pikvm/pikvm#1069: added option to disable auth on prometheus api

4 files changed, 22 insertions, 1 deletions

diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index 4b840e70..4bd8a60d 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -397,6 +397,12 @@ def _get_config_scheme() -> dict:
                 "enabled": Option(True, type=valid_bool),
             },
 
+            "prometheus": {
+                "auth": {
+                    "enabled": Option(True, type=valid_bool),
+                },
+            },
+
             "hid": {
                 "type": Option("", type=valid_stripped_string_not_empty),
 
diff --git a/kvmd/apps/kvmd/__init__.py b/kvmd/apps/kvmd/__init__.py
index f02085e1..2d0219db 100644
--- a/kvmd/apps/kvmd/__init__.py
+++ b/kvmd/apps/kvmd/__init__.py
@@ -75,6 +75,7 @@ def main(argv: (list[str] | None)=None) -> None:
     KvmdServer(
         auth_manager=AuthManager(
             enabled=config.auth.enabled,
+            unauth_paths=([] if config.prometheus.auth.enabled else ["/export/prometheus/metrics"]),
 
             internal_type=config.auth.internal.type,
             internal_kwargs=config.auth.internal._unpack(ignore=["type", "force_users"]),
diff --git a/kvmd/apps/kvmd/api/auth.py b/kvmd/apps/kvmd/api/auth.py
index 7d2fad36..5f2e847e 100644
--- a/kvmd/apps/kvmd/api/auth.py
+++ b/kvmd/apps/kvmd/api/auth.py
@@ -44,7 +44,7 @@ _COOKIE_AUTH_TOKEN = "auth_token"
 
 
 async def check_request_auth(auth_manager: AuthManager, exposed: HttpExposed, request: Request) -> None:
-    if exposed.auth_required and auth_manager.is_auth_enabled():
+    if auth_manager.is_auth_required(exposed):
         user = request.headers.get("X-KVMD-User", "")
         if user:
             user = valid_user(user)
diff --git a/kvmd/apps/kvmd/auth.py b/kvmd/apps/kvmd/auth.py
index 21af1a93..8b0d104d 100644
--- a/kvmd/apps/kvmd/auth.py
+++ b/kvmd/apps/kvmd/auth.py
@@ -30,12 +30,15 @@ from ... import aiotools
 from ...plugins.auth import BaseAuthService
 from ...plugins.auth import get_auth_service_class
 
+from ...htserver import HttpExposed
+
 
 # =====
 class AuthManager:
     def __init__(
         self,
         enabled: bool,
+        unauth_paths: list[str],
 
         internal_type: str,
         internal_kwargs: dict,
@@ -51,6 +54,10 @@ class AuthManager:
         if not enabled:
             get_logger().warning("AUTHORIZATION IS DISABLED")
 
+        self.__unauth_paths = frozenset(unauth_paths)  # To speed up
+        for path in self.__unauth_paths:
+            get_logger().warning("Authorization is disabled for API %r", path)
+
         self.__internal_service: (BaseAuthService | None) = None
         if enabled:
             self.__internal_service = get_auth_service_class(internal_type)(**internal_kwargs)
@@ -70,6 +77,13 @@ class AuthManager:
     def is_auth_enabled(self) -> bool:
         return self.__enabled
 
+    def is_auth_required(self, exposed: HttpExposed) -> bool:
+        return (
+            self.is_auth_enabled()
+            and exposed.auth_required
+            and exposed.path not in self.__unauth_paths
+        )
+
     async def authorize(self, user: str, passwd: str) -> bool:
         assert user == user.strip()
         assert user