How do I secure pyctuator endpoints with basic auth (FastAPI)? #67
Comments
|
Your reference is for the java spring-boot-admin-client. |
Oh, I think there was a missunderstanding. I do not want to authenticate against a protected Spring Boot Admin Instance. Instead I want to secure the Endpoints of the App itself. Custom health providers could leak sensitive information, so I want some kind of BasicAuth-Mechanism for every route under |
|
Hi @thurse93, In the case of protecting the However, after you figure out how to protect your web app using FastAPI, it would be great if you could share an example here or even submit a pull-request with the example added to the Thanks |
|
Hey @michaelyaakoby , 100% agree with that. But atm securing the FastAPI endpoints normally happens on a per-endpoint / per-router basis, see: https://fastapi.tiangolo.com/advanced/security/http-basic-auth/ Since the Routing definition is taking place in pyctuator, the should be some kind of API to add at least the most basic kind of authentication. More importantly, again referring to the spring boot admin docs: https://codecentric.github.io/spring-boot-admin/current/#_securing_client_actuator_endpoints |
|
Oh, now I see the issue - reopening and lets try to find a way to configure FastAPI security using a "path" and not a specific function. |
|
Might be possible to inject the auth dependency to the router, see https://fastapi.tiangolo.com/tutorial/bigger-applications/#include-an-apirouter. |
|
I made a proof of concept, just for FastAPI: thurse93@146d2ba (Since I changed the signature of your core classes, updated FastAPI and did not adjust the tests its far from a PR) Minimal working example would be as follows (assuming SBA runs on import uvicorn
from fastapi import FastAPI
from pyctuator.auth import BasicAuth
from pyctuator.pyctuator import Pyctuator
app = FastAPI()
pyctuator = Pyctuator(
app,
app.title,
"http://localhost:8080",
"http://localhost:8080/pyctuator",
"http://localhost:8090/instances",
pyctuator_endpoint_auth=BasicAuth(username="foo", password="bar")
)
if __name__ == "__main__":
uvicorn.run(app, host="127.0.0.1", port=8080)SBA gets the credentials via the registration metadata (fields are I think its quite straightforward to do. Unfortunately I dont know much about the other web frameworks you're using so I can't provide much help there. |
|
Thanks @thurse93, its a good start. I see you were using the approach of including the credentials in the registration request as described here. Somehow it feels wrong that Pyctuator would be responsible for securing its own routes - I think its better if we can find a way to do this from outside Pyctuator and only have Pyctuator include the credentials in the metadata of the registration. I'm trying to see if its possible with FastAPI to secure a path instead of using the dependency parameter - if we figure this out, than all you need to do is to add the credentials to the metadata which is already supported. Anyways, yours is a good direction - i'll be digging too, and please do write if you find a way of enabling authentication "from outside". |
|
@michaelyaakoby Alright, I'll get your point. Unfortunately I didn't find a clean way to do this. One option of course would be to add a middleware for the whole application which seems kind of overkill. Another one may be to crawl the I think the problem with FastAPI is that it was designed as a very easy way of providing well-documented Restful APIs for various backends. So it makes a lot of assumptions how APIs should be built. Everything source I found expects you to define your security mechanisms at the endpoint or routing level. |
|
Was a busy week, starting to dig now, will update. |
The customizer allows for web-framework specific customiztion. For example, it can be used to add authentication to pyctuator running with FastAPI. See #67
The customizer allows for web-framework specific customiztion. For example, it can be used to add authentication to pyctuator running with FastAPI. See #67
The customizer allows for web-framework specific customiztion. For example, it can be used to add authentication to pyctuator running with FastAPI. See #67
|
I've tidied up and completed the example in #70. |
|
@michaelyaakoby That looks great! Sorry for the late reply, I was on vacation. Thank you very much for the realization :) |
The customizer allows for web-framework specific customiztion. For example, it can be used to add authentication to pyctuator running with FastAPI. See #67
|
Done. 0.17.0 |
In the API of the Pyctuator object I did not find a way to secure the provided endpoints with BasicAuth. What would be the most straightforward way of doing this using FastAPI?
Also, how can i communicate the credentials to Spring Boot Admin?
If I understood https://codecentric.github.io/spring-boot-admin/current/#spring-boot-admin-client right, I can use something like:
In the metadata arg of Pyctuator. Is that correct?
The text was updated successfully, but these errors were encountered: