Enable authentication for the HTTP interface.

[royjacobson]

CC @Pothulapati @ashotland for awareness.

[ashotland]

Hi @royjacobson, what should we watch for?

Does http on admin approt require no auth? (we hit it for metrics)

[royjacobson]

Hi @royjacobson, what should we watch for?

Does http on admin approt require no auth? (we hit it for metrics)

If the admin interface is configured without password and the HTTP interface is not exposed on the main port (--noprimary_port_http_enabled) then there's no change.

[romange]

@royjacobson can you please provide an example on how to fetch metrics with password using curl/wget?

[s5unty]

In versions after 1.9, under the default configuration, the /metrics endpoint requires basic authentication for access.
Due to the limitations of Prometheus's scrape_config, each job can only specify a single basic authentication setting.
To collect from different authenticated /metrics endpoints within a single job, you can set these three configurations.

--primary_port_http_enabled=false
--admin_nopass=true
--admin_port=16579

This way, the /metrics endpoint will be provided on the port 16579 and will not require basic authentication.

---

update (v1.11.0):

Lots of ACL/Auth fixes. Specifically (IMPORTANT):
we changed the default http user to be "default" instead of "user" to be consistent with Dragonfly ACL rules.
We also removed the requirement for authenticated access to /metrics http page even if ACL are enabled.

[romange]

@royjacobson I prefer cancelling http authentication and rethink it properly as a separate task. Too many things are colliding around it.

[romange]

@s5unty can you explain in more detail why setting basic_auth in scrape_config does not work for you?
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config

[s5unty]

@s5unty can you explain in more detail why setting basic_auth in scrape_config does not work for you? https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config

To scrape the /metrics endpoints of two instances while keeping the job_name uniform,

• case1: found multiple scrape configs with job name "my-job"

  - job_name: 'my-job'
    metrics_path: /metrics
    static_configs:
      - targets: [ 10.1.1.1:6479 ]
    basic_auth: { username: "user", password: "pw6479" }
  
  - job_name: 'my-job'
    metrics_path: /metrics
    static_configs:
      - targets: [ 10.1.1.1:6579 ]
    basic_auth: { username: "user", password: "pw6579" }
  

• case2: static_configs does not support basic_auth

  - job_name: 'my-job'
    metrics_path: /metrics
    static_configs:
      - targets: [ 10.1.1.1:6479 ]
        basic_auth: { username: "user", password: "pw6479" }
  
      - targets: [ 10.1.1.1:6579 ]
        basic_auth: { username: "user", password: "pw6579" }