logcli: add support for basic token authentication

[gcotone]

What this PR does / why we need it:
Add support for basic token authentication in cases where the loki-queriers/frontends are exposed through a reverse proxy doing token/bearer authentication.

Which issue(s) this PR fixes:
Fixes #395 (Partially - it does not implement oauth2)

Special notes for your reviewer:

Checklist

• Documentation added
• Tests updated

[CLAassistant]

All committers have signed the CLA.

[achatterjee-grafana]

@grafana/docs-squad, looking at this.

[codecov-io]

Codecov Report

Merging #2889 into master will decrease coverage by 0.03%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #2889      +/-   ##
==========================================
- Coverage   61.23%   61.20%   -0.04%     
==========================================
  Files         181      181              
  Lines       14574    14579       +5     
==========================================
- Hits         8925     8923       -2     
- Misses       4829     4836       +7     
  Partials      820      820              

Impacted Files	Coverage Δ
pkg/logcli/client/client.go	5.30% <0.00%> (-0.25%)	⬇️
pkg/querier/queryrange/downstreamer.go	95.29% <0.00%> (-2.36%)	⬇️

[achatterjee-grafana]

Added some copy-edits.

[achatterjee-grafana]

LGTM! Thank you for your contribution.

[jgehrcke]

--token

The world of tokens is huge :-). I think the command line flag's name should use the word "bearer" to narrow down the scope a little, semantically.

Adds Authorization header bearer to API requests

I think this sentence can could still be polished, right? :-).

Maybe the most important feedback: personally, I do like the semantics and documentation of bearer_token_file in the Prometheus ecosystem. It's good to enable/encourage setting this sensitive value from a file as the primary method.

From the Prometheus docs:

# Sets the `Authorization` header on every scrape request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]

Related: #2739

What do you think about adding a --bearer-token-file PATH arg instead of --token VALUE?

[daurnimator]

whitespace is off here

[daurnimator]

Why does the Accept header get set here?

[gcotone]

logcli does not set this header elsewhere. By setting it here, we'd expect a 406 error if the response is not adequate (! application/json").
IMHO it should be set for all request but this PR's scope is to add support for bearer tokens.

[daurnimator]

Then leave it out of this PR entirely?

[gcotone]

--token

The world of tokens is huge :-). I think the command line flag's name should use the word "bearer" to narrow down the scope a little, semantically.

Adds Authorization header bearer to API requests

I think this sentence can could still be polished, right? :-).

Maybe the most important feedback: personally, I do like the semantics and documentation of bearer_token_file in the Prometheus ecosystem. It's good to enable/encourage setting this sensitive value from a file as the primary method.

From the Prometheus docs:

# Sets the `Authorization` header on every scrape request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]bearer_token_file

Related: #2739

What do you think about adding a --bearer-token-file PATH arg instead of --token VALUE?

@jgehrcke fair point. Prometheus actually supports both bearer_token and bearer_token_file. I'll adapt this PR to implement them following prometheus semantics.

[stale]

This issue has been automatically marked as stale because it has not had any activity in the past 30 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

[dbluxo]

@gcotone We would need that too, do you still plan to work on it?

[gcotone]

@dbluxo not in the next month or so.

[dbluxo]

@gcotone I have created a new PR: #3585 (based on yours)