Provision to include request context(query params, headers) in AuthenticatorFunc #4806
Comments
|
How about we have a list of properties that the authenticator should propagate down via the context? The config would look like this: receivers:
myhttpreceiver:
auth:
propagate:
headers:
- x-tenant-id
query:
- access_tokenToday, we'd just blindly propagate everything, which is user-friendly but potentially resource-intensive. This change would be resource efficient, but will not be as user-friendly as before. Also, if the payload changes and a new header is sent, the collector's config needs to be changed to make use of that. Or perhaps we should propagate everything, except when this new |
|
While writing an authenticator for our distribution, I actually thought of using something similar to above in the
This is indeed a good approach. We make There are a few things which we should make a note of-
|
|
Note that the propagation happens in the confighttp/configgrpc code, not in the authenticator itself.
Yes, the only change is to the contents of the incoming map.
Do you have an example of that?
gRPC would be affected, as the list would restrict what we get from its metadata. |
|
Yes I understood that this would be a part of confighttp/configgrpc Regarding auth data in the body, only one concrete instance I have is wrt to statsd receiver. It is over UDP and accepts plaintext statsd format metrics data. I know that auth is not a part of that configuration. One possible way of sending auth(tokens) would be via tags and we would need that tag to be parsed which is present as request body itself. I
But for gRPC auth, we wont have |
Good point. I can see how this would become a problem down the chain, so, let's consider this in the future if we ever need it. I believe that the proposal from this issue here could be easily changed to add body propagation. We'd need a way to drop that after we used it, but that's also something that can be done in the future.
Both HTTP and gRPC share the same auth object: opentelemetry-collector/config/confighttp/confighttp.go Lines 61 to 62 in 7cdf8c7 opentelemetry-collector/config/configgrpc/configgrpc.go Lines 98 to 99 in 7cdf8c7 opentelemetry-collector/config/configauth/configauth.go Lines 31 to 35 in 7cdf8c7 My idea is to add the |
|
Agreed. My contention was that for grpc, |
|
@jpkrohling the list of "requirements" can be embedded in the code. Something like the "AuthExtension" can have a "Requirements()" API that tells the HTTP/GRPC what infos are required? |
|
please don't forget the Host property |
What if the requirement is coming from a processor down the line? Or perhaps even from an exporter (for routing capabilities, like described in #4814) |
|
@jpkrohling maybe can use "Host" as the intermediary, components can "record their needs"? Not sold necessary on the "Host" but you can come up with a solution :) |
|
Hello, friendly reminder :) Is there any finished plan for this issue? |
|
Not yet. It's in my queue, but I have a few things to complete before going to this one. |
|
@jpkrohling I took the liberty to work on this. Kindly check #5080 |
|
I'll take a look! |
|
Friendly reminder on this one :) |
|
I'm back from my leave, I have this on my queue. |
This PR adds a new option to the ServerConfig's Auth option, allowing users to specify a list of query parameters to add to the sources of auth data, in addition to HTTP headers. Instead of simply adding all parameters, which might be numeruous, we require users to specify which ones to include. Auth extensions don't need to be changed, but should document which attributes they expect to find in the context and how to configure confighttp to accomplish that. Fixes open-telemetry#4806 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
|
This took a little longer than planned, but it's finally there for review. |
|
The current implementation of this feature changes only |
TylerHelmuth
modified the milestones:
go.opentelemetry.io/collector/configauth 1.0,
confighttp
TylerHelmuth
modified the milestones:
confighttp,
go.opentelemetry.io/collector/confighttp 1.0
This PR adds a new option to the ServerConfig's Auth option, allowing users to specify a list of query parameters to add to the sources of auth data, in addition to HTTP headers. Instead of simply adding all parameters, which might be numeruous, we require users to specify which ones to include. Auth extensions don't need to be changed, but should document which attributes they expect to find in the context and how to configure confighttp to accomplish that. Fixes open-telemetry#4806 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
This PR adds a new option to the ServerConfig's Auth option, allowing users to specify a list of query parameters to add to the sources of auth data, in addition to HTTP headers. Instead of simply adding all parameters, which might be numeruous, we require users to specify which ones to include. Auth extensions don't need to be changed, but should document which attributes they expect to find in the context and how to configure confighttp to accomplish that. Fixes open-telemetry#4806 Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Is your feature request related to a problem? Please describe.
A facility to access request params such as query string in addition to already existing headers would be useful in the
AuthenticatorFuncDescribe alternatives you've considered
Pass the queryParams along with headers in the map passed to the above func. Probably not the best approach.
Additional context
Authenticators such as apiToken validators would need to pick the token from either the header or query string. In such case, the current implementation wont be sufficient.
We need a more generic way of handling this.
@jpkrohling
The text was updated successfully, but these errors were encountered: