support reading basic_auth_password_file for HTTP basic auth

[adamdecaf]

This requires the BasicAuthPasswordFile added to common. See https://github.com/prometheus/common/pull/129/files#diff-a2356a3b837239d300d6a0326a452aafR70

Issue: #4076

[brian-brazil]

There should be no code changes required, Prometheus shouldn't be duplicating this code.

[adamdecaf]

@brian-brazil I've updated prometheus/common#129 in prometheus from master, but am not seeing successful auth'd requests. I think this block of code is duplicated in prometheus.

[brian-brazil]

To be clear, I'm saying to stop Prometheus duplicating this code. It's was meant to be switched to the code from common.

[adamdecaf]

Ok. I'm testing that change now locally.

[adamdecaf]

@brian-brazil I'm having trouble implementing prometheus/common#129 into prometheus. I think the reimplementation of basicAuthRoundTripper breaks the ability to compose timeouts with the Authorization header.

Inside util/httpclient/client.go I have:

Details

// NewRoundTripperFromConfig returns a new HTTP RoundTripper configured for the
// given config.HTTPClientConfig. The name is used as go-conntrack metric label.
func NewRoundTripperFromConfig(cfg config_util.HTTPClientConfig, name string) (http.RoundTripper, error) {
	client, err := config_util.NewHTTPClientFromConfig(&cfg)
	if err != nil {
		return nil, err
	}

	// The only timeout we care about is the configured scrape timeout.
	// It is applied on request. So we leave out any timings here.
	if client.Transport == nil {
		client.Transport = &http.Transport{}
	}
	// Apply http.Transport specific settings
	rt, ok := client.Transport.(*http.Transport)
	if ok {
		rt.Proxy = http.ProxyURL(cfg.ProxyURL.URL)
		rt.MaxIdleConns = 20000
		rt.MaxIdleConnsPerHost = 1000 // see https://github.com/golang/go/issues/13801
		rt.DisableKeepAlives = false
		rt.DisableCompression = true
		// 5 minutes is typically above the maximum sane scrape interval. So we can
		// use keepalive for all configurations.
		rt.IdleConnTimeout = 5 * time.Minute
		rt.DialContext = conntrack.NewDialContextFunc(
			conntrack.DialWithTracing(),
			conntrack.DialWithName(name),
		)
		client.Transport = rt
	}

	return client.Transport, nil
}

Prometheus isn't making successful authed requests though.

[adamdecaf]

Hang on. It's a problem with my credentials.

[adamdecaf]

After copying httputil over to the common repo I manually vendored it back into prometheus and then updated the imports/calls.

I'm going to test this out manually to verify the marathon case works.

Edit: It's working.

[adamdecaf]

@brian-brazil Thanks for the prometheus/common merge. I cleaned up this branch and revendored that change here. I'm going to test it locally again just to double check, but this should be g2g.

Edit: It's working for me.

[brian-brazil]

End sentences with a full stop.

[brian-brazil]

This is not the only basic_auth in this file.

[adamdecaf]

@brian-brazil Updated.

[adamdecaf]

That test failed before on this branch too, but it's passing for me locally. All tests pass locally for me.

$ go test -race github.com/prometheus/prometheus/discovery/kubernetes -count 1
ok  	github.com/prometheus/prometheus/discovery/kubernetes	1.474s

[brian-brazil]

That test is known to be flaky.

[brian-brazil]

Thanks!

[juliusv]

This broke basic auth configs without a username due to the new code now requiring them, see #4173.

[alexellis]

Hi folks, what is the static on this PR? Our users could really benefit from this security fix. I can't see it documented in the published site yet? https://prometheus.io/docs/alerting/configuration/#http_config

Thanks,

Alex cc @LucasRoesler

[simonpasquier]

@alexellis the option is already available in AlertManager v0.15.3 but it is true that it isn't documented. As it was implemented in github.com/prometheus/commong, it got added to AlertManager in stealth mode ;-)