vmauth: add browser authorization request for http requests without… (#5234)
* vmauth: add browser authorization request for http requests without credentials to a route that is not in the `unauthorized_user` section (when `unauthorized_user` is specified). * add link to issue in CHANGELOG * Extend vmauth docs * wip --------- Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com>
This commit is contained in:
parent
4497a08e3d
commit
828ddd4e4f
7 changed files with 34 additions and 1 deletions
|
@ -222,6 +222,8 @@ users:
|
||||||
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
||||||
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
|
#
|
||||||
|
# Regular expressions are allowed in `src_paths` entries.
|
||||||
- username: "foobar"
|
- username: "foobar"
|
||||||
url_map:
|
url_map:
|
||||||
- src_paths:
|
- src_paths:
|
||||||
|
@ -248,6 +250,8 @@ users:
|
||||||
# Requests are routed in round-robin fashion between `url_prefix` backends.
|
# Requests are routed in round-robin fashion between `url_prefix` backends.
|
||||||
# The deny_partial_response query arg is added to all the routed requests.
|
# The deny_partial_response query arg is added to all the routed requests.
|
||||||
# The requests are re-tried if url_prefix backends send 500 or 503 response status codes.
|
# The requests are re-tried if url_prefix backends send 500 or 503 response status codes.
|
||||||
|
# Note that the unauthorized_user section takes precedence when processing a route without credentials,
|
||||||
|
# even if such a route also exists in the users section (see https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5236).
|
||||||
unauthorized_user:
|
unauthorized_user:
|
||||||
url_prefix:
|
url_prefix:
|
||||||
- http://vmselect-az1/?deny_partial_response=1
|
- http://vmselect-az1/?deny_partial_response=1
|
||||||
|
|
|
@ -420,6 +420,18 @@ func parseAuthConfig(data []byte) (*AuthConfig, error) {
|
||||||
}
|
}
|
||||||
ui := ac.UnauthorizedUser
|
ui := ac.UnauthorizedUser
|
||||||
if ui != nil {
|
if ui != nil {
|
||||||
|
if ui.Username != "" {
|
||||||
|
return nil, fmt.Errorf("field username can't be specified for unauthorized_user section")
|
||||||
|
}
|
||||||
|
if ui.Password != "" {
|
||||||
|
return nil, fmt.Errorf("field password can't be specified for unauthorized_user section")
|
||||||
|
}
|
||||||
|
if ui.BearerToken != "" {
|
||||||
|
return nil, fmt.Errorf("field bearer_token can't be specified for unauthorized_user section")
|
||||||
|
}
|
||||||
|
if ui.Name != "" {
|
||||||
|
return nil, fmt.Errorf("field name can't be specified for unauthorized_user section")
|
||||||
|
}
|
||||||
ui.requests = metrics.GetOrCreateCounter(`vmauth_unauthorized_user_requests_total`)
|
ui.requests = metrics.GetOrCreateCounter(`vmauth_unauthorized_user_requests_total`)
|
||||||
ui.requestsDuration = metrics.GetOrCreateSummary(`vmauth_unauthorized_user_request_duration_seconds`)
|
ui.requestsDuration = metrics.GetOrCreateSummary(`vmauth_unauthorized_user_request_duration_seconds`)
|
||||||
ui.concurrencyLimitCh = make(chan struct{}, ui.getMaxConcurrentRequests())
|
ui.concurrencyLimitCh = make(chan struct{}, ui.getMaxConcurrentRequests())
|
||||||
|
|
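Review bot: The four rejections beginning at `if ui.Username != "" {` encode an invariant that the main.go hunk on this page depends on — processRequest recognizes the unauthorized user by `ui.BearerToken == "" && ui.Username == ""` — but nothing in this block says so, and a later field added to UserInfo could silently break that coupling. A comment above the first check, `// unauthorized_user must carry no credentials: processRequest identifies it by empty Username/BearerToken`, would keep the two places in step. Since none of the new messages use format verbs, `errors.New("field username can't be specified for unauthorized_user section")` is the idiomatic call here, with the message text unchanged. parseAuthConfig starts and ends outside the hunk.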
|
@ -82,6 +82,8 @@ users:
|
||||||
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
||||||
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
|
#
|
||||||
|
# Regular expressions are allowed in `src_paths` entries.
|
||||||
- username: "foobar"
|
- username: "foobar"
|
||||||
url_map:
|
url_map:
|
||||||
- src_paths:
|
- src_paths:
|
||||||
|
|
|
@ -20,6 +20,8 @@ users:
|
||||||
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
||||||
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
|
#
|
||||||
|
# Regular expressions are allowed in `src_paths` entries.
|
||||||
- username: "foobar"
|
- username: "foobar"
|
||||||
url_map:
|
url_map:
|
||||||
- src_paths:
|
- src_paths:
|
||||||
|
|
|
@ -158,8 +158,16 @@ func processRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo) {
|
||||||
up, hc, retryStatusCodes := ui.getURLPrefixAndHeaders(u)
|
up, hc, retryStatusCodes := ui.getURLPrefixAndHeaders(u)
|
||||||
isDefault := false
|
isDefault := false
|
||||||
if up == nil {
|
if up == nil {
|
||||||
missingRouteRequests.Inc()
|
|
||||||
if ui.DefaultURL == nil {
|
if ui.DefaultURL == nil {
|
||||||
|
// Authorization should be requested for http requests without credentials
|
||||||
|
// to a route that is not in the configuration for unauthorized user.
|
||||||
|
// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5236
|
||||||
|
if ui.BearerToken == "" && ui.Username == "" && len(*authUsers.Load()) > 0 {
|
||||||
|
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||||
|
http.Error(w, "missing `Authorization` request header", http.StatusUnauthorized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
missingRouteRequests.Inc()
|
||||||
httpserver.Errorf(w, r, "missing route for %q", u.String())
|
httpserver.Errorf(w, r, "missing route for %q", u.String())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
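Review bot: The new 401 branch at `if ui.BearerToken == "" && ui.Username == "" && len(*authUsers.Load()) > 0 {` returns before `missingRouteRequests.Inc()`, and the hunk moves that increment below the check without adding a counter of its own, so credential-less requests to unknown paths no longer appear in any metric an operator could alert on. Either keep `missingRouteRequests.Inc()` ahead of the check if these are still considered missing routes, or add a dedicated counter increment before the `return` so the challenge path stays observable. The `Basic realm="Restricted"` challenge is also sent regardless of how the configured users authenticate; if bearer-token-only configurations are possible (not visible in this hunk), a browser password prompt cannot satisfy them, which deserves a comment next to the header. processRequest starts and ends outside the hunk.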
|
@ -90,6 +90,7 @@ The sandbox cluster installation is running under the constant load generated by
|
||||||
* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): do not print redundant error logs when failed to scrape consul or nomad target. See [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5239).
|
* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): do not print redundant error logs when failed to scrape consul or nomad target. See [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5239).
|
||||||
* BUGFIX: [vmstorage](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): prevent deleted series to be searchable via `/api/v1/series` API if they were re-ingested with staleness markers. This situation could happen if user deletes the series from the target and from VM, and then vmagent sends stale markers for absent series. Thanks to @ilyatrefilov for the [issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5069) and [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5174).
|
* BUGFIX: [vmstorage](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): prevent deleted series to be searchable via `/api/v1/series` API if they were re-ingested with staleness markers. This situation could happen if user deletes the series from the target and from VM, and then vmagent sends stale markers for absent series. Thanks to @ilyatrefilov for the [issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5069) and [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5174).
|
||||||
* BUGFIX: [vmstorage](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): log warning about switching to ReadOnly mode only on state change. Before, vmstorage would log this warning every 1s. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5159) for details.
|
* BUGFIX: [vmstorage](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): log warning about switching to ReadOnly mode only on state change. Before, vmstorage would log this warning every 1s. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5159) for details.
|
||||||
|
* BUGFIX: [vmauth](https://docs.victoriametrics.com/vmauth.html): show browser authorization window for unauthorized requests to unsupported paths if the `unauthorized_user` section is specified. This allows properly authorizing the user. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5236) for details.
|
||||||
* BUGFIX: [vmui](https://docs.victoriametrics.com/#vmui): fix the `Disable cache` toggle at `JSON` and `Table` views. Previously response caching was always enabled and couldn't be disabled at these views.
|
* BUGFIX: [vmui](https://docs.victoriametrics.com/#vmui): fix the `Disable cache` toggle at `JSON` and `Table` views. Previously response caching was always enabled and couldn't be disabled at these views.
|
||||||
|
|
||||||
## [v1.94.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.94.0)
|
## [v1.94.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.94.0)
|
||||||
|
|
|
@ -233,6 +233,8 @@ users:
|
||||||
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
||||||
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
||||||
|
#
|
||||||
|
# Regular expressions are allowed in `src_paths` entries.
|
||||||
- username: "foobar"
|
- username: "foobar"
|
||||||
url_map:
|
url_map:
|
||||||
- src_paths:
|
- src_paths:
|
||||||
|
@ -259,6 +261,8 @@ users:
|
||||||
# Requests are routed in round-robin fashion between `url_prefix` backends.
|
# Requests are routed in round-robin fashion between `url_prefix` backends.
|
||||||
# The deny_partial_response query arg is added to all the routed requests.
|
# The deny_partial_response query arg is added to all the routed requests.
|
||||||
# The requests are re-tried if url_prefix backends send 500 or 503 response status codes.
|
# The requests are re-tried if url_prefix backends send 500 or 503 response status codes.
|
||||||
|
# Note that the unauthorized_user section takes precedence when processing a route without credentials,
|
||||||
|
# even if such a route also exists in the users section (see https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5236).
|
||||||
unauthorized_user:
|
unauthorized_user:
|
||||||
url_prefix:
|
url_prefix:
|
||||||
- http://vmselect-az1/?deny_partial_response=1
|
- http://vmselect-az1/?deny_partial_response=1
|
||||||
|
|