author | Maxim Devaev <[email protected]> | 2023-08-18 00:21:07 +0300 |
---|---|---|
committer | Maxim Devaev <[email protected]> | 2023-08-18 00:21:07 +0300 |
commit | 61ce81ab6401046a02aa3eb048af6deed004f840 (patch) | |
tree | 35cc2e044e064318269152426f457cc98b938a69 /kvmd | |
parent | 32560563dc41f19633944e18cf16fef05b88c407 (diff) |
pikvm/pikvm#1069: added option to disable auth on prometheus api
Diffstat (limited to 'kvmd')
-rw-r--r-- | kvmd/apps/__init__.py | 6 | ||||
-rw-r--r-- | kvmd/apps/kvmd/__init__.py | 1 | ||||
-rw-r--r-- | kvmd/apps/kvmd/api/auth.py | 2 | ||||
-rw-r--r-- | kvmd/apps/kvmd/auth.py | 14 |
4 files changed, 22 insertions, 1 deletions
diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index 4b840e70..4bd8a60d 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -397,6 +397,12 @@ def _get_config_scheme() -> dict:
 "enabled": Option(True, type=valid_bool),
 },
+ "prometheus": {
+ "auth": {
+ "enabled": Option(True, type=valid_bool),
+ },
+ },
+
 "hid": {
 "type": Option("", type=valid_stripped_string_not_empty),
diff --git a/kvmd/apps/kvmd/__init__.py b/kvmd/apps/kvmd/__init__.py
index f02085e1..2d0219db 100644
--- a/kvmd/apps/kvmd/__init__.py
+++ b/kvmd/apps/kvmd/__init__.py
@@ -75,6 +75,7 @@ def main(argv: (list[str] | None)=None) -> None:
 KvmdServer(
 auth_manager=AuthManager(
 enabled=config.auth.enabled,
+ unauth_paths=([] if config.prometheus.auth.enabled else ["/export/prometheus/metrics"]),
 internal_type=config.auth.internal.type,
 internal_kwargs=config.auth.internal._unpack(ignore=["type", "force_users"]),
diff --git a/kvmd/apps/kvmd/api/auth.py b/kvmd/apps/kvmd/api/auth.py
index 7d2fad36..5f2e847e 100644
--- a/kvmd/apps/kvmd/api/auth.py
+++ b/kvmd/apps/kvmd/api/auth.py
@@ -44,7 +44,7 @@ _COOKIE_AUTH_TOKEN = "auth_token"
 async def check_request_auth(auth_manager: AuthManager, exposed: HttpExposed, request: Request) -> None:
- if exposed.auth_required and auth_manager.is_auth_enabled():
+ if auth_manager.is_auth_required(exposed):
 user = request.headers.get("X-KVMD-User", "")
 if user:
 user = valid_user(user)
diff --git a/kvmd/apps/kvmd/auth.py b/kvmd/apps/kvmd/auth.py
index 21af1a93..8b0d104d 100644
--- a/kvmd/apps/kvmd/auth.py
+++ b/kvmd/apps/kvmd/auth.py
@@ -30,12 +30,15 @@ from ... import aiotools
 from ...plugins.auth import BaseAuthService
 from ...plugins.auth import get_auth_service_class
+from ...htserver import HttpExposed
+
 # =====
 class AuthManager:
 def __init__(
 self,
 enabled: bool,
+ unauth_paths: list[str],
 internal_type: str,
 internal_kwargs: dict,
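Review bot: In the kvmd/apps/kvmd/__init__.py hunk the exempted route is a bare string literal, `"/export/prometheus/metrics"`, which must stay identical to the path the metrics handler is registered under; that registration is not visible in this diff. If the two drift apart the option silently stops working: the failure is closed, but the operator gets no error, so I would take the path from a constant shared with the handler, or have AuthManager log or reject an `unauth_paths` entry that matches no exposed route. The new `prometheus/auth/enabled` option in kvmd/apps/__init__.py also deserves a comment such as `# False: metrics are served to any client that can reach the KVMD API, without credentials`, because the global `auth/enabled` default no longer covers that endpoint once it is switched off. main() continues outside the hunk.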
@@ -51,6 +54,10 @@ class AuthManager:
 if not enabled:
 get_logger().warning("AUTHORIZATION IS DISABLED")
+ self.__unauth_paths = frozenset(unauth_paths) # To speed up
+ for path in self.__unauth_paths:
+ get_logger().warning("Authorization is disabled for API %r", path)
+
 self.__internal_service: (BaseAuthService | None) = None
 if enabled:
 self.__internal_service = get_auth_service_class(internal_type)(**internal_kwargs)
@@ -70,6 +77,13 @@ class AuthManager:
 def is_auth_enabled(self) -> bool:
 return self.__enabled
+ def is_auth_required(self, exposed: HttpExposed) -> bool:
+ return (
+ self.is_auth_enabled()
+ and exposed.auth_required
+ and exposed.path not in self.__unauth_paths
+ )
+
 async def authorize(self, user: str, passwd: str) -> bool:
 assert user == user.strip()
 assert user |
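Review bot: `is_auth_required()` in the last hunk of kvmd/apps/kvmd/auth.py exempts a handler by `exposed.path` alone, so every handler registered on that path loses authentication regardless of HTTP method. HttpExposed is defined outside this diff; if it carries the method, keying the set on method and path together would limit the exemption to the metrics read. The test appears to compare the registered route rather than the request URL, which is the safer choice, and a docstring should record that, for example `"""Return True unless auth is globally off, the handler is public, or its route is listed in unauth_paths."""`. In the `__init__` hunk before it, `# To speed up` would be clearer as `# frozenset: constant-time membership test on every request`.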