Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mimir-continuous-test tool: Add basic authentication support #2717

Merged
merged 1 commit into from
Aug 16, 2022
Merged

mimir-continuous-test tool: Add basic authentication support #2717

merged 1 commit into from
Aug 16, 2022

Conversation

wilfriedroset
Copy link
Collaborator

@wilfriedroset wilfriedroset commented Aug 14, 2022
edited

What this PR does

Added basic authentication support to mimir-continuous-testing for when Mimir is behind a gateway authenticating the calls.

Which issue(s) this PR fixes or relates to

Fixes #2105

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

56quarters
56quarters approved these changes Aug 15, 2022
View reviewed changes
Copy link
Contributor

@56quarters 56quarters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just one change. Thanks!

pkg/continuoustest/client.go Outdated Show resolved Hide resolved
@wilfriedroset
mimir-continuous-test tool: Add basic authentication and bearer token…
642ec76 
… support

Signed-off-by: Wilfried Roset <wilfriedroset@users.noreply.github.com>
@wilfriedroset
Copy link
Collaborator Author

I've also added the support for bearer token to fully address #2105

@56quarters 56quarters merged commit 4a12de2 into grafana:main Aug 16, 2022
@56quarters
Copy link
Contributor

Thanks!

@jcquiles
Copy link

@wilfriedroset I have a question! How does reverse proxy work when authenticating with a bearer token, does this mean mimir doesn't do the auth but the proxy does instead? I've seen the configs in the docs, but havent been able to find an explanation on how it actually works. Thank you!

@wilfriedroset
Copy link
Collaborator Author

Mimir does not handle authentication by itself. This part is delegated to an eventual proxy placed before Mimir.
Mimir trust the http header X-Scope-OrgID, as such the proxy is responsible for authenticating the user as it sees fit and then forward the request to mimir with the correct value.

It can be as simple as a basic auth in nginx something like:

location /api/v1/push {
  auth_basic           "prometheus remote write";
  auth_basic_user_file /etc/nginx/htpasswd.write;
  proxy_pass            https://distributor$request_uri;
  proxy_set_header      X-Scope-OrgID $x_scope_orgid;
}

Where x_scope_orgid is define as a map in nginx configuration

map $remote_user $x_scope_orgid {
    foo bar;
}

@jcquiles
Copy link

Thanks @wilfriedroset for the explanation! How about when it comes to externalLabels does it preserve all labels or only certain ones such as cluster & namespace? Afaik, it only accepts specific labels.

@wilfriedroset
Copy link
Collaborator Author

The proxy (at least for nginx) does not do anything about the external labels. They are used by mimir during the deduplication process. You can find out more in the documentation: https://grafana.com/docs/mimir/latest/operators-guide/configure/configuring-high-availability-deduplication/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@56quarters 56quarters 56quarters approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[mimir-continuous-test]: Support authentication
3 participants
@wilfriedroset @56quarters @jcquiles