unauthenticated /metrics endpoint
I am running influxdb:2.6.1 docker from docker hub...
I have noticed that the /health and /metrics endpoints, which are relative to our domain, are unauthenticated. Based on https://docs.influxdata.com/influxdb/v2.6/api/#tag/Health those endpoints should be token authenticated. I have noticed that /api/v2/metrics requires authentication. The /metrics endpoint especially may contain sensitive information.
Hi @7c, this is an error in the documentation.
The /health endpoint is intended to be unauthenticated so that it can be used by something like K8s readiness checks to validate that the instance is up and running.
The /metrics endpoint is unauthenticated as the current intended primary user is influxdb itself for easily reading back metrics, and scrapers currently don't support authentication.
I don't believe that endpoint contains any sensitive information. Is there any particular information you are concerned about?
Thanks @jeffreyssmith2nd. I agree they should be unauthenticated. The only concern I do have with /metrics is that the directory structure of the installation seems to be part of the report. One might see which OS the host is and/or guess how many buckets/measurements one might be hosting. I am not sure if the IDs are somehow important.
The documentation still shows that these endpoints support Token Authentication. Are the docs still incorrect or has authentication been added to these endpoints?
@MCWronski - I would like to clarify whether you are concerned about v2.x as the original issue is, or with another version of InfluxDB?
In v3, the /metrics endpoint is authenticated, with the ability to opt out of it being authenticated at server start.
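Added example, not part of the original thread and not InfluxDB code: a small audit of a Prometheus-format scrape that reports the items the thread raises as a concern (installation paths, host platform, number of distinct bucket IDs). The sample scrape is constructed, and the metric names, the label names `os`/`arch`/`version`/`bucket`/`org`/`path` and the list of filesystem roots are assumptions to adjust for your own output.

```python
import re
from collections import defaultdict

# Constructed sample in Prometheus text format. Metric names, label names and
# values are illustrative assumptions, not output from a real InfluxDB instance.
SAMPLE = r'''
# TYPE demo_build_info gauge
demo_build_info{arch="amd64",os="linux",version="v0.0.0-example"} 1
demo_shard_disk_size{bucket="aaaa000000000001",path="/var/lib/exampledb/data/aaaa000000000001/1"} 4096
demo_shard_disk_size{bucket="bbbb000000000002",path="/var/lib/exampledb/data/bbbb000000000002/2"} 8192
demo_bucket_measurement_num{bucket="aaaa000000000001"} 3
demo_http_requests_total{method="GET",path="/api/v2/query",status="200"} 17
'''

LINE_RE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+\S+')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# Heuristic: common filesystem roots or a Windows drive prefix. URL routes such
# as "/api/v2/query" also start with "/" and must not be reported as host paths.
FS_PATH_RE = re.compile(r'^(?:/(?:var|home|root|opt|etc|usr|data|mnt|srv)(?:/|$)|[A-Za-z]:\\)')
PLATFORM_LABELS = {"os", "arch", "version"}   # assumed label names
ID_LABELS = {"bucket", "org"}                 # assumed label names

def audit(text):
    """Summarise what an unauthenticated reader could learn from one scrape."""
    found = {"fs_paths": set(), "platform": {}, "ids": defaultdict(set)}
    for line in text.splitlines():
        m = LINE_RE.match(line)      # comments and blank lines do not match
        if not m:
            continue
        for name, value in LABEL_RE.findall(m.group(2) or ""):
            if FS_PATH_RE.match(value):
                found["fs_paths"].add(value)
            if name in PLATFORM_LABELS:
                found["platform"][name] = value
            if name in ID_LABELS:
                found["ids"][name].add(value)
    return found

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("platform labels:", result["platform"])
    print("host paths:", sorted(result["fs_paths"]))
    for label, values in result["ids"].items():
        print(f"distinct {label} ids: {len(values)}")
```

Running `audit()` over the /metrics body of an instance you operate shows whether the endpoint needs to be kept off untrusted networks, for example behind a reverse proxy or firewall rule.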