mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-12-01 14:47:38 +00:00
b3598ba2c1
* app/vmauth: adds metric_labels and backend_errors counter it must improve observability for user requests with new metric - per user backend errors counter. it's needed to calculate requests fail rate to the configured backends. metric_labels configuration allows to perform additional aggregations on top of multiple users from configuration section. It could be multiple clients or clients with separate read/write tokens https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5565 * wip --------- Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com>
127 lines
6.5 KiB
YAML
127 lines
6.5 KiB
YAML
# Arbitrary number of usernames may be put here.
|
|
# It is possible to set multiple identical usernames with different passwords.
|
|
# Such usernames can be differentiated by `name` option.
|
|
|
|
users:
|
|
# Requests with the 'Authorization: Bearer XXXX' and 'Authorization: Token XXXX'
|
|
# header are proxied to http://localhost:8428 .
|
|
# For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query
|
|
# Requests with the Basic Auth username=XXXX are proxied to http://localhost:8428 as well.
|
|
- bearer_token: "XXXX"
|
|
url_prefix: "http://localhost:8428"
|
|
|
|
# Adds labels to the exported metrics for given user section
|
|
# label name must be prometheus compatible and match regex: `^[a-zA-Z_:.][a-zA-Z0-9_:.]*$`
|
|
metric_labels:
|
|
backend_dc: eu
|
|
access_team: dev
|
|
# Requests with the 'Authorization: Bearer YYY' header are proxied to http://localhost:8428 ,
|
|
# The `X-Scope-OrgID: foobar` http header is added to every proxied request.
|
|
# The `X-Server-Hostname:` http header is removed from the proxied response.
|
|
# For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query
|
|
- bearer_token: "YYY"
|
|
url_prefix: "http://localhost:8428"
|
|
# extra headers to add to the request or remove from the request (if header value is empty)
|
|
headers:
|
|
- "X-Scope-OrgID: foobar"
|
|
# extra headers to add to the response or remove from the response (if header value is empty)
|
|
response_headers:
|
|
- "X-Server-Hostname:" # empty value means the header will be removed from the response
|
|
|
|
# All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
|
|
# are proxied to http://localhost:8428 .
|
|
# For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query
|
|
#
|
|
# The given user can send maximum 10 concurrent requests according to the provided max_concurrent_requests.
|
|
# Excess concurrent requests are rejected with 429 HTTP status code.
|
|
# See also -maxConcurrentPerUserRequests and -maxConcurrentRequests command-line flags.
|
|
- username: "local-single-node"
|
|
password: "***"
|
|
url_prefix: "http://localhost:8428"
|
|
max_concurrent_requests: 10
|
|
|
|
# All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
|
|
# are proxied to http://localhost:8428 with extra_label=team=dev query arg.
|
|
# For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query?extra_label=team=dev
|
|
- username: "local-single-node2"
|
|
password: "***"
|
|
url_prefix: "http://localhost:8428?extra_label=team=dev"
|
|
|
|
# All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
|
|
# are proxied to https://localhost:8428
|
|
# For example, http://vmauth:8427/api/v1/query is proxied to https://localhost/api/v1/query
|
|
# TLS verification is ignored for https://localhost.
|
|
- username: "local-single-node-with-tls"
|
|
password: "***"
|
|
url_prefix: "https://localhost"
|
|
tls_insecure_skip_verify: true
|
|
|
|
# All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
|
|
# are load-balanced among http://vmselect1:8481/select/123/prometheus and http://vmselect2:8481/select/123/prometheus
|
|
# For example, http://vmauth:8427/api/v1/query is proxied to the following urls in a round-robin manner:
|
|
# - http://vmselect1:8481/select/123/prometheus/api/v1/select
|
|
# - http://vmselect2:8481/select/123/prometheus/api/v1/select
|
|
- username: "cluster-select-account-123"
|
|
password: "***"
|
|
url_prefix:
|
|
- "http://vmselect1:8481/select/123/prometheus"
|
|
- "http://vmselect2:8481/select/123/prometheus"
|
|
|
|
# All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
|
|
# are load-balanced between http://vminsert1:8480/insert/42/prometheus and http://vminsert2:8480/insert/42/prometheus
|
|
# For example, http://vmauth:8427/api/v1/write is proxied to the following urls in a round-robin manner:
|
|
# - http://vminsert1:8480/insert/42/prometheus/api/v1/write
|
|
# - http://vminsert2:8480/insert/42/prometheus/api/v1/write
|
|
- username: "cluster-insert-account-42"
|
|
password: "***"
|
|
url_prefix:
|
|
- "http://vminsert1:8480/insert/42/prometheus"
|
|
- "http://vminsert2:8480/insert/42/prometheus"
|
|
|
|
# A single user for querying and inserting data:
|
|
#
|
|
# - Requests to http://vmauth:8427/api/v1/query, http://vmauth:8427/api/v1/query_range
|
|
# and http://vmauth:8427/api/v1/label/<label_name>/values are proxied to the following urls in a round-robin manner:
|
|
# - http://vmselect1:8481/select/42/prometheus
|
|
# - http://vmselect2:8481/select/42/prometheus
|
|
# For example, http://vmauth:8427/api/v1/query is proxied to http://vmselect1:8480/select/42/prometheus/api/v1/query
|
|
# or to http://vmselect2:8480/select/42/prometheus/api/v1/query .
|
|
# Requests are re-tried at other url_prefix backends if response status codes match 500 or 502.
|
|
#
|
|
# - Requests to http://vmauth:8427/api/v1/write are proxied to http://vminsert:8480/insert/42/prometheus/api/v1/write .
|
|
# The "X-Scope-OrgID: abc" http header is added to these requests.
|
|
#
|
|
# Request which do not match `src_paths` from the `url_map` are proxied to the urls from `default_url`
|
|
# in a round-robin manner. The original request path is passed in `request_path` query arg.
|
|
# For example, request to http://vmauth:8427/non/existing/path are proxied:
|
|
# - to http://default1:8888/unsupported_url_handler?request_path=/non/existing/path
|
|
# - or http://default2:8888/unsupported_url_handler?request_path=/non/existing/path
|
|
#
|
|
# Regular expressions are allowed in `src_paths` and `src_hosts` entries.
|
|
- username: "foobar"
|
|
url_map:
|
|
- src_paths:
|
|
- "/api/v1/query"
|
|
- "/api/v1/query_range"
|
|
- "/api/v1/label/[^/]+/values"
|
|
url_prefix:
|
|
- "http://vmselect1:8481/select/42/prometheus"
|
|
- "http://vmselect2:8481/select/42/prometheus"
|
|
retry_status_codes: [500, 502]
|
|
- src_paths: ["/api/v1/write"]
|
|
url_prefix: "http://vminsert:8480/insert/42/prometheus"
|
|
headers:
|
|
- "X-Scope-OrgID: abc"
|
|
default_url:
|
|
- "http://default1:8888/unsupported_url_handler"
|
|
- "http://default2:8888/unsupported_url_handler"
|
|
|
|
# Requests without Authorization header are proxied according to `unauthorized_user` section.
|
|
# Requests are proxied in round-robin fashion between `url_prefix` backends.
|
|
# The deny_partial_response query arg is added to all the proxied requests.
|
|
# The requests are re-tried if url_prefix backends send 500 or 503 response status codes.
|
|
unauthorized_user:
|
|
url_prefix:
|
|
- http://vmselect-az1/?deny_partial_response=1
|
|
- http://vmselect-az2/?deny_partial_response=1
|
|
retry_status_codes: [503, 500]
|