mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-11-21 14:44:00 +00:00
app/vmauth: fix unauthorized_user routing inconsistency
This commit makes vmauth respect the routing config for unauthorized requests for requests that despite having Authorization header failed to authorize successfully. It covers the following use-cases: - vmauth is used at load-balanacer and must forward requests as is. There is no any authorization configs. - vmauth has authorization config, but it must forward requests with invalid credential tokens to some other backend. related issue: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7543 --------- Signed-off-by: Andrii <andriibeee@gmail.com>
This commit is contained in:
parent
a335ed23c7
commit
5d85968659
3 changed files with 21 additions and 0 deletions
|
@ -123,6 +123,12 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
|
||||||
|
|
||||||
ui := getUserInfoByAuthTokens(ats)
|
ui := getUserInfoByAuthTokens(ats)
|
||||||
if ui == nil {
|
if ui == nil {
|
||||||
|
uu := authConfig.Load().UnauthorizedUser
|
||||||
|
if uu != nil {
|
||||||
|
processUserRequest(w, r, uu)
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
invalidAuthTokenRequests.Inc()
|
invalidAuthTokenRequests.Inc()
|
||||||
if *logInvalidAuthTokens {
|
if *logInvalidAuthTokens {
|
||||||
err := fmt.Errorf("cannot authorize request with auth tokens %q", ats)
|
err := fmt.Errorf("cannot authorize request with auth tokens %q", ats)
|
||||||
|
|
|
@ -90,6 +90,20 @@ User-Agent: vmauth
|
||||||
X-Forwarded-For: 12.34.56.78, 42.2.3.84`
|
X-Forwarded-For: 12.34.56.78, 42.2.3.84`
|
||||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||||
|
|
||||||
|
// routing of all failed to authorize requests to unauthorized_user (issue #7543)
|
||||||
|
cfgStr = `
|
||||||
|
unauthorized_user:
|
||||||
|
url_prefix: "{BACKEND}/foo"
|
||||||
|
keep_original_host: true`
|
||||||
|
requestURL = "http://foo:invalid-secret@some-host.com/abc/def"
|
||||||
|
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||||
|
}
|
||||||
|
responseExpected = `
|
||||||
|
statusCode=200
|
||||||
|
requested_url=http://some-host.com/foo/abc/def`
|
||||||
|
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||||
|
|
||||||
// keep_original_host
|
// keep_original_host
|
||||||
cfgStr = `
|
cfgStr = `
|
||||||
unauthorized_user:
|
unauthorized_user:
|
||||||
|
|
|
@ -20,6 +20,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
|
||||||
|
|
||||||
* SECURITY: upgrade Go builder from Go1.23.1 to Go1.23.3. See the list of issues addressed in [Go1.23.2](https://github.com/golang/go/issues?q=milestone%3AGo1.23.2+label%3ACherryPickApproved) and [Go1.23.3](https://github.com/golang/go/issues?q=milestone%3AGo1.23.3+label%3ACherryPickApproved).
|
* SECURITY: upgrade Go builder from Go1.23.1 to Go1.23.3. See the list of issues addressed in [Go1.23.2](https://github.com/golang/go/issues?q=milestone%3AGo1.23.2+label%3ACherryPickApproved) and [Go1.23.3](https://github.com/golang/go/issues?q=milestone%3AGo1.23.3+label%3ACherryPickApproved).
|
||||||
|
|
||||||
|
* BUGFIX: [vmauth](https://docs.victoriametrics.com/vmauth/): fixed unauthorized routing behavior inconsistency. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7543) for details.
|
||||||
* BUGFIX: [vmctl](https://docs.victoriametrics.com/vmctl/): drop rows that do not belong to the current series during import. The dropped rows should belong to another series whose tags are a superset of the current series. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7301) and [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/7330). Thanks to @dpedu for reporting and cooperating with the test.
|
* BUGFIX: [vmctl](https://docs.victoriametrics.com/vmctl/): drop rows that do not belong to the current series during import. The dropped rows should belong to another series whose tags are a superset of the current series. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7301) and [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/7330). Thanks to @dpedu for reporting and cooperating with the test.
|
||||||
* BUGFIX: [vmsingle](https://docs.victoriametrics.com/single-server-victoriametrics/), `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/cluster-victoriametrics/): keep the order of resulting time series when `limit_offset` is applied. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7068).
|
* BUGFIX: [vmsingle](https://docs.victoriametrics.com/single-server-victoriametrics/), `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/cluster-victoriametrics/): keep the order of resulting time series when `limit_offset` is applied. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7068).
|
||||||
* BUGFIX: [graphite](https://docs.victoriametrics.com/#graphite-render-api-usage): properly handle xFilesFactor=0 for `transformRemoveEmptySeries` function. See [this PR](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/7337) for details.
|
* BUGFIX: [graphite](https://docs.victoriametrics.com/#graphite-render-api-usage): properly handle xFilesFactor=0 for `transformRemoveEmptySeries` function. See [this PR](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/7337) for details.
|
||||||
|
|
Loading…
Reference in a new issue