Support Basic/Bearer Authorization for prometheus metrics query #2961
Conversation
Signed-off-by: trsteel <trsteel@github.com>
|
@trsteel Thanks for your contribution. Would you provide test result in the description? Great thanks. |
I'm not sure what kind of test result should i provide here. |
|
In my mind, query in promethuse server usally does not need authorization. It depends on the configuration of promethuse server. So the authorization conf should be optional. |
If you do not config username/password/bearertoken/bearertokenfile, |
|
Please update relative docs at volcano/docs/design/usage-based-scheduling.md Lines 39 to 69 in 5302995 |
Signed-off-by: trsteel <trsteel@github.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
volcano-sh-bot
added
the
size/M
I pushed a new commit to update |
that's ok. How about another review-comment? |
the first review-comment I already replied. The auth config is aleady optional. If prometheus do not need auth, you just leave auth config empty. I'm not sure if there have any other comment I missed. |
|
Hi, @trsteel , can you see this comment as the following screenshot? I mean if both basic auth and token auth are set, there will be a error, right? Maybe we need to do some check about the conf? And another comment about UT: you use different path to test the promethuse server, but in product env the promthuse server address is configurated at root path. The UT can not cover the code. If the basic auth and token auth are both set, there may will be error, right? 
|
| tConf := &transport.Config{ | ||
| Username: p.conf["username"], | ||
| Password: p.conf["password"], | ||
| BearerToken: p.conf["bearertoken"], |
There was a problem hiding this comment.
- Would you please update the relative help docs?
- How about both basic auth and token auth are set? I find
HTTPWrappersForConfigwill check it and return error. link: https://github.com/kubernetes/client-go/blob/0c7c900fd55e3f77909f123388a3171d56346d7d/transport/round_trippers.go#L48-L49
There was a problem hiding this comment.
- already updated
- yes,we can trust the check in HTTPWrapperForConfig.
There was a problem hiding this comment.
If we don't handle this error, then the node metrics will not take effect. How bout do some check on the conf?
There was a problem hiding this comment.
Here is aleady many checks in HTTPWrappersForConfig, our check will same with it. Add a check function, and returns an error if check failed. I think it change nothing and improve nothing.
// After adding checkSomehing function, we just return another error(different with `HTTPWrappersForConfig`) if auth config wrong.
if err := checkSomehing(p.conf); err != nil {
return nil, err
}
tConf := &transport.Config{
Username: p.conf["username"],
Password: p.conf["password"],
BearerToken: p.conf["bearertoken"],
BearerTokenFile: p.conf["bearertokenfile"],
}
There was a problem hiding this comment.
Add a check function, and returns an error if check failed. I think it change nothing and improve nothing.
How about give a default setting to make it works if both basic auth and token auth are set?
There was a problem hiding this comment.
That's a good ideal. I create a new commit for it. If basic auth is set, token will be clear.
There was a problem hiding this comment.
That's ok. How about the UT? I think UT should test server with root path and let conf with only basic auth, token auth, or both basic auth and token auth are set.
| defer testServer.Close() | ||
| // test basic auth | ||
| conf := map[string]string{"username": basicAuthUser, "password": basicAuthPwd} | ||
| metricsClient, _ := NewPrometheusMetricsClient(testServer.URL+"/basic-auth", conf) |
There was a problem hiding this comment.
You use different path to test the promethuse server, but in product env the promthuse server address is configurated at root path. If the basic auth and token auth are both set, there may will be error, right?
There was a problem hiding this comment.
NewPrometheusMetricsClient will returns an error if auth config wrong. My test focus on checking auth configs appear in http req Header.
|
Hi, @hwdef @wangyang0616 , would you please help to review it? thanks. |
Signed-off-by: trsteel <trsteel@github.com>
Signed-off-by: trsteel <trsteel@github.com>
|
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
stale
bot
added
the
lifecycle/stale
|
/reopen |
|
@hwdef: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
stale
bot
removed
lifecycle/stale
|
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
stale
bot
added
the
lifecycle/stale
|
/ok-to-test |
stale
bot
removed
the
lifecycle/stale
volcano-sh-bot
added
ok-to-test
|
@trsteel: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
For security reasons, Prometheus generally adds some permission verification, such as Basic Authorization, Bearer Authorization. Someone may have encountered similar problems, so I support this feature.