Query: unable to get basic authentication work for thanos querier service

Open arunmarria opened this issue 3 years ago • 8 comments

Thanos, Prometheus and Golang version used: Thanos - 0.23.1-scratch-r1 Prometheus - v2.27.1

Object Storage Provider: AWS s3 bucket

What happened: We want to expose thanos querier service as loadbalancer and restrict access using some authentication mechanism so not everyone on the internet can access it. So we are following this guide - https://thanos.io/tip/operating/https.md/ but this does not seem to be working. We know this section is experimental but can we have a working example of the configuration?

What you expected to happen: The users mentioned in this example should be able to login to querier. https://thanos.io/tip/operating/https.md/#example

How to reproduce it (as minimally and precisely as possible): Follow steps here https://thanos.io/tip/operating/https.md/

Full logs to relevant components: no logs - configuration does not even seem to be supported, as the pod crashes saying expected string got map for http.config args.

Anything else we need to know:

Further the guide is a bit ambiguous, as we were unable to find references regarding this configuration in source code. Can you confirm if this is even supported?

arunmarria avatar Jun 14 '22 21:06 arunmarria

@bwplotka @saswatamcode Guess you guys could provide some help on this issue? Thanks!

yangyang919 avatar Jun 15 '22 06:06 yangyang919

It's a bit difficult to guess what's wrong based on this. Can you provide the K8s YAML config for Querier, as it seems to be not detecting the path to the HTTP config file? :)

Also, regarding docs, yes it's a good idea to make a detailed guide around it, maybe even Katacoda/Killercode scenario. FWIW Prometheus also has similar docs on the same https://github.com/prometheus/prometheus/blob/main/docs/configuration/https.md.

saswatamcode avatar Jun 15 '22 06:06 saswatamcode

@yangyang919 @arunmarria for a simpler local example, this works,

Generating cert and key

openssl genrsa 2048 > host.key
chmod 400 host.key
openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert

Preparing config.yaml file with one user,

tls_server_config:
  cert_file: host.cert
  key_file: host.key

basic_auth_users:
  saswata: $2a$12$J.WYlq8UmWfxu3Z/ZQV4du5WBI0fahilMFkFTPyqCZLfsN/9N/VrW

Starting Querier (some dummy stores),

thanos query \
    --http-address "127.0.0.1:39090" \
    --grpc-address="0.0.0.0:39091" \
    --store "127.0.0.1:10907" \
    --store "127.0.0.1:10902" \
    --http.config="config.yaml"

You can then log in with saswata & hello on https://localhost:39090.

saswatamcode avatar Jun 15 '22 06:06 saswatamcode
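
A pre-deployment check for the `config.yaml` shown in the comment above, as an added example that is not part of the original thread or of Thanos: it flags `basic_auth_users` values that are not bcrypt hashes, low bcrypt cost, and basic auth configured without `tls_server_config`. The function names, the `min_cost` threshold and the `BAD` sample are assumptions made for illustration, and the parser handles only the two-level layout used in that file.

```python
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+hash
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def parse_sections(text):
    """Parse only the two-level 'section: / key: value' layout shown above."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():          # unindented line opens a section
            current = sections.setdefault(key, {})
        elif current is not None:          # indented line belongs to it
            current[key] = value.strip().strip("'\"")
    return sections

def lint_web_config(text, min_cost=10):    # min_cost: assumed local policy
    """Return a list of findings; an empty list means no issue was found."""
    cfg = parse_sections(text)
    users = cfg.get("basic_auth_users", {})
    tls = cfg.get("tls_server_config", {})
    findings = []
    if not users:
        findings.append("no basic_auth_users defined: no password is required")
    for user, value in users.items():
        m = BCRYPT.match(value)
        if not m:
            findings.append(f"{user}: value is not a bcrypt hash")
        elif int(m.group(1)) < min_cost:
            findings.append(f"{user}: bcrypt cost {m.group(1)} is below {min_cost}")
    if users and not (tls.get("cert_file") and tls.get("key_file")):
        findings.append("basic auth without TLS: credentials are sent unencrypted")
    return findings

# GOOD is the config from the comment above; BAD is a constructed broken variant.
GOOD = """tls_server_config:
  cert_file: host.cert
  key_file: host.key

basic_auth_users:
  saswata: $2a$12$J.WYlq8UmWfxu3Z/ZQV4du5WBI0fahilMFkFTPyqCZLfsN/9N/VrW
"""
BAD = """basic_auth_users:
  alice: hello
  bob: $2a$04$J.WYlq8UmWfxu3Z/ZQV4du5WBI0fahilMFkFTPyqCZLfsN/9N/VrW
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_web_config(text) or "ok")
```
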

Thanks for checking @saswatamcode , I will give this a try and update if it works for us.

arunmarria avatar Jun 15 '22 19:06 arunmarria

Sorry arunmarria, we are trying to do the same. Did it finally work correctly? Which configuration did you use? BRs.

ctsanjuan avatar Aug 18 '22 11:08 ctsanjuan

@ctsanjuan I actually started working on a new project and didn't attempt that proposed configuration.

arunmarria avatar Sep 02 '22 16:09 arunmarria

Hello 👋 Looks like there was no activity on this issue for the last two months. Do you mind updating us on the status? Is this still reproducible or needed? If yes, just comment on this PR or push a commit. Thanks! 🤗 If there will be no activity in the next two weeks, this issue will be closed (we can always reopen an issue if we need!). Alternatively, use remind command if you wish to be reminded at some point in future.

stale[bot] avatar Nov 13 '22 15:11 stale[bot]

Any update? I am also trying to do the same.

aesakif avatar Jan 29 '24 11:01 aesakif