archive/netdata_netdata
0
0
Fork 0
mirror of https://github.com/netdata/netdata.git synced 2025-04-23 13:00:23 +00:00
Code Issues Projects Releases Wiki Activity

Bug fix for netdata behind authenticated proxies ()

Browse source 
* Was incorrectly updating the headers when the Authorization header was being sent

* Use X-Auth-Token instead of Authorization header, to allow the management API to work authenticated behind proxies as well
This commit is contained in:
Chris Akritidis 2019-01-18 23:06:51 +01:00 committed by GitHub
parent 67cd486e7a
commit 68e5ce8f9a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 16 deletions
tests/health_mgmtapi
health-cmdapi-test.sh.in
web
api/health
README.md
server
web_client.c

2
tests/health_mgmtapi/health-cmdapi-test.sh.in
View file

@ -41,7 +41,7 @@ check () {
cmd () { cmd () {
echo -e "${WHITE}Cmd '${1}', expecting '${2}'" echo -e "${WHITE}Cmd '${1}', expecting '${2}'"
RESPONSE=$(curl -s "http://$URL/api/v1/manage/health?${1}" -H "Authorization: Bearer $TOKEN" 2>&1) RESPONSE=$(curl -s "http://$URL/api/v1/manage/health?${1}" -H "X-Auth-Token: $TOKEN" 2>&1)
if [ "${RESPONSE}" != "${2}" ] ; then if [ "${RESPONSE}" != "${2}" ] ; then
echo -e "${RED}ERROR: Response '${RESPONSE}' != '${2}'" echo -e "${RED}ERROR: Response '${RESPONSE}' != '${2}'"
err=$((err+1)) err=$((err+1))

10
web/api/health/README.md
View file

@ -61,7 +61,7 @@ The API is available by default, but it is protected by an `api authorization to
You can access the API via GET requests, by adding the bearer token to an `Authorization` http header, like this: You can access the API via GET requests, by adding the bearer token to an `Authorization` http header, like this:
``` ```
curl "http://myserver/api/v1/manage/health?cmd=RESET" -H "Authorization: Bearer Mytoken" curl "http://myserver/api/v1/manage/health?cmd=RESET" -H "X-Auth-Token: Mytoken"
``` ```
The command `RESET` just returns netdata to the default operation, with all health checks and notifications enabled. The command `RESET` just returns netdata to the default operation, with all health checks and notifications enabled.
@ -71,13 +71,13 @@ If you've configured and entered your token correclty, you should see the plain
If all you need is temporarily disable all health checks, then you issue the following before your maintenance period starts: If all you need is temporarily disable all health checks, then you issue the following before your maintenance period starts:
``` ```
curl "http://myserver/api/v1/manage/health?cmd=DISABLE ALL" -H "Authorization: Bearer Mytoken" curl "http://myserver/api/v1/manage/health?cmd=DISABLE ALL" -H "X-Auth-Token: Mytoken"
``` ```
The effect of disabling health checks is that the alarm criteria are not evaluated at all and nothing is written in the alarm log. The effect of disabling health checks is that the alarm criteria are not evaluated at all and nothing is written in the alarm log.
If you want the health checks to be running but to not receive any notifications during your maintenance period, you can instead use this: If you want the health checks to be running but to not receive any notifications during your maintenance period, you can instead use this:
``` ```
curl "http://myserver/api/v1/manage/health?cmd=SILENCE ALL" -H "Authorization: Bearer Mytoken" curl "http://myserver/api/v1/manage/health?cmd=SILENCE ALL" -H "X-Auth-Token: Mytoken"
``` ```
Alarms may then still be raised and logged in netdata, so you'll be able to see them via the UI. Alarms may then still be raised and logged in netdata, so you'll be able to see them via the UI.
@ -85,7 +85,7 @@ Alarms may then still be raised and logged in netdata, so you'll be able to see
Regardless of the option you choose, at the end of your maintenance period you revert to the normal state via the RESET command. Regardless of the option you choose, at the end of your maintenance period you revert to the normal state via the RESET command.
``` ```
curl "http://myserver/api/v1/manage/health?cmd=RESET" -H "Authorization: Bearer Mytoken" curl "http://myserver/api/v1/manage/health?cmd=RESET" -H "X-Auth-Token: Mytoken"
``` ```
### Disable or silence specific alarms ### Disable or silence specific alarms
@ -108,7 +108,7 @@ To clear all selectors and reset the mode to default, use the `RESET` command.
The following example silences notifications for all the alarms with context=load: The following example silences notifications for all the alarms with context=load:
``` ```
curl "http://myserver/api/v1/manage/health?cmd=SILENCE&context=load" -H "Authorization: Bearer Mytoken" curl "http://myserver/api/v1/manage/health?cmd=SILENCE&context=load" -H "X-Auth-Token: Mytoken"
``` ```
#### Selection criteria #### Selection criteria

13
web/server/web_client.c
View file

@ -732,7 +732,7 @@ static inline char *http_header_parse(struct web_client *w, char *s, int parse_u
hash_accept_encoding = simple_uhash("Accept-Encoding"); hash_accept_encoding = simple_uhash("Accept-Encoding");
hash_donottrack = simple_uhash("DNT"); hash_donottrack = simple_uhash("DNT");
hash_useragent = simple_uhash("User-Agent"); hash_useragent = simple_uhash("User-Agent");
hash_authorization = simple_uhash("Authorization"); hash_authorization = simple_uhash("X-Auth-Token");
} }
char *e = s; char *e = s;
@ -777,15 +777,8 @@ static inline char *http_header_parse(struct web_client *w, char *s, int parse_u
} }
else if(parse_useragent && hash == hash_useragent && !strcasecmp(s, "User-Agent")) { else if(parse_useragent && hash == hash_useragent && !strcasecmp(s, "User-Agent")) {
w->user_agent = strdupz(v); w->user_agent = strdupz(v);
} else if(hash == hash_authorization&& !strcasecmp(s, "Authorization")) { } else if(hash == hash_authorization&& !strcasecmp(s, "X-Auth-Token")) {
if (strlen(v) > 8) { // Must contain at least "Bearer " w->auth_bearer_token = strdupz(v);
char *auth_key=v+6;
*auth_key='\0';
if (!strcasecmp(v,"Bearer")) {
auth_key++;
w->auth_bearer_token=strdupz(auth_key);
}
}
} }
#ifdef NETDATA_WITH_ZLIB #ifdef NETDATA_WITH_ZLIB
else if(hash == hash_accept_encoding && !strcasecmp(s, "Accept-Encoding")) { else if(hash == hash_accept_encoding && !strcasecmp(s, "Accept-Encoding")) {