discoverBackendIPsInterval", 10*time.Second, "The interval for re-discovering backend IPs if -discoverBackendIPs command-line flag is set. "+
 "Too low value may lead to DNS errors")
+ httpAuthHeader = flag.String("httpAuthHeader", "Authorization", "HTTP request header to use for obtaining authorization tokens")
 )
 
 // AuthConfig represents auth config.
@@ -912,17 +913,15 @@ func getAuthTokensFromRequest(r *http.Request) []string {
 var ats []string
 
 // Obtain possible auth tokens from one of allowed auth headers
- for _, headerName := range authHeaders {
- if ah := r.Header.Get(headerName); ah != "" {
- if strings.HasPrefix(ah, "Token ") {
- // Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
- // See https://docs.influxdata.com/influxdb/v2.0/api/
- ah = strings.Replace(ah, "Token", "Bearer", 1)
- }
- at := "http_auth:" + ah
- ats = append(ats, at)
- break
+ headerName := *httpAuthHeader
+ if ah := r.Header.Get(headerName); ah != "" {
+ if headerName == "Authorization" && strings.HasPrefix(ah, "Token ") {
+ // Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
+ // See https://docs.influxdata.com/influxdb/v2.0/api/
+ ah = strings.Replace(ah, "Token", "Bearer", 1)
 }
+ at := "http_auth:" + ah
+ ats = append(ats, at)
 }
 
 return ats
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 7cd6aabae8..bcfc275f18 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
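Review bot: The help text of the new `httpAuthHeader` flag in the first hunk does not say that the configured header replaces `Authorization` rather than being checked alongside it, which is the behavioural difference from the additive `-extraAuthHeader` flag this commit removes in main.go. Suggest `"HTTP request header to use for obtaining authorization tokens. If set to a non-default value, the Authorization header is no longer consulted"`. The enclosing `var (` block starts before the hunk.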
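Review bot: The InfluxDB `Token ` rewrite in the second hunk is gated on a case-sensitive `headerName == "Authorization"`, while `r.Header.Get` matches header names case-insensitively, so `-httpAuthHeader=authorization` still reads the header but silently skips the rewrite; compare canonical forms instead, `if http.CanonicalHeaderKey(headerName) == "Authorization" && strings.HasPrefix(ah, "Token ") {`. The comment `// Obtain possible auth tokens from one of allowed auth headers` is now stale and should read something like `// Obtain the auth token from the single header selected by -httpAuthHeader (Authorization by default)`, since a request carrying only `Authorization` is no longer authenticated once a custom header is configured. Because vmauth forwards the request to a backend, it is also worth confirming outside this hunk that the configured header is stripped or replaced before proxying in the same way `Authorization` presumably is, otherwise the client credential reaches the backend. The closing brace of getAuthTokensFromRequest lies past the end of the hunk.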
@@ -56,8 +56,6 @@ var (
 "See https://docs.victoriametrics.com/vmauth.html#backend-tls-setup")
 backendTLSCAFile = flag.String("backend.TLSCAFile", "", "Optional path to TLS root CA file, which is used for TLS verification when connecting to backends over HTTPS. "+
 "See https://docs.victoriametrics.com/vmauth.html#backend-tls-setup")
- extraAuthHeaders = flagutil.NewArrayString("extraAuthHeader", "extra to Authorization auth header names")
- authHeaders = []string{"Authorization"}
 )
 
 func main() {
@@ -72,7 +70,6 @@ func main() {
 if len(listenAddrs) == 0 {
 listenAddrs = []string{":8427"}
 }
- authHeaders = append(authHeaders, (*extraAuthHeaders)...)
 logger.Infof("starting vmauth at %q...", listenAddrs)
 startTime := time.Now()
 initAuthConfig()
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 2e8385dd6e..1b9d08687e 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -38,7 +38,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow discovering ip addresses for backend instances hidden behind a shared hostname, via `discover_backend_ips: true` option. This allows evenly spreading load among backend instances. See [these docs](https://docs.victoriametrics.com/vmauth/#discovering-backend-ips) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5707).
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP [query args](https://en.wikipedia.org/wiki/Query_string) via `src_query_args` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5878).
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP request headers via `src_headers` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends).
-* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): added ability to set extra headers where to expect auth token (additionally to Authorization).
+* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): add ability to read auth tokens from arbitrary HTTP request header. Previously auth tokens were read only from `Authorization` HTTP request header. See [these docs](https://docs.victoriametrics.com/vmauth/#reading-auth-tokens-from-other-http-headers) for details.
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): reduce memory usage by up to 5x when aggregating over big number of unique [time series](https://docs.victoriametrics.com/keyconcepts/#time-series).
The memory usage reduction is most visible when [stream deduplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) is enabled.
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): allow using `-streamAggr.dedupInterval` and `-remoteWrite.streamAggr.dedupInterval` command-line flags without the need to specify `-streamAggr.config` and `-remoteWrite.streamAggr.config`. See [these docs](https://docs.victoriametrics.com/stream-aggregation/#deduplication).
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): add `-streamAggr.dropInputLabels` command-line flag, which can be used for dropping the listed labels from input samples before applying stream [de-duplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) and aggregation. This is faster and easier to use alternative to [input_relabel_configs](https://docs.victoriametrics.com/stream-aggregation/#relabeling). See [these docs](https://docs.victoriametrics.com/stream-aggregation/#dropping-unneeded-labels).
diff --git a/docs/vmauth.md b/docs/vmauth.md
index ffa1f8495b..7a70248496 100644
--- a/docs/vmauth.md
+++ b/docs/vmauth.md
@@ -245,7 +245,6 @@ See [load-balancing docs](#load-balancing) for more details.
 * `-tls` enables accepting TLS connections at `-httpListenAddr`
 * `-tlsKeyFile` sets the path to TLS certificate key file
 * `-tlsCertFile` sets the path to TLS certificate file
-* `-extraAuthHeader` sets alternative headers for auth
 
 ### Basic Auth proxy
@@ -633,6 +632,16 @@ users:
 See config example of using IP filters [here](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmauth/example_config_ent.yml).
 
+## Reading auth tokens from other HTTP headers
+
+`vmauth` reads `username`, `password` and `bearer_token` [config values](#auth-config) from `Authorization` request header.
+It is possible to read these values from any other request header by specifying it via `-httpAuthHeader` command-line flag.
+For example, the following command instructs `vmauth` to read auth token from `X-Amz-Firehose-Access-Key` header:
+
+```
+./vmauth -httpAuthHeader=X-Amz-Firehose-Access-Key
+```
+
 ## Auth config
 
 `-auth.config` is represented in the following simple `yml` format:
@@ -994,6 +1003,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
 Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
   -httpAuth.username string
 Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
+ -httpAuthHeader string
+ HTTP request header to use for obtaining authorization tokens (default "Authorization")
   -httpListenAddr array
 TCP address to listen for incoming http requests. See also -tls and -httpListenAddr.useProxyProtocol
 Supports an array of values separated by comma or specified via multiple flags.