Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow /metrics by default if auth is off #5974

Merged
merged 1 commit into from
Feb 8, 2021
Merged

Allow /metrics by default if auth is off #5974

merged 1 commit into from
Feb 8, 2021

Conversation

blairdrummond
Copy link
Contributor

Resolves #5973

How to test:

Use this dockerfile to compare

FROM jupyter/minimal-notebook:5cb007f03275  
RUN pip3 install -U git+git://github.com/blairdrummond/notebook.git@prometheus-auth-default

And run docker build . -t jupyter-prom-test

Using the old image, /metrics is blocked even if auth is off

# Auth is ENABLED
docker run -p 8888:8888 \
    -e JUPYTER_ENABLE_LAB=yes  \
     jupyter/minimal-notebook:5cb007f03275 jupyter notebook \
    --no-browser --ip=0.0.0.0  --ServerApp.allow_origin='*'

# Doesn't work, which is GOOD
curl http://0.0.0.0:8888/metrics

# Works
TOKEN=XXXXXXXXX
curl "http://0.0.0.0:8888/metrics?token=$TOKEN"

# Auth is OFF
docker run -p 8888:8888 \
    -e JUPYTER_ENABLE_LAB=yes  \
     jupyter/minimal-notebook:5cb007f03275 jupyter notebook \
    --no-browser --ip=0.0.0.0  --ServerApp.allow_origin='*' \
    --NotebookApp.token='' --ServerApp.password=''

##############################
# Doesn't work, which is BAD!!!!!!!!!!!!
curl http://0.0.0.0:8888/metrics

Using the new image

# Auth is ENABLED
docker run -p 8888:8888 \
    -e JUPYTER_ENABLE_LAB=yes  \
    jupyter-prom-test jupyter notebook \
    --no-browser --ip=0.0.0.0  --ServerApp.allow_origin='*'

# Doesn't work, which is GOOD
curl http://0.0.0.0:8888/metrics

# Works
TOKEN=XXXXXXXXX
curl "http://0.0.0.0:8888/metrics?token=$TOKEN"

# Auth is OFF
docker run -p 8888:8888 \
    -e JUPYTER_ENABLE_LAB=yes  \
    jupyter-prom-test jupyter notebook \
    --no-browser --ip=0.0.0.0  --ServerApp.allow_origin='*' \
    --NotebookApp.token='' --ServerApp.password=''

##############################
# Works!!! Which is GOOD!!!!!!!!!!!!
curl http://0.0.0.0:8888/metrics

@kevin-bates
Copy link
Member

Hi @blairdrummond - thank you for the pull request.

While this approach will certainly work, I was envisioning the initialization of authenticate_prometheus's default value (which is currently hard-coded to True) as the means of addressing this. This way, references to the other two trait values can remain in the application module.

A great example of this happens to be for the token trait's default-value function in which it checks the password's value. I think adding a _default_authenticate_prometheus() function that checks the token and password values would be the appropriate approach with the ultimate default value being True.

Another example is the mathjax_url default checking the enable_mathjax trait.

I hope that helps. Thank again.

@blairdrummond blairdrummond marked this pull request as draft February 4, 2021 22:43
@blairdrummond blairdrummond force-pushed the prometheus-auth-default branch 2 times, most recently from a1c8c17 to 36d5cee Compare February 4, 2021 23:14
@kevin-bates
Copy link
Member

Excellent update! I really like the idea of an informational message, but since authentication is on by default, I think it would be best to only indicate when it's disabled, particularly now that it can be disabled implicitly. Thanks!

@blairdrummond blairdrummond marked this pull request as ready for review February 5, 2021 15:14
@blairdrummond
Copy link
Contributor Author

@kevin-bates how's this?

kevin-bates
kevin-bates approved these changes Feb 5, 2021
View reviewed changes
Copy link
Member

@kevin-bates kevin-bates left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Blair!

@blairdrummond blairdrummond mentioned this pull request Feb 5, 2021
Merged
@kevin-bates kevin-bates merged commit fb443d3 into jupyter:master Feb 8, 2021
@blairdrummond blairdrummond deleted the prometheus-auth-default branch February 8, 2021 16:45
@blink1073 blink1073 added this to the 6.3 milestone Mar 18, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 15, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kevin-bates kevin-bates kevin-bates approved these changes

Assignees
No one assigned
Labels
status:resolved-locked
Projects
None yet
Milestone
6.3
Development

Successfully merging this pull request may close these issues.

/metrics endpoint requires auth even if token and password are empty
3 participants
@blairdrummond @kevin-bates @blink1073