Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

logcli: add support for basic token authentication #2889

Closed
wants to merge 3 commits into from
Closed

logcli: add support for basic token authentication #2889

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
acbfb2d
logcli: add support for basic token authentication
gcotone Nov 5, 2020
fef9d42
Update docs for logcli token authentication
gcotone Nov 6, 2020
b5c8d51
logcli: add support for basic token authentication II
gcotone Nov 6, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cmd/logcli/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,7 @@ func newQueryClient(app *kingpin.Application) client.Client {
app.Flag("cert", "Path to the client certificate. Can also be set using LOKI_CLIENT_CERT_PATH env var.").Default("").Envar("LOKI_CLIENT_CERT_PATH").StringVar(&client.TLSConfig.CertFile)
app.Flag("key", "Path to the client certificate key. Can also be set using LOKI_CLIENT_KEY_PATH env var.").Default("").Envar("LOKI_CLIENT_KEY_PATH").StringVar(&client.TLSConfig.KeyFile)
app.Flag("org-id", "adds X-Scope-OrgID to API requests for representing tenant ID. Useful for requesting tenant data when bypassing an auth gateway.").Default("").Envar("LOKI_ORG_ID").StringVar(&client.OrgID)
app.Flag("token", "adds Authorization header bearer to API requests for authentication purposes. Can also be set using LOKI_TOKEN env var.").Default("").Envar("LOKI_TOKEN").StringVar(&client.Token)

return client
}
Expand Down
10 changes: 9 additions & 1 deletion docs/sources/getting-started/logcli.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ $ export LOKI_ADDR=http://localhost:3100

> Note: If you are running Loki behind a proxy server and you have
> authentication configured, you will also have to pass in LOKI_USERNAME
> and LOKI_PASSWORD accordingly.
> and LOKI_PASSWORD, or LOKI_TOKEN accordingly.

```bash
$ logcli labels job
Expand Down Expand Up @@ -111,6 +111,8 @@ Flags:
--key="" Path to the client certificate key. Can also be set using LOKI_CLIENT_KEY_PATH env var.
--org-id="" adds X-Scope-OrgID to API requests for representing tenant ID. Useful for requesting tenant data when
bypassing an auth gateway.
--token="" adds Authorization header bearer to API requests for authentication purposes. Can also be set
gcotone marked this conversation as resolved.
Show resolved Hide resolved
using LOKI_TOKEN env var.

Commands:
help [<command>...]
Expand Down Expand Up @@ -195,6 +197,8 @@ Flags:
--key="" Path to the client certificate key. Can also be set using LOKI_CLIENT_KEY_PATH env var.
--org-id="" adds X-Scope-OrgID to API requests for representing tenant ID. Useful for requesting tenant data when
bypassing an auth gateway.
--token="" adds Authorization header bearer to API requests for authentication purposes. Can also be set
gcotone marked this conversation as resolved.
Show resolved Hide resolved
using LOKI_TOKEN env var.
--limit=30 Limit on number of entries to print.
--since=1h Lookback window.
--from=FROM Start looking for logs at this absolute time (inclusive).
Expand Down Expand Up @@ -243,6 +247,8 @@ Flags:
--key="" Path to the client certificate key. Can also be set using LOKI_CLIENT_KEY_PATH env var.
--org-id="" adds X-Scope-OrgID to API requests for representing tenant ID. Useful for requesting tenant data when
bypassing an auth gateway.
--token="" adds Authorization header bearer to API requests for authentication purposes. Can also be set
gcotone marked this conversation as resolved.
Show resolved Hide resolved
using LOKI_TOKEN env var.
--since=1h Lookback window.
--from=FROM Start looking for labels at this absolute time (inclusive).
--to=TO Stop looking for labels at this absolute time (exclusive).
Expand Down Expand Up @@ -274,6 +280,8 @@ Flags:
--key="" Path to the client certificate key. Can also be set using LOKI_CLIENT_KEY_PATH env var.
--org-id="" adds X-Scope-OrgID to API requests for representing tenant ID. Useful for requesting tenant data when
bypassing an auth gateway.
--token="" adds Authorization header bearer to API requests for authentication purposes. Can also be set
gcotone marked this conversation as resolved.
Show resolved Hide resolved
using LOKI_TOKEN env var.
--since=1h Lookback window.
--from=FROM Start looking for logs at this absolute time (inclusive).
--to=TO Stop looking for logs at this absolute time (exclusive).
Expand Down
11 changes: 11 additions & 0 deletions pkg/logcli/client/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ type DefaultClient struct {
Password string
Address string
OrgID string
Token string
}

// Query uses the /api/v1/query endpoint to execute an instant query
Expand Down Expand Up @@ -178,6 +179,12 @@ func (c *DefaultClient) doRequest(path, query string, quiet bool, out interface{
req.Header.Set("X-Scope-OrgID", c.OrgID)
}

//The token presence overrides basic-auth authentication
if c.Token != "" {
req.Header.Set("Authorization", "Bearer "+c.Token)
req.Header.Add("Accept", "application/json")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does the Accept header get set here?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

logcli does not set this header elsewhere. By setting it here, we'd expect a 406 error if the response is not adequate (! application/json").
IMHO it should be set for all request but this PR's scope is to add support for bearer tokens.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then leave it out of this PR entirely?

}

// Parse the URL to extract the host
clientConfig := config.HTTPClientConfig{
TLSConfig: c.TLSConfig,
Expand Down Expand Up @@ -232,6 +239,10 @@ func (c *DefaultClient) wsConnect(path, query string, quiet bool) (*websocket.Co
h.Set("X-Scope-OrgID", c.OrgID)
}

if c.Token != "" {
h.Set("Authorization", "Bearer "+c.Token)
}

ws := websocket.Dialer{
TLSClientConfig: tlsConfig,
}
Expand Down