Open bill3tt opened 3 years ago
I would assume that `/static/*` endpoints are "safe" but the rest is more problematic IMHO. IIRC we decided on exact paths to avoid users shooting themselves in the foot but maybe it's fine to allow things like `--unsafe-passthrough-paths=/static/*`?
Can we pass through all paths (other than the API endpoints specified explicitly) by default?
It was discussed in https://github.com/prometheus-community/prom-label-proxy/pull/48#issuecomment-716552994 but dismissed as being insecure (at least as long as the legacy UI exists, since the targets and configuration pages may expose sensitive information).
Since https://github.com/prometheus-community/prom-label-proxy/pull/48 was merged, users are required to explicitly state an allowlist of endpoints (`unsafe-passthrough-paths`) that any tenant can retrieve without interference from `prom-label-proxy`. This means that any UI components, which often have complex URIs, require explicit whitelisting to work.
Configuring `prom-label-proxy` to serve the Thanos Querier UI required the following docker command:

It worked :man_shrugging: but the UX was terrible. Each downstream UI component version will require a carefully constructed set of `unsafe-passthrough-paths`.

Personally, I have no requirements other than attempting to fix the tutorial (https://github.com/thanos-io/thanos/issues/4309). However, this is a reasonable enough use-case for others to require.
Safe defaults were mentioned in https://github.com/prometheus-community/prom-label-proxy/pull/48#issuecomment-768225385, but they do not appear to have been implemented.
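The exact-path versus `/static/*` glob allowlist discussed in this thread, as an added example in Go that is not prom-label-proxy's own code; the type and function names are hypothetical, and rejecting a bare `*` or `/*` pattern is an assumption about what a safe-by-default matcher would do, chosen so the targets and configuration pages cannot be passed through by accident:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// passthroughMatcher is a hypothetical allowlist, added here as an example and
// not prom-label-proxy's own code. A pattern is either an exact path or a
// "prefix/*" glob that matches every path below that prefix.
type passthroughMatcher struct {
	exact    map[string]struct{}
	prefixes []string
}

// newPassthroughMatcher parses the allowlist. A bare "*" or "/*" is rejected
// because it would pass through every path, including the targets and
// configuration pages that the thread notes may expose sensitive information.
func newPassthroughMatcher(patterns []string) (*passthroughMatcher, error) {
	m := &passthroughMatcher{exact: map[string]struct{}{}}
	for _, p := range patterns {
		switch {
		case p == "*" || p == "/*":
			return nil, fmt.Errorf("pattern %q would pass through every path", p)
		case strings.HasSuffix(p, "/*"):
			m.prefixes = append(m.prefixes, strings.TrimSuffix(p, "*")) // keeps the trailing "/"
		case strings.Contains(p, "*"):
			return nil, fmt.Errorf("pattern %q: only a trailing /* glob is supported", p)
		default:
			m.exact[p] = struct{}{}
		}
	}
	return m, nil
}

// Passthrough reports whether a request path may bypass label enforcement.
// The path is cleaned first so "/static/../config" is judged as "/config".
func (m *passthroughMatcher) Passthrough(p string) bool {
	p = path.Clean(p)
	if _, ok := m.exact[p]; ok {
		return true
	}
	for _, prefix := range m.prefixes {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}
```

With `["/static/*", "/graph"]` the matcher passes `/static/js/main.js` and `/graph` through, while `/api/v1/query`, `/config` and `/static/../config` still go through label enforcement.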