HTTP basic auth

[nanowish]

Hi ,

in reference to #100 and #160

why removing basic auth from exporters ? whereas exporters binding in port and exposes they metrics, a minimal auth or any controlled access method to metrics its needed. At least basic auth must be in all exporters to easily control metrics access. I can"t imagine installing nginx or other proxy in all servers who only needs node_exporter, seems totally overkill. Or am I missing something?

[SuperQ]

Using basic auth would necessitate SSL setup to provide any sane safety. We don't have the bandwidth to support SSL in all exporters at this time.

This is something I would like to see change, but it is not something the community can agree on right now.

"Most" Prometheus setups are not exposed to the Internet, and there should be no user PII exposed by the node_expoerter.

[wanrui]

mark

[discordianfish]

TLS support is being revisited btw, see #1198

[PRIHLOP]

Now TLS is supported, please revert back basic auth.

[discordianfish]

@SuperQ Thoughts? I'm conflicted. I'd rather require client certs than using basic auth these days I think.

[SuperQ]

We agreed in the same dev summit about TLS that basic auth and/or bearer tokens was something we were OK with. I'm not personally invested in implementing it, but we should open a new basic auth design issue.

My idea for how to implement this involved being able to support Apache-style htpasswd files with some kind of ability to reload or watch them. I'd like to get the "how to inject the secrets" figured out.

[brian-brazil]

We didn't say we'd support bearer tokens, only TLS and basic auth.

[discordianfish]

@SuperQ Well I would have re-open this one but if you prefer a new one, please open one.

[m-yosefpor]

@discordianfish I couldn't find the new issue about basic auth, nor this issue is re-opened. If there is an open issue about the basic auth implementation, please mention that here.

[obitech]

The new tls_config allows to set basic client auth:

tlsConfig :
  # Certificate and key files for server to use to authenticate to client
  tlsCertPath : <filename>
  tlsKeyPath : <filename>

  # Server policy for client authentication. Maps to ClientAuth Policies
  # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
  [ clientAuth : <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server
  [ clientCAs : <filename> ]

[m-yosefpor]

The new tls_config allows to set basic client auth:

tlsConfig :
  # Certificate and key files for server to use to authenticate to client
  tlsCertPath : <filename>
  tlsKeyPath : <filename>

  # Server policy for client authentication. Maps to ClientAuth Policies
  # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
  [ clientAuth : <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server
  [ clientCAs : <filename> ]

Actually, I meant a user/pass authentication method (for simpler usage), but thanks anyway, I used self-signed client cert for auth.

[copocaneta]

There is this "basic_auth_users" at the HTTPS package README (https://github.com/prometheus/node_exporter/blob/master/https/README.md)

Where and how do I supply these credentials on the prometheus server side when adding a node exporter that uses basic_auth_users?

[m-yosefpor]

Cool so it is fixed with #1683
@copocaneta You can find that in prometheus docs https://prometheus.io/docs/prometheus/latest/configuration/configuration/

[copocaneta]

Thank you very much @m-yosefpor