flower
Enable authentication for /metrics by default if authentication is enabled
Describe the bug
It looks like authentication for the metrics endpoint has been disabled by #1129.
I am pretty sure that these metrics can allow an external party to gather some information on what is going on in a system, as they can leak information that developers may never have expected to be available to the outside, like the task names.
When basic authentication is enabled, this endpoint should also require authentication by default, as many users will either not use the metrics endpoint at all, or will be able to configure a scraper to use these credentials.
Alternatively, at least allow enabling authentication here as well. For me, this renders the built-in authentication completely useless and I will need to set it up in my reverse proxy instead.
To Reproduce
Steps to reproduce the behavior:
- Set up Basic Authentication for flower
- Access the /metrics endpoint without authentication
Expected behavior
By default, the metrics endpoint requires authentication.
I'd also like to add that even though the list of unauthenticated endpoints is at the top of the documentation page, many people will skip the introduction and go straight to their preferred authentication method, not realising that the metrics won't be protected.
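A post-deployment check for the behaviour described in the reproduction steps, added here as example code (not part of Flower or of this report): it probes each listed path once without credentials and once with basic auth, and reports any path that serves content to an anonymous client. The base URL, the `user:password` string and the `/` dashboard path are assumptions for illustration.

```python
"""Check which Flower endpoints answer without credentials (added example)."""
import base64
import urllib.error
import urllib.request

# Paths to probe: the /metrics endpoint from the report plus the dashboard root
# (assumed to require authentication when basic auth is enabled).
PATHS = ("/", "/metrics")


def status_for(base_url, path, credentials=None):
    """Return the HTTP status of GET base_url+path, optionally with basic auth.

    credentials is a "user:password" string; HTTPError is mapped to its code so
    a 401/403 is reported as a status rather than raised.
    """
    request = urllib.request.Request(base_url.rstrip("/") + path)
    if credentials:
        token = base64.b64encode(credentials.encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, paths=PATHS, credentials=None):
    """Map each path to (status without credentials, status with credentials)."""
    return {p: (status_for(base_url, p), status_for(base_url, p, credentials))
            for p in paths}


def unprotected(results):
    """Paths that returned a 2xx to the unauthenticated request."""
    return sorted(p for p, (anon, _) in results.items() if 200 <= anon < 300)


if __name__ == "__main__":
    import sys
    # Usage: python check_flower_auth.py http://flower.example:5555 user:password
    creds = sys.argv[2] if len(sys.argv) > 2 else None
    report = audit(sys.argv[1], credentials=creds)
    for path, (anon, authed) in report.items():
        print(f"{path}: anonymous={anon} authenticated={authed}")
    if unprotected(report):
        print("UNPROTECTED:", ", ".join(unprotected(report)))
```

The expected outcome once the issue is fixed is that `unprotected()` returns an empty list; the behaviour reported here shows up as `/metrics` in the list.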