pikvm/pikvm#1069: added option to disable auth on prometheus api

2026-01-29 00:51:53 +08:00 · 2023-08-18 00:21:07 +03:00
parent 32560563dc
commit 61ce81ab64
5 changed files with 64 additions and 3 deletions
--- a/kvmd/apps/init.py
+++ b/kvmd/apps/init.py
@@ -397,6 +397,12 @@ def _get_config_scheme() -> dict:
                "enabled": Option(True, type=valid_bool),
            },

+            "prometheus": {
+                "auth": {
+                    "enabled": Option(True, type=valid_bool),
+                },
+            },
+
            "hid": {
                "type": Option("", type=valid_stripped_string_not_empty),

--- a/kvmd/apps/kvmd/init.py
+++ b/kvmd/apps/kvmd/init.py
@@ -75,6 +75,7 @@ def main(argv: (list[str] | None)=None) -> None:
    KvmdServer(
        auth_manager=AuthManager(
            enabled=config.auth.enabled,
+            unauth_paths=([] if config.prometheus.auth.enabled else ["/export/prometheus/metrics"]),

            internal_type=config.auth.internal.type,
            internal_kwargs=config.auth.internal._unpack(ignore=["type", "force_users"]),
--- a/kvmd/apps/kvmd/api/auth.py
+++ b/kvmd/apps/kvmd/api/auth.py
@@ -44,7 +44,7 @@ _COOKIE_AUTH_TOKEN = "auth_token"


 async def check_request_auth(auth_manager: AuthManager, exposed: HttpExposed, request: Request) -> None:
-    if exposed.auth_required and auth_manager.is_auth_enabled():
+    if auth_manager.is_auth_required(exposed):
        user = request.headers.get("X-KVMD-User", "")
        if user:
            user = valid_user(user)
--- a/kvmd/apps/kvmd/auth.py
+++ b/kvmd/apps/kvmd/auth.py
@@ -30,12 +30,15 @@ from ... import aiotools
 from ...plugins.auth import BaseAuthService
 from ...plugins.auth import get_auth_service_class

+from ...htserver import HttpExposed
+

 # =====
 class AuthManager:
    def __init__(
        self,
        enabled: bool,
+        unauth_paths: list[str],

        internal_type: str,
        internal_kwargs: dict,
@@ -51,6 +54,10 @@ class AuthManager:
        if not enabled:
            get_logger().warning("AUTHORIZATION IS DISABLED")

+        self.__unauth_paths = frozenset(unauth_paths)  # To speed up
+        for path in self.__unauth_paths:
+            get_logger().warning("Authorization is disabled for API %r", path)
+
        self.__internal_service: (BaseAuthService | None) = None
        if enabled:
            self.__internal_service = get_auth_service_class(internal_type)(**internal_kwargs)
@@ -70,6 +77,13 @@ class AuthManager:
    def is_auth_enabled(self) -> bool:
        return self.__enabled

+    def is_auth_required(self, exposed: HttpExposed) -> bool:
+        return (
+            self.is_auth_enabled()
+            and exposed.auth_required
+            and exposed.path not in self.__unauth_paths
+        )
+
    async def authorize(self, user: str, passwd: str) -> bool:
        assert user == user.strip()
        assert user