vmauth: support other auth header names besides Authorization (#6009)

Andrii Chubatiuk 2024-03-26 14:21:07 +02:00 committed by Aliaksandr Valialkin
parent 914b23f1e8
commit 9c92cc2759
No known key found for this signature in database
GPG key ID: 52C003EE2BCDB9EB
3 changed files with 15 additions and 8 deletions


@ -911,15 +911,18 @@ func getHTTPAuthBasicToken(username, password string) string {
func getAuthTokensFromRequest(r *http.Request) []string {
var ats []string
// Obtain possible auth tokens from Authorization header
if ah := r.Header.Get("Authorization"); ah != "" {
if strings.HasPrefix(ah, "Token ") {
// Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
// See https://docs.influxdata.com/influxdb/v2.0/api/
ah = strings.Replace(ah, "Token", "Bearer", 1)
// Obtain possible auth tokens from one of allowed auth headers
for _, headerName := range authHeaders {
if ah := r.Header.Get(headerName); ah != "" {
if strings.HasPrefix(ah, "Token ") {
// Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
// See https://docs.influxdata.com/influxdb/v2.0/api/
ah = strings.Replace(ah, "Token", "Bearer", 1)
}
at := "http_auth:" + ah
ats = append(ats, at)
break
}
at := "http_auth:" + ah
ats = append(ats, at)
}
return ats
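Review bot: The `break` inside the new `for _, headerName := range authHeaders` loop makes the first non-empty header win, and because `authHeaders` starts with `Authorization`, a request carrying any `Authorization` value (for example one meant for the backend) never has its `-extraAuthHeader` value examined. Nothing in the hunk states that precedence, so an authentication failure in that case will be hard to diagnose. Either document it above the loop, e.g. `// Only the first non-empty header in authHeaders order is used; Authorization always takes precedence.`, or drop the `break` so every configured header contributes a candidate token to `ats`. The choice should be explicit, since it changes which credentials a request can authenticate with. `getAuthTokensFromRequest` ends outside the hunk.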


@ -56,6 +56,8 @@ var (
"See https://docs.victoriametrics.com/vmauth.html#backend-tls-setup")
backendTLSCAFile = flag.String("backend.TLSCAFile", "", "Optional path to TLS root CA file, which is used for TLS verification when connecting to backends over HTTPS. "+
"See https://docs.victoriametrics.com/vmauth.html#backend-tls-setup")
extraAuthHeaders = flagutil.NewArrayString("extraAuthHeader", "extra to Authorization auth header names")
authHeaders = []string{"Authorization"}
)
func main() {
@ -70,6 +72,7 @@ func main() {
if len(listenAddrs) == 0 {
listenAddrs = []string{":8427"}
}
authHeaders = append(authHeaders, (*extraAuthHeaders)...)
logger.Infof("starting vmauth at %q...", listenAddrs)
startTime := time.Now()
initAuthConfig()
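Review bot: The names from `-extraAuthHeader` are appended to `authHeaders` unchecked in `main()`, so empty strings or a second spelling of `Authorization` end up in the lookup list; skipping empty entries before the append would keep the list meaningful. The flag's help text, `"extra to Authorization auth header names"`, also does not tell operators that the values of these headers are treated as credentials. I would reword it to something like `"Optional additional request header names to read auth tokens from; Authorization is always checked first"`. The docs should also mention that a header normally set by a trusted front proxy must be stripped from client requests before it reaches vmauth. `main()` continues outside the hunk.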


@ -245,6 +245,7 @@ See [load-balancing docs](#load-balancing) for more details.
* `-tls` enables accepting TLS connections at `-httpListenAddr`
* `-tlsKeyFile` sets the path to TLS certificate key file
* `-tlsCertFile` sets the path to TLS certificate file
* `-extraAuthHeader` sets alternative headers for auth
### Basic Auth proxy