[Feature request] HTTP Basic auth from file #3639

Closed
bbzg opened this Issue Dec 30, 2017 · 9 comments


bbzg commented Dec 30, 2017

Hi,

First of all: thank you for your great work with the Prometheus ecosystem. Very well done.

After struggling for a couple of hours I realized ("read the code") that bearer_token_file prepends Bearer to the Authorization header.

What I want to do is to provide basic auth through a Kubernetes secret. The problem is that the only way to provide basic auth in Prometheus (that I can find?) is to write it verbatim in the config file, which I don't want to do. (And it does not seem like Prometheus supports supplying those credentials as run-time parameters / environment variables.)

When I think about it, the Prometheus configuration variables should have been named authorization_header and authorization_header_file? That way one could have put anything in there: Basic, Bearer... whatever floats one's boat. Or even more generic, just header and the user could use any form of auth, even Cookies...

That is not the case though, and I realize changing it would break compatibility so it would be nice if Prometheus could supply at least a basic_auth_file where one could supply a Base64(username:password) string to be used in util/config/config.go.

Thank you for considering my use-case.

Best Regards

Member

brian-brazil commented Dec 30, 2017

At present all secrets bar the bearer token must come from the configuration file; it is expected that you'll get your configuration management system to write them out while writing the rest of the file.

Author

bbzg commented Dec 31, 2017

Hi,

Thank you for answering so quickly!

Our configuration management system (helm) runs on a Jenkins machine, which does not have access to any secrets (except the permission to publish Images) - which I imagine is a common set-up - this is by design since a lot of people have access to Jenkins.

The actual runtime environment does not matter much, but I also imagine that it is a common practice to only have secrets distributed with the minimum amount of access, and in this case only a few people may read or write secrets in our Kubernetes cluster.

Will you accept pull requests for the proposed change, or is this a matter of philosophy for Prometheus? If you accept pull requests, I might work on it.

Again, thank you!

Member

brian-brazil commented Dec 31, 2017

The suggested way to handle this is to have the secrets interpolated into the config before you start Prometheus; for example, you could do it with sed in simple cases.

Configuration management doesn't end at Helm, it goes all the way down to starting the binary. So this could include for example running a few commands before starting Prometheus.

Adding arbitrary headers is unlikely to be accepted (makes debugging too hard), nor are custom auth schemes (too niche, we recommend using a proxy for the rare time this comes up).
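
The pre-start interpolation suggested in the comment above, as an added example that is not part of the original thread and not Prometheus code. It handles what a bare `sed` substitution gets wrong when the password contains `&`, `\`, `|` or `'`, and creates the rendered file owner-only. The placeholder token, function names and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not Prometheus code. The placeholder token, the function
# names and all paths are hypothetical.
PLACEHOLDER='__BASIC_AUTH_PASSWORD__'
NL='
'

# render_config TEMPLATE SECRET_FILE OUTPUT
render_config() {
    template=$1; secret_file=$2; output=$3
    [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 1; }
    # A template without the placeholder would render "successfully" and
    # leave the scrape job without the intended credential, so fail loudly.
    grep -qF -- "$PLACEHOLDER" "$template" ||
        { echo "placeholder not found in $template" >&2; return 1; }
    # Command substitution drops the trailing newline most secret files carry.
    secret=$(cat "$secret_file")
    case $secret in
        *"$NL"*) echo "multi-line secret not supported" >&2; return 1 ;;
    esac
    # YAML single-quoted scalar: the only escape is doubling the quote.
    yaml=$(printf '%s' "$secret" | sed "s/'/''/g")
    # Escape what sed treats specially in a replacement: \ & and the | delimiter.
    repl=$(printf '%s' "$yaml" | sed 's/[\\&|]/\\&/g')
    # Create the output owner-only (0600) before the secret is written to it.
    rm -f -- "$output"
    ( umask 077 && sed "s|$PLACEHOLDER|'$repl'|" "$template" > "$output" )
}

# demo: render a constructed template with a constructed secret, print result.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/prometheus.yml.tmpl" <<EOF
scrape_configs:
  - job_name: example
    basic_auth:
      username: scraper
      password: $PLACEHOLDER
EOF
    printf '%s\n' "a&b|c\\d'e" > "$dir/secret"
    render_config "$dir/prometheus.yml.tmpl" "$dir/secret" "$dir/prometheus.yml" &&
        cat "$dir/prometheus.yml"
    rc=$?; rm -rf -- "$dir"; return $rc
}
```

Run `render_config` from the container entrypoint or an init step, with the secret mounted as a file, and start Prometheus against the rendered output rather than the template.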

Author

bbzg commented Dec 31, 2017

I understand your point, but I am specifically asking about basic_auth_file only at this point.

I understand your wanting to keep the code base neat and simple, but since you have allowed bearer_token_file would it not make sense to have basic_auth_file, too?

Thanks!

Member

brian-brazil commented Dec 31, 2017

That's something that would require broader discussion. If we were to have it, it'd be password_file.

bbzg closed this Dec 31, 2017


juliantaylor commented Feb 27, 2018

I would second the request for providing basic auth credentials via a file.
Having them in the monolithic configuration files makes it unnecessarily difficult to configure Prometheus with a configmap.
It would also make the configuration of the two authentication methods symmetric.


t3h2mas commented Jun 13, 2018

Thirded. Should a ticket be opened to ask for the password_file feature?

Member

brian-brazil commented Jun 13, 2018

This was added in 2.3.0.


lock bot commented Mar 22, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked and limited conversation to collaborators Mar 22, 2019
