prometheus / pushgateway

Push acceptor for ephemeral and batch jobs.

Remove basic auth from /-/healthy

twiden opened this issue

Feature request

Use case. Why is this important?
Is there a way to protect only certain URL paths with basic auth?

For example, I would like to make /-/healthy and /-/ready wide open for healthchecks from a load balancer that does not support basic auth (AWS ALB). Right now the ALB has to accept 401 as a valid response even though the URL, after authentication, might return a 404 or anything else.

It would also be good to handle authentication for the metrics PUSH endpoint separately. I'm pushing from a third-party application that I don't have control over/can't change implementation freely and it does not support basic auth. But I would like authentication on all metric GET requests.

My gut feeling is that this is getting into more complex web routing configuration, which we should not bake into a relatively lightweight binary like the Pushgateway. I would recommend a reverse proxy in front of the Pushgateway to manage that fine-grained access control.

However, I don't want to stifle the discussion here. Maybe this is useful for enough people that we should support it directly in the Pushgateway and other binaries in the Prometheus ecosystem. If that's the case, it shouldn't just be implemented in the Pushgateway, but in https://github.com/prometheus/exporter-toolkit so that all the binaries do the same in the same way.

Work is already ongoing over there, see prometheus/exporter-toolkit#111 and prometheus/exporter-toolkit#106. Maybe you want to chime in there?

I see your point, but to me the basic auth functionality has no practical use if I can't turn it off for /-/healthy and /-/ready (ALB healthcheck does not support basic auth) and for posting new metrics (Keycloak metrics SPI does not support it either, as far as I understand). Since these are performed within the subnet, it would be really nice if I could whitelist a CIDR that is allowed to bypass basic auth.

Well, in any case, this discussion belongs in https://github.com/prometheus/exporter-toolkit. As said, I suggest chiming in on prometheus/exporter-toolkit#111 and prometheus/exporter-toolkit#106.
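
The reverse-proxy approach recommended in this thread, as an added example in Go (not code from the Pushgateway or exporter-toolkit): basic auth stays on for everything except the two health probes and pushes from an allowed subnet. The names `guard` and `openPaths`, the listen and upstream addresses, the credentials and the CIDR are assumptions chosen for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Probe paths named in the issue; matched exactly, GET/HEAD only.
var openPaths = map[string]bool{"/-/healthy": true, "/-/ready": true}

// guard enforces basic auth on everything except health probes and pushes
// to /metrics/job/ from pushNet (judged by TCP peer, never X-Forwarded-For).
func guard(next http.Handler, user, pass string, pushNet *net.IPNet) http.Handler {
	wantU, wantP := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		read := r.Method == http.MethodGet || r.Method == http.MethodHead
		push := r.Method == http.MethodPost || r.Method == http.MethodPut
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host) // nil when RemoteAddr is malformed
		// Only the push path is exempt, so other write endpoints keep auth.
		inNet := ip != nil && pushNet.Contains(ip) && strings.HasPrefix(r.URL.Path, "/metrics/job/")
		if (read && openPaths[r.URL.Path]) || (push && inNet) {
			next.ServeHTTP(w, r)
			return
		}
		u, p, ok := r.BasicAuth()
		gotU, gotP := sha256.Sum256([]byte(u)), sha256.Sum256([]byte(p))
		// Hashing first gives the constant-time compare equal-length inputs.
		match := subtle.ConstantTimeCompare(gotU[:], wantU[:]) & subtle.ConstantTimeCompare(gotP[:], wantP[:])
		if !ok || match != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="pushgateway"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:9091") // assumed Pushgateway address
	_, subnet, _ := net.ParseCIDR("10.0.0.0/16")      // assumed pusher subnet
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8080", guard(proxy, "scraper", "change-me", subnet)))
}
```

If this proxy itself sits behind a load balancer, the TCP peer is the balancer, so the subnet exemption then covers every push the balancer forwards.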