Remove basic auth from /-/healthy #501
Comments
My gut feeling is that this is getting into more complex web routing configuration, which we should not bake into a relatively light-weight binary like the Pushgateway. I would recommend a reverse proxy in front of the Pushgateway to manage that fine-grained access control. However, I don't want to stifle the discussion here. Maybe this is useful for enough people that we should support it directly in the Pushgateway and other binaries in the Prometheus ecosystem. If that's the case, it shouldn't just be implemented in the Pushgateway, but in https://github.com/prometheus/exporter-toolkit so that all the binaries do the same in the same way. Work is already ongoing over there, see prometheus/exporter-toolkit#111 and prometheus/exporter-toolkit#106. Maybe you want to chime in there?
I see your point, but to me the basic auth functionality has no practical use if I can't turn it off for /-/healthy and /-/ready (ALB healthcheck does not support basic auth) and for posting new metrics (Keycloak metrics SPI does not support it either, as far as I understand). Since these are performed within the subnet, it would be really nice if I could whitelist a CIDR that is allowed to bypass basic auth.
Well, in any case, this discussion belongs in https://github.com/prometheus/exporter-toolkit. As said, I suggest chiming in on prometheus/exporter-toolkit#111 and prometheus/exporter-toolkit#106.
Feature request
Use case. Why is this important?
Is there a way to protect only certain URL paths with basic auth?
For example, I would like to make /-/healthy and /-/ready wide open for healthchecks from a load balancer that does not support basic auth (AWS ALB). Right now the ALB has to accept 401 as a valid response even though the URL, after authentication, might return a 404 or anything else.
It would also be good to handle authentication for the metrics PUSH endpoint separately. I'm pushing from a third-party application that I don't have control over/can't change implementation freely, and it does not support basic auth. But I would like authentication on all metric GET requests.
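The reverse-proxy approach recommended in the thread, as an added example (not code from the Pushgateway or exporter-toolkit projects): a small Go proxy that requires basic auth everywhere except health checks and pushes from one subnet. The subnet `10.0.0.0/16`, listen port `:9092`, credentials and function names are assumptions; `/metrics/job/` is the Pushgateway push path prefix and `9091` its default port.

```go
package main

import (
	"crypto/subtle"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

var _, trustedNet, _ = net.ParseCIDR("10.0.0.0/16") // assumed push subnet

// authExempt reports whether a request may skip basic auth.
func authExempt(r *http.Request) bool {
	p := r.URL.Path
	// Health endpoints: exact path match, read-only methods only.
	if (r.Method == http.MethodGet || r.Method == http.MethodHead) && (p == "/-/healthy" || p == "/-/ready") {
		return true
	}
	// Pushes: only the push prefix, no ".." that could escape it upstream.
	if (r.Method != http.MethodPost && r.Method != http.MethodPut) ||
		!strings.HasPrefix(p, "/metrics/job/") || strings.Contains(p, "..") {
		return false
	}
	// Trust the TCP peer address, never X-Forwarded-For, which a client can set.
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	ip := net.ParseIP(host)
	return err == nil && ip != nil && trustedNet.Contains(ip)
}

// guard enforces basic auth on every request that is not exempt.
func guard(next http.Handler, user, pass string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		authed := ok && subtle.ConstantTimeCompare([]byte(u), []byte(user))&
			subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
		if !authed && !authExempt(r) {
			w.Header().Set("WWW-Authenticate", `Basic realm="pushgateway"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:9091") // Pushgateway on loopback (assumed)
	http.ListenAndServe(":9092", guard(httputil.NewSingleHostReverseProxy(upstream), "scraper", "change-me"))
}
```

If this proxy itself sits behind a load balancer, `RemoteAddr` is the balancer's address, so the CIDR exemption then only makes sense on a listener that push clients reach directly.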