Support for Basic Auth
Proposal
Support passing the X-Nomad-Token via HTTP Basic Auth to use the Nomad API, by ignoring the username section and parsing the password section as if it were a token.
Use-cases
Not all external systems allow specifying Bearer auth or allow specifying custom HTTP request headers. Basic Auth might be the only way for those systems to specify authentication.
Attempted Solutions
- Transforming it in the load balancer (haproxy in our case), which works and looks something like this:

  ```haproxy
  frontend http
      # Allow using Basic Auth with "bearer" as the username, to transform it into a Bearer auth (e.g. for webhooks)
      acl is_bearer_token hdr(Authorization) -m beg "Basic YmVhcmVyO" # The Authorization is HTTP Basic and the username starts with bearer
      http-request set-header Authorization "Bearer %[hdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(.*:,,i)]" if is_bearer_token
  ```
Heya, thanks for the report!
This is an interesting suggestion, but has at least one potential gotcha I can think of that could break current clusters. Our Go api package supports sending basic auth (old PR #1431), not because Nomad can handle it, but because proxies in front of Nomad can. The risk of Nomad attempting to parse it, too, could result in rejected requests for any proxies that don't strip or mutate the basic auth header before forwarding to Nomad.
I'm curious if you might elaborate on any specific systems that are restricted in this way? We may end up erring on the side of proxy->Nomad safety and keep the concerns separate, especially since you do have a proxy transform at hand.
We are currently using HaloPSA, which has limited authentication options:
I understand and appreciate your concerns! Feel free to open or close this issue as needed; this background info might be useful to some.
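The same Basic-to-Bearer transform as the HAProxy rule in the thread, written as a Go `net/http` middleware. This is an added example, not code from the issue or from Nomad; the names `rewriteBasicToBearer`, `Middleware` and `upstreamSees` are hypothetical and the credentials are constructed. It splits at the first colon (RFC 7617) rather than using a greedy match, and it leaves any Basic credentials whose username is not `bearer` untouched, which is the proxy-compatibility concern raised in the reply.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// rewriteBasicToBearer turns "Basic base64(bearer:<token>)" into "Bearer <token>".
// Any other Authorization value is returned unchanged and is never treated as a token.
func rewriteBasicToBearer(authz string) (string, bool) {
	scheme, payload, ok := strings.Cut(authz, " ")
	if !ok || !strings.EqualFold(scheme, "Basic") {
		return authz, false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(payload))
	user, token, found := strings.Cut(string(raw), ":") // RFC 7617: split at the first colon
	if err != nil || !found || user != "bearer" || token == "" {
		return authz, false
	}
	return "Bearer " + token, true
}

// Middleware applies the rewrite before the request reaches the upstream handler.
func Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v, ok := rewriteBasicToBearer(r.Header.Get("Authorization")); ok {
			r.Header.Set("Authorization", v)
		}
		next.ServeHTTP(w, r)
	})
}

// upstreamSees returns the Authorization header a stub upstream receives (constructed request).
func upstreamSees(user, pass string) (seen string) {
	h := Middleware(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
	}))
	req := httptest.NewRequest(http.MethodGet, "/v1/jobs", nil)
	req.SetBasicAuth(user, pass)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Println(upstreamSees("bearer", "constructed-token"), "|", upstreamSees("alice", "pw"))
}
```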