fix(httpd): add option to authenticate prometheus remote read (#18429)

2020-06-24 06:03:19 +08:00 · 2020-06-24 06:03:19 +08:00 · 57ea78e984
parent 78a05d1119
commit 57ea78e984
4 changed files with 20 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,7 @@ v1.8.1 [unreleased]
 ### Bugfixes

 -	[#17638](https://github.com/influxdata/influxdb/pull/17638): Verify precision in write requests.
+-	[#18429](https://github.com/influxdata/influxdb/pull/18429): Add option to authenticate prometheus remote read

 v1.8.0 [unreleased]
 -------------------
--- a/etc/config.sample.toml
+++ b/etc/config.sample.toml
@ -301,6 +301,10 @@
  # endpoints. This setting has no effect if auth-enabled is set to false.
  # ping-auth-enabled = false

+  # Enables authentication on prometheus remote read api. This setting has no
+  # effect if auth-enabled is set to false.
+  # prom-read-auth-enabled = false
+
  # Determines whether HTTPS is enabled.
  # https-enabled = false

--- a/services/httpd/config.go
+++ b/services/httpd/config.go
@ -44,6 +44,7 @@ type Config struct {
 	PprofAuthEnabled        bool           `toml:"pprof-auth-enabled"`
 	DebugPprofEnabled       bool           `toml:"debug-pprof-enabled"`
 	PingAuthEnabled         bool           `toml:"ping-auth-enabled"`
+	PromReadAuthEnabled     bool           `toml:"prom-read-auth-enabled"`
 	HTTPSEnabled            bool           `toml:"https-enabled"`
 	HTTPSCertificate        string         `toml:"https-certificate"`
 	HTTPSPrivateKey         string         `toml:"https-private-key"`
@ -76,6 +77,7 @@ func NewConfig() Config {
 		PprofAuthEnabled:      false,
 		DebugPprofEnabled:     false,
 		PingAuthEnabled:       false,
+		PromReadAuthEnabled:   false,
 		HTTPSEnabled:          false,
 		HTTPSCertificate:      "/etc/ssl/influxdb.pem",
 		MaxRowLimit:           0,
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@ -1169,6 +1169,8 @@ func (h *Handler) servePromWrite(w http.ResponseWriter, r *http.Request, user me
 // servePromRead will convert a Prometheus remote read request into a storage
 // query and returns data in Prometheus remote read protobuf format.
 func (h *Handler) servePromRead(w http.ResponseWriter, r *http.Request, user meta.User) {
+	atomic.AddInt64(&h.stats.PromReadRequests, 1)
+	h.requestTracker.Add(r, user)
 	compressed, err := ioutil.ReadAll(r.Body)
 	if err != nil {
 		h.httpError(w, err.Error(), http.StatusInternalServerError)
@ -1191,6 +1193,17 @@ func (h *Handler) servePromRead(w http.ResponseWriter, r *http.Request, user met
 	db := r.FormValue("db")
 	rp := r.FormValue("rp")

+	if h.Config.AuthEnabled && h.Config.PromReadAuthEnabled {
+		if user == nil {
+			h.httpError(w, fmt.Sprintf("user is required to read from database %q", db), http.StatusForbidden)
+			return
+		}
+		if !user.AuthorizeDatabase(influxql.ReadPrivilege, db) {
+			h.httpError(w, fmt.Sprintf("user %q is not authorized to read from database %q", user.ID(), db), http.StatusForbidden)
+			return
+		}
+	}
+
 	readRequest, err := prometheus.ReadRequestToInfluxStorageRequest(&req, db, rp)
 	if err != nil {
 		h.httpError(w, err.Error(), http.StatusBadRequest)