Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removing auth from /ping route #5316

Merged
merged 1 commit into from
Jan 25, 2019
Merged

Removing auth from /ping route #5316

merged 1 commit into from
Jan 25, 2019

Conversation

JeffAshton
Copy link
Contributor

Adding ability to disable authentication on ping route. Load balancers like AWS's ALBs don't support basic auth.

Required for all PRs:

  • [ X] Signed CLA.
  • [ X] Associated README.md updated.
  • [ X] Has appropriate unit tests.

@danielnelson
Copy link
Contributor

It's the healthcheck that doesn't support authentication?

@JeffAshton
Copy link
Contributor Author

That's correct. Here's the docs,,

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html

'm currently matching on the 401 response, but this shows up as auth failures in the internal stats, and I want to monitor this separately.

@JeffAshton JeffAshton force-pushed the http_listener_optional_ping_auth branch from 7b819b8 to 320c994 Compare January 21, 2019 16:19
@danielnelson
Copy link
Contributor

How would you feel about using a separate http_listener_v2 as the ping endpoint? This way we don't need to add a new option that InfluxDB itself doesn't have.

[[inputs.http_listener_v2]]
  service_address = ":8681"
  path = "/ping"

@JeffAshton
Copy link
Contributor Author

JeffAshton commented Jan 23, 2019
edited
Loading

So from my testing, influx doesn't actually do auth on the ping route:

influx-db:
    image: "influxdb:1.7.3-alpine"
    environment:
      INFLUXDB_HTTP_AUTH_ENABLED: 'true'
      INFLUXDB_ADMIN_USER: 'admin'
      INFLUXDB_ADMIN_PASSWORD: 'password'
    ports:
      - "18086:8086"
    restart: always

curl -Is http://localhost:18086/ping
HTTP/1.1 204 No Content
Content-Type: application/json
Request-Id: 1a3f533a-1f2d-11e9-8005-0242ac110005
X-Influxdb-Build: OSS
X-Influxdb-Version: 1.7.3
X-Request-Id: 1a3f533a-1f2d-11e9-8005-0242ac110005
Date: Wed, 23 Jan 2019 16:36:58 GMT

I've actually found a lot of the diagnostic routes to not require authentication.

/debug/requests
/debug/vars
/metrics

Ping doesn't bother me, but all of those list above do.

@danielnelson
Copy link
Contributor

Let's just remove the auth from the /ping endpoint, without any option. The goal for this plugin is to act as much like InfluxDB as possible and anytime we can avoid additional options I'm in favor.

Add to that list /debug/pprof, which can at least be disabled in the config. I found this issue influxdata/influxdb#5305 which mentions /debug/vars, but not these other endpoints.

@JeffAshton
Copy link
Contributor Author

Sounds good. Will update the PR tomorrow.

@JeffAshton JeffAshton force-pushed the http_listener_optional_ping_auth branch from 320c994 to 0f38767 Compare January 25, 2019 15:34
@JeffAshton JeffAshton changed the title Making the /ping route authentication optional Removing auth from /ping route Jan 25, 2019
JeffAshton
JeffAshton commented Jan 25, 2019
View reviewed changes
plugins/inputs/influxdb_listener/http_listener.go
h.AuthenticateIfSet(func(res http.ResponseWriter, req *http.Request) {
res.WriteHeader(http.StatusNoContent)
}, res, req)
res.WriteHeader(http.StatusNoContent)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Covered by existing test case:

telegraf/plugins/inputs/influxdb_listener/http_listener_test.go

Line 413 in 0f38767

func TestQueryAndPingHTTP(t *testing.T) {

@danielnelson danielnelson added this to the 1.10.0 milestone Jan 25, 2019
@danielnelson danielnelson merged commit 4ca0a04 into influxdata:master Jan 25, 2019
trevorwhitney pushed a commit to trevorwhitney/telegraf that referenced this pull request Feb 14, 2019
@JeffAshton
Removing authentication from the /ping route to match influxdb (influ…
7a49111 
…xdata#5316)
otherpirate pushed a commit to otherpirate/telegraf that referenced this pull request Mar 15, 2019
@JeffAshton @otherpirate
Removing authentication from the /ping route to match influxdb (influ…
7835705 
…xdata#5316)
otherpirate pushed a commit to otherpirate/telegraf that referenced this pull request Mar 15, 2019
@JeffAshton @otherpirate
Removing authentication from the /ping route to match influxdb (influ…
4525984 
…xdata#5316)
dupondje pushed a commit to dupondje/telegraf that referenced this pull request Apr 22, 2019
@JeffAshton
Removing authentication from the /ping route to match influxdb (influ…
99bf406 
…xdata#5316)
bitcharmer pushed a commit to bitcharmer/telegraf that referenced this pull request Oct 18, 2019
@JeffAshton @bitcharmer
Removing authentication from the /ping route to match influxdb (influ…
9846984 
…xdata#5316)
athoune pushed a commit to bearstech/telegraf that referenced this pull request Apr 17, 2020
@JeffAshton
Removing authentication from the /ping route to match influxdb (influ…
ffa9954 
…xdata#5316)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.10.0
Development

Successfully merging this pull request may close these issues.
2 participants
@JeffAshton @danielnelson