Commit 7344d28

Updated fwd input plugin for fixing user auth, added 1 missing config option and general cleanup to doc. Fixes #2212.
Signed-off-by: Eric D. Schabell <eric@schabell.org>
1 parent 863ec6d commit 7344d28

1 file changed

+70
-14
lines changed

pipeline/inputs/forward.md

Lines changed: 70 additions & 14 deletions
@@ -8,19 +8,23 @@ The plugin supports the following configuration parameters:
88

99
| Key | Description | Default |
1010
|:--------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|
11-
| `Listen` | Listener network interface. | `0.0.0.0` |
12-
| `Port` | TCP port to listen for incoming connections. | `24224` |
13-
| `Unix_Path` | Specify the path to Unix socket to receive a Forward message. If set, `Listen` and `Port` are ignored. | _none_ |
14-
| `Unix_Perm` | Set the permission of the Unix socket file. If `Unix_Path` isn't set, this parameter is ignored. | _none_ |
15-
| `Buffer_Max_Size` | Specify the maximum buffer memory size used to receive a Forward message. The value must be according to the [Unit Size](../../administration/configuring-fluent-bit.md#unit-sizes) specification. | `6144000` |
16-
| `Buffer_Chunk_Size` | By default the buffer to store the incoming Forward messages, don't allocate the maximum memory allowed, instead it allocate memory when it's required. The rounds of allocations are set by `Buffer_Chunk_Size`. The value must be according to the [Unit Size ](../../administration/configuring-fluent-bit.md#unit-sizes)specification. | `1024000` |
17-
| `Tag_Prefix` | Prefix incoming tag with the defined value. | _none_ |
18-
| `Tag` | Override the tag of the forwarded events with the defined value. | _none_ |
19-
| `Shared_Key` | Shared key for secure forward authentication. | _none_ |
20-
| `Empty_Shared_Key` | Use this option to connect to Fluentd with a zero-length shared key. | `false` |
21-
| `Self_Hostname` | Hostname for secure forward authentication. | _none_ |
22-
| `Security.Users` | Specify the username and password pairs for secure forward authentication. | |
23-
| `Threaded` | Indicates whether to run this input in its own [thread](../../administration/multithreading.md#inputs). | `false` |
11+
| `buffer_chunk_size` | By default the buffer to store the incoming Forward messages, don't allocate the maximum memory allowed, instead it allocate memory when it's required. The rounds of allocations are set by `buffer_chunk_size`. The value must be according to the [Unit Size ](../../administration/configuring-fluent-bit.md#unit-sizes)specification. | `1024000` |
12+
| `buffer_max_size` | Specify the maximum buffer memory size used to receive a Forward message. The value must be according to the [Unit Size](../../administration/configuring-fluent-bit.md#unit-sizes) specification. | `6144000` |
13+
| `empty_shared_key` | Enable secure forward protocol with a zero-length shared key. Use this to enable user authentication without requiring a shared key, or to connect to Fluentd with a zero-length shared key. | `false` |
14+
| `listen` | Listener network interface. | `0.0.0.0` |
15+
| `port` | TCP port to listen for incoming connections. | `24224` |
16+
| `security.users` | Specify the username and password pairs for secure forward authentication. Requires `shared_key` or `empty_shared_key` to be set. | |
17+
| `self_hostname` | Hostname for secure forward authentication. | _none_ |
18+
| `shared_key` | Shared key for secure forward authentication. | _none_ |
19+
| `tag` | Override the tag of the forwarded events with the defined value. | _none_ |
20+
| `tag_prefix` | Prefix incoming tag with the defined value. | _none_ |
21+
| `threaded` | Indicates whether to run this input in its own [thread](../../administration/multithreading.md#inputs). | `false` |
22+
| `unix_path` | Specify the path to Unix socket to receive a Forward message. If set, `listen` and `port` are ignored. | _none_ |
23+
| `unix_perm` | Set the permission of the Unix socket file. If `unix_path` isn't set, this parameter is ignored. | _none_ |
24+
25+
### TLS / SSL
26+
27+
The Forward input plugin supports TLS/SSL. For more details about the properties available and general configuration, refer to [Transport Security](../../administration/transport-security.md).
2428

2529
## Get started
2630
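
Review bot: The `buffer_chunk_size` row (new line 11) was moved and lowercased, but its description still carries the old wording, "don't allocate the maximum memory allowed, instead it allocate memory when it's required", and the link is still written `[Unit Size ](...)specification`, with the space on the wrong side of the bracket. Since the commit is described as general cleanup, both should be fixed here, for example "By default, the buffer that stores incoming Forward messages doesn't allocate the maximum memory allowed; it allocates memory when required." The `security.users` row (new line 16) also leaves the Default cell empty where every other unset option shows `_none_`, and it doesn't state the value format, although the example added later in this commit uses `fluentbit changeme`, a space-separated pair.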

@@ -86,7 +90,13 @@ pipeline:
8690

8791
In Fluent Bit v3 or later, `in_forward` can handle secure forward protocol.
8892

89-
For using user-password authentication, specify `security.users` in at least a one-pair. For using shared key, specify `shared_key` in both of forward output and forward input. `self_hostname` isn't able to specify with the same hostname between fluent servers and clients.
93+
{% hint style="warning" %}
94+
When using `security.users` for user-password authentication, you **must** also configure either `shared_key` or set `empty_shared_key` to `true`. The Forward input plugin will reject a configuration that has `security.users` set without one of these options.
95+
{% endhint %}
96+
97+
For shared key authentication, specify `shared_key` in both forward output and forward input. For user-password authentication, specify `security.users` with at least one user-password pair along with a shared key. To use user authentication without requiring clients to know a shared key, set `empty_shared_key` to `true`.
98+
99+
The `self_hostname` value can't be the same between Fluent Bit servers and clients.
90100

91101
{% tabs %}
92102
{% tab title="fluent-bit-secure-forward.yaml" %}
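
Review bot: At new line 97, "along with a shared key" reads as though a non-empty `shared_key` is always required for user-password authentication, which the next sentence and the warning at line 94 both contradict. Suggest "specify `security.users` with at least one user-password pair, together with either `shared_key` or `empty_shared_key` set to `true`". At line 99, "Fluent Bit servers and clients" is narrower than the removed "fluent servers and clients", while the `empty_shared_key` row in this same commit mentions connecting to Fluentd; wording that covers both peers would be more accurate. The warning would also be more useful if it said how the rejection shows up to the operator, for example whether Fluent Bit fails at startup.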
@@ -130,6 +140,52 @@ pipeline:
130140
{% endtab %}
131141
{% endtabs %}
132142

143+
### User authentication with `empty_shared_key`
144+
145+
To use username and password authentication without requiring clients to know a shared key, set `empty_shared_key` to `true`:
146+
147+
{% tabs %}
148+
{% tab title="fluent-bit-user-auth.yaml" %}
149+
150+
```yaml
151+
pipeline:
152+
inputs:
153+
- name: forward
154+
listen: 0.0.0.0
155+
port: 24224
156+
buffer_chunk_size: 1M
157+
buffer_max_size: 6M
158+
security.users: fluentbit changeme
159+
empty_shared_key: true
160+
self_hostname: flb.server.local
161+
162+
outputs:
163+
- name: stdout
164+
match: '*'
165+
```
166+
167+
{% endtab %}
168+
{% tab title="fluent-bit-user-auth.conf" %}
169+
170+
```text
171+
[INPUT]
172+
Name forward
173+
Listen 0.0.0.0
174+
Port 24224
175+
Buffer_Chunk_Size 1M
176+
Buffer_Max_Size 6M
177+
Security.Users fluentbit changeme
178+
Empty_Shared_Key true
179+
Self_Hostname flb.server.local
180+
181+
[OUTPUT]
182+
Name stdout
183+
Match *
184+
```
185+
186+
{% endtab %}
187+
{% endtabs %}
188+
133189
## Testing
134190

135191
After Fluent Bit is running, you can send some messages using the `fluent-cat` tool, provided by [Fluentd](http://www.fluentd.org):
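
Review bot: Both tabs of the new example (lines 154 to 159 and 173 to 178) combine `listen: 0.0.0.0`, `empty_shared_key: true` and the literal password `changeme`, with no TLS settings and no pointer to the TLS / SSL section this commit adds. Documentation examples tend to be copied as-is, so suggest replacing `changeme` with an unmistakable placeholder, adding a sentence after line 145 stating that with an empty shared key the `security.users` credentials are the only thing a client has to present, and linking to Transport Security from this subsection.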
