Add basic authentication

[roidelapluie]

WIP - To gather initial feedback.

Fully working.

Signed-off-by: Julien Pivotto roidelapluie@inuits.eu

[SuperQ]

Thanks for working on this.

What do you think about putting the user list into the same file as a first iteration. This would simplify the standard use case of config management deployed exporters having to manage multiple files.

tls_config:
  ...
users:
  alice: "$2y$BCRYPTHASH"

[roidelapluie]

ready for review.

In particular: do we want to use bcrypt here?

Pros:

• Avoid / Limit bruteforce because it is slow
• not cleartext password in file
  Cons:
• slows down every request

[brian-brazil]

Bcrypt is the current best practice, I'd be very wary of using anything else.

You can adjust how long it takes by changing the number of rounds. How long are we actually talking here?

[SuperQ]

Minor nits.

Can you add an entry to the top level CHANGELOG?

* [FEATURE] Add basic authentication #1673

[roidelapluie]

Yes, I'll also add WWW-Authenticate header

[roidelapluie]

Bcrypt is the current best practice, I'd be very wary of using anything else.

You can adjust how long it takes by changing the number of rounds. How long are we actually talking here?

70ms for 'test1234' with 10 rounds.

[brian-brazil]

70ms isn't too bad overall, maybe just mention it in the docs as a note? It's up to the user how many rounds to use when generating the hash.

[SuperQ]

I agree, we should support bcrypt to start. Apache 2.4 htpasswd still defaults to 5 rounds, which is pretty small.

It seems like basic auth is getting hashed on every scrape. Is there a way to cache this?

Setting bcrypt cost to 16 causes each scrape to take 3.9s.

We should document this in the README.

[roidelapluie]

Added README

Added ability to use basic auth without TLS

Added empty web config file support

Use Strict Unmarshal ( fix #1691 )

[roidelapluie]

I have pushed further commits.

[roidelapluie]

I have squashed, rebased add added CHANGELOG entry.

[roidelapluie]

Another change I made is to allow to use empty usernames / passwords:

basic_auth_users:
  "": "$2y$10$qvD2EZmkSwB0qh004ylOBOQA15KGjqknWM.rxKTAr.7FOxWWyYr/q"

curl -u : http://127.0.0.1:9100
<html>
                        <head><title>Node Exporter</title></head>
                        <body>
                        <h1>Node Exporter</h1>
                        <p><a href="/metrics">Metrics</a></p>
                        </body>
                        </html>

[brian-brazil]

👍

We might also want a test for an empty username/password.

[roidelapluie]

Done.

We do not threat empty username/password differently than anything else. We can add a test later ; but it does not sound like a strong requirement for now.

[SuperQ]

LGTM