Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(auth): support basic auth #60

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(auth): support basic auth #60

wants to merge 1 commit into from

Conversation

mitchnielsen
Copy link
Contributor

@mitchnielsen mitchnielsen commented Jan 17, 2025
edited
Loading

Summary

In PrefectHQ/prefect#16408, Prefect server added support for basic auth.

This adds support for setting PREFECT_API_AUTH_STRING. The exporter will base64 encode this value and apply the value as a Basic auth header.

Closes #59

Closes https://linear.app/prefect/issue/PLA-931/prometheus-prefect-exporter-doesnt-support-basic-authentication-when

Testing

Supply the authorization setting to the server and the client (exporter in this case):

diff --git a/compose.yml b/compose.yml
index f71c1da..d439195 100644
--- a/compose.yml
+++ b/compose.yml
@@ -5,7 +5,7 @@ services:
       - "4200:4200"
     environment:
       PREFECT_LOGGING_LEVEL: debug
-      # PREFECT_SERVER_API_AUTH_STRING: ""
+      PREFECT_SERVER_API_AUTH_STRING: "admin:admin"
     command:
       - prefect
       - server
@@ -24,7 +24,7 @@ services:
       - "8000:8000"
     environment:
       PREFECT_API_URL: http://prefect:4200/api
-      # PREFECT_API_AUTH_STRING: ""
+      PREFECT_API_AUTH_STRING: "admin:admin"
     depends_on:
       prefect:
         condition: service_healthy

Then run docker compose up -d. This should build the exporter image, but if you need to refresh that image, run docker compose build.

Check the logs with docker compose logs -f. You should see successful requests to the endpoints:

...
prefect-1              | INFO:     172.30.0.4:55276 - "POST /api/flows/filter HTTP/1.1" 200 OK
prefect-1              | INFO:     172.30.0.4:55286 - "POST /api/flows/filter HTTP/1.1" 200 OK
prefect-1              | INFO:     172.30.0.4:55298 - "POST /api/flow_runs/filter HTTP/1.1" 200 OK
prefect-1              | INFO:     172.30.0.4:55314 - "POST /api/flow_runs/filter HTTP/1.1" 200 OK
prefect-1              | INFO:     172.30.0.4:55318 - "POST /api/flow_runs/filter HTTP/1.1" 200 OK
prefect-1              | INFO:     172.30.0.4:55332 - "POST /api/flow_runs/filter HTTP/1.1" 200 OK
prefect-1              | INFO:     172.30.0.4:55344 - "POST /api/work_pools/filter HTTP/1.1" 200 OK
prefect-1              | INFO:     172.30.0.4:55346 - "POST /api/work_queues/filter HTTP/1.1" 200 OK
...

And if you run some test flows, you should see metrics update at http://localhost:8000.

If you want to confirm auth is active, you can go to http://localhost:4200 and you should see an authorization window asking for the password before you can reach the UI.

@mitchnielsen
feat(auth): support basic auth
b04e3d1 
In PrefectHQ/prefect#16408, Prefect server
added support for basic auth.

This adds support for setting PREFECT_API_AUTH_STRING. The exporter will
base64 encode this value and apply the value as a Basic auth header.

Closes #59

Closes https://linear.app/prefect/issue/PLA-931/prometheus-prefect-exporter-doesnt-support-basic-authentication-when
@mitchnielsen mitchnielsen self-assigned this Jan 17, 2025
mitchnielsen
mitchnielsen commented Jan 17, 2025
View reviewed changes
main.py
Comment on lines +37 to +39
if api_auth_string:
api_auth_string_encoded = base64.b64encode(api_auth_string.encode("utf-8")).decode("utf-8")
headers["Authorization"] = f"Basic {api_auth_string_encoded}"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This matches the encoding approach upstream: https://github.com/PrefectHQ/prefect/pull/16408/files#diff-a52d8326344d84ccd617e704df9a030fd4a813a8d705510f778538423e7cf21dR307-R310

mitchnielsen
mitchnielsen commented Jan 17, 2025
View reviewed changes
README.md
@@ -92,6 +92,7 @@ You can now reach each service locally:
You can modify environment variables to change the behavior of the exporter.
- An API Key is only required for auth-enabled, on-prem, self-managed solutions.
- An API key is not required for open-source or Prefect Server.
- If an API key and API auth string are provided, then the API key takes precedence.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was reading up on this and if there was some scenario that would require both to be passed, you can supposedly supply one "Authorization" header key with a comma-separated list of values and that should work.

@mitchnielsen mitchnielsen marked this pull request as ready for review January 17, 2025 22:00
@mitchnielsen mitchnielsen requested a review from a team as a code owner January 17, 2025 22:00
@mitchnielsen mitchnielsen mentioned this pull request Jan 17, 2025
Open
@mitchnielsen
Copy link
Contributor Author

If this doesn't merge before I'm out next week, Platform/anyone can feel free to take this over - otherwise I'll pick it up again when I'm back on Jan 28.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jamiezieziula jamiezieziula jamiezieziula approved these changes

Assignees

@mitchnielsen mitchnielsen

Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Prometheus Prefect Exporter doesn't support basic Authentication when implemented on prefect-server
2 participants
@mitchnielsen @jamiezieziula