You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2020/04/02 17:20:47 UTC
[GitHub] [hadoop-ozone] xiaoyuyao commented on issue #751: HDDS-3321. Prometheus endpoint should not have Authentication filter …
xiaoyuyao commented on issue #751: HDDS-3321. Prometheus endpoint should not have Authentication filter …
URL: https://github.com/apache/hadoop-ozone/pull/751#issuecomment-607980977
@elek historically, hadoop web endpoint apply authentication filter only on the public ones and not the internal ones. Later on, we harden the endpoint protection by enforcing authentication filter on an All OR NONE basis.
Given the fact that prometheus does not support SPNEGO yet, there are three options:
1. disable /prom endpoint completely when http authentication is configured.
2. leave /prom endpoint as is and wait for prometheus to support SPNEGO.
3. skip authentication filter for /prom endpoint which is the approach taken in this PR so that prometheus server can access the endpoint without SPNEGO.
Both 1,2 will make /prom endpoint useless in production (secured) environment. With security concern on 3, we could have a configuration switch to disable this by default and revert it when SPNEGO is supported by prometheus.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org