CORS requests are failed if Basic Auth is enabled #71
Comments
You are correct, we should allow OPTIONS without basic auth, I will move this to the exporter-toolkit repository. We probably do not want this by default, but as an option in web.yml.
I guess we will also need to understand how Prometheus itself handles OPTIONS requests (without basic auth).
The OPTIONS needed for CORS requests
I created a PR. Honestly I don't see benefits of having this configurable. In theory, that may lead to a problem when someone tested an API endpoint with the OPTIONS covered by basic auth and then they may wonder that someone disabled basic auth and now sensitive data is exposed.
The OPTIONS needed for CORS requests Signed-off-by: Sergey Ponomarev <[email protected]>
It looks like the Prometheus golang API does not check the method. Enabling this would then disable basic auth for metrics endpoints if OPTIONS is used as method. How could we move this forward? What would be an alternative?
The only valid way is to fix the API and check for the API method.
Yes, we should probably fix client_golang promhttp to allow enforcing the HTTP method.
Can we do something to force the HTTP method checking?
Hi again, could you please add the task to some roadmap? Or maybe we should just close it.
There is also another related problem that needs to be fixed in scope of the task. But Prometheus doesn't do that because the I've set the regexp to Another problem is that the Here is a workaround Nginx conf that I made
I enabled CORS headers and basic auth but a browser still can't fetch information from Prometheus.
Before sending a GET request an OPTIONS request is performed first and it doesn't contain the Authorization header.
So Prometheus must allow the OPTIONS request without the Authorization header.
I can do that with some Nginx configuration but I don't want to use it just for this and also I want to keep configuration clear.
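The concern raised in the comments (exempting OPTIONS from basic auth exposes a handler that does not check the method) can be reproduced with a small added example; this is not code from exporter-toolkit or client_golang. The names `guard`, `probe` and `metrics`, the origin `https://dash.example` and the credentials `u`/`p` are hypothetical, constructed for the illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// metrics is a constructed stand-in handler that serves data for any HTTP method.
var metrics = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprint(w, "secret_metric 1\n")
})

func authOK(r *http.Request, user, pass string) bool {
	u, p, ok := r.BasicAuth()
	uOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
	return ok && uOK && subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
}

// guard exempts OPTIONS from basic auth. forward=true passes OPTIONS on to
// next (leaks with a handler like metrics); forward=false answers it here.
func guard(next http.Handler, origin, user, pass string, forward bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		if r.Method == http.MethodOptions && !forward {
			w.Header().Set("Access-Control-Allow-Headers", "Authorization")
			w.WriteHeader(http.StatusNoContent) // preflight ends here, no body
			return
		}
		if r.Method != http.MethodOptions && !authOK(r, user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func probe(h http.Handler, method, user, pass string) (int, string) { // credentials sent only if user != ""
	req := httptest.NewRequest(method, "/metrics", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(probe(guard(metrics, "https://dash.example", "u", "p", false), "OPTIONS", "", "")) }
```

With `forward=true` an unauthenticated OPTIONS request returns the metrics body; with `forward=false` the preflight gets an empty 204 and every other method still requires credentials.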