diff --git a/app/vmauth/README.md b/app/vmauth/README.md index 45075adb9..47a7c9ca6 100644 --- a/app/vmauth/README.md +++ b/app/vmauth/README.md @@ -43,6 +43,7 @@ Each `url_prefix` in the [-auth.config](#auth-config) may contain either a singl users: # Requests with the 'Authorization: Bearer XXXX' header are proxied to http://localhost:8428 . # For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query + # Requests with the Basic Auth username=XXXX are proxied to http://localhost:8428 as well. - bearer_token: "XXXX" url_prefix: "http://localhost:8428" diff --git a/app/vmauth/auth_config.go b/app/vmauth/auth_config.go index f3b36278b..da0b6b8b4 100644 --- a/app/vmauth/auth_config.go +++ b/app/vmauth/auth_config.go @@ -276,9 +276,12 @@ func parseAuthConfig(data []byte) (map[string]*UserInfo, error) { if byUsername[ui.Username] { return nil, fmt.Errorf("duplicate username found; username: %q", ui.Username) } - authToken := getAuthToken(ui.BearerToken, ui.Username, ui.Password) - if byAuthToken[authToken] != nil { - return nil, fmt.Errorf("duplicate auth token found for bearer_token=%q, username=%q: %q", authToken, ui.BearerToken, ui.Username) + at1, at2 := getAuthTokens(ui.BearerToken, ui.Username, ui.Password) + if byAuthToken[at1] != nil { + return nil, fmt.Errorf("duplicate auth token found for bearer_token=%q, username=%q: %q", ui.BearerToken, ui.Username, at1) + } + if byAuthToken[at2] != nil { + return nil, fmt.Errorf("duplicate auth token found for bearer_token=%q, username=%q: %q", ui.BearerToken, ui.Username, at2) } if ui.URLPrefix != nil { if err := ui.URLPrefix.sanitize(); err != nil { @@ -318,11 +321,23 @@ func parseAuthConfig(data []byte) (map[string]*UserInfo, error) { ui.requests = metrics.GetOrCreateCounter(fmt.Sprintf(`vmauth_user_requests_total{username=%q}`, name)) byUsername[ui.Username] = true } - byAuthToken[authToken] = ui + byAuthToken[at1] = ui + byAuthToken[at2] = ui } return byAuthToken, nil } +func getAuthTokens(bearerToken, username, password string) (string, string) { + if bearerToken != "" { + // Accept the bearerToken as Basic Auth username with empty password + at1 := getAuthToken(bearerToken, "", "") + at2 := getAuthToken("", bearerToken, "") + return at1, at2 + } + at := getAuthToken("", username, password) + return at, at +} + func getAuthToken(bearerToken, username, password string) string { if bearerToken != "" { return "Bearer " + bearerToken diff --git a/app/vmauth/auth_config_test.go b/app/vmauth/auth_config_test.go index f1221e4ff..a95a3a43a 100644 --- a/app/vmauth/auth_config_test.go +++ b/app/vmauth/auth_config_test.go @@ -290,6 +290,32 @@ users: }, }, }, + getAuthToken("", "foo", ""): { + BearerToken: "foo", + URLMap: []URLMap{ + { + SrcPaths: getSrcPaths([]string{"/api/v1/query", "/api/v1/query_range", "/api/v1/label/[^./]+/.+"}), + URLPrefix: mustParseURL("http://vmselect/select/0/prometheus"), + }, + { + SrcPaths: getSrcPaths([]string{"/api/v1/write"}), + URLPrefix: mustParseURLs([]string{ + "http://vminsert1/insert/0/prometheus", + "http://vminsert2/insert/0/prometheus", + }), + Headers: []Header{ + { + Name: "foo", + Value: "bar", + }, + { + Name: "xxx", + Value: "y", + }, + }, + }, + }, + }, }) } diff --git a/app/vmauth/example_config.yml b/app/vmauth/example_config.yml index e8b91e231..85e03102d 100644 --- a/app/vmauth/example_config.yml +++ b/app/vmauth/example_config.yml @@ -4,6 +4,7 @@ users: # Requests with the 'Authorization: Bearer XXXX' header are proxied to http://localhost:8428 . # For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query + # Requests with the Basic Auth username=XXXX are proxied to http://localhost:8428 as well. - bearer_token: "XXXX" url_prefix: "http://localhost:8428"