
Can't reasonably load Querier UI with prom-label-proxy

Open bill3tt opened this issue 4 years ago • 3 comments

Since https://github.com/prometheus-community/prom-label-proxy/pull/48 was merged, users are required to explicitly state an allowlist of endpoints (unsafe-passthrough-paths) that any tenant can retrieve without interference of prom-label-proxy.

This means that any UI components require explicit whitelisting to work, which often have complex URIs.

Configuring prom-label-proxy to serve the Thanos Querier UI required the following docker command:

docker run --net=host --rm \
    --name prom-label-proxy \
    quay.io/prometheuscommunity/prom-label-proxy:v0.3.0 \
    -label tenant \
    -upstream http://127.0.0.1:29090 \
    -insecure-listen-address 0.0.0.0:39090 \
    -enable-label-apis \
    -unsafe-passthrough-paths=/api/v1/stores,/api/v1/status/flags,/graph,/status,/api/v1/status/buildinfo,/api/v1/status/runtimeinfo,/flags,/static/css/2.a92efa4c.chunk.css,/static/css/main.e1aaea6d.chunk.css,/static/js/2.2de83b5e.chunk.js,/static/js/main.a767bdbf.chunk.js,/manifest.json

It worked :man_shrugging: but the UX was terrible. Each downstream UI component version will require a carefully constructed set of unsafe-passthrough-paths.

Personally, I have no requirements other than attempting to fix the tutorial (https://github.com/thanos-io/thanos/issues/4309). However, this is a reasonable enough use-case for others to require.

Safe-defaults were mentioned in https://github.com/prometheus-community/prom-label-proxy/pull/48#issuecomment-768225385, but do not appear to have been implemented.

bill3tt avatar Jun 07 '21 20:06 bill3tt

I would assume that /static/* endpoints are "safe" but the rest is more problematic IMHO. IIRC we decided on exact paths to avoid users shooting themselves in the foot but maybe it's fine to allow things like --unsafe-passthrough-paths=/static/*?

simonpasquier avatar Aug 27 '21 08:08 simonpasquier

Can we pass through all paths (other than the API endpoints specified explicitly) by default?

yeya24 avatar Sep 16 '21 05:09 yeya24

It was discussed in https://github.com/prometheus-community/prom-label-proxy/pull/48#issuecomment-716552994 but dismissed as being insecure (at least as long as the legacy UI exists, since the targets and configuration pages may expose sensitive information).

simonpasquier avatar Sep 21 '21 13:09 simonpasquier
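Added example, not code from prom-label-proxy: a small Go allowlist matcher in the spirit of the two proposals above (exact paths as the flag takes today, plus a "/static/*" prefix form), with the request path normalized before matching so that a prefix rule cannot be stretched to cover the targets or configuration endpoints the last comment calls sensitive. The `Passthrough` type, its rule syntax and the sample paths are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Passthrough holds the allowlist: exact request paths (what
// -unsafe-passthrough-paths accepts today) plus "/prefix/*" entries in
// the style of the "/static/*" idea from the thread. (Illustrative type.)
type Passthrough struct {
	exact    map[string]bool
	prefixes []string // stored with a trailing slash, e.g. "/static/"
}

// NewPassthrough parses rules such as "/api/v1/stores" or "/static/*".
func NewPassthrough(rules []string) *Passthrough {
	p := &Passthrough{exact: map[string]bool{}}
	for _, r := range rules {
		if strings.HasSuffix(r, "/*") {
			pre := path.Clean("/" + strings.TrimSuffix(r, "/*"))
			if pre != "/" {
				pre += "/" // "/static/" so that "/staticfoo" does not match
			}
			p.prefixes = append(p.prefixes, pre)
			continue
		}
		p.exact[path.Clean("/"+r)] = true
	}
	return p
}

// Allowed reports whether reqPath may bypass label enforcement. The path is
// cleaned first, so "/static/../api/v1/targets" is judged as
// "/api/v1/targets" rather than as something under /static/.
func (p *Passthrough) Allowed(reqPath string) bool {
	clean := path.Clean("/" + reqPath)
	if p.exact[clean] {
		return true
	}
	for _, pre := range p.prefixes {
		if pre == "/" || strings.HasPrefix(clean, pre) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed rules and request paths; the static asset name is taken
	// from the docker command in the issue.
	p := NewPassthrough([]string{"/api/v1/stores", "/graph", "/static/*"})
	for _, req := range []string{"/graph", "/static/js/main.a767bdbf.chunk.js",
		"/static/../api/v1/targets", "/api/v1/targets", "/api/v1/query"} {
		fmt.Printf("%-40s passthrough=%v\n", req, p.Allowed(req))
	}
}
```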