VictoriaMetrics vmauth 说明

VictoriaMetrics 的auth 组件是为了增强安全的,基于golang 的httputil.ReverseProxy ,当前支持的模式比较简单(基于配置文件)

包含的命令

vmauth-20200511-085829-heads-cluster-0-g6c88e352
Usage of ./vmauth:
  -auth.config string
        Path to auth config. See https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmauth/README.md for details on the format of this auth config
  -enableTCP6
        Whether to enable IPv6 for listening and dialing. By default only IPv4 TCP is used
  -http.disableResponseCompression
        Disable compression of HTTP responses for saving CPU resources. By default compression is enabled to save network bandwidth
  -http.maxGracefulShutdownDuration duration
        The maximum duration for graceful shutdown of HTTP server. Highly loaded server may require increased value for graceful shutdown (default 7s)
  -http.pathPrefix string
        An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus
  -http.shutdownDelay duration
        Optional delay before http server shutdown. During this dealy the servier returns non-OK responses from /health page, so load balancers can route new requests to other servers
  -httpListenAddr string
        TCP address to listen for http connections (default ":8427")
  -loggerFormat string
        Format for logs. Possible values: default, json (default "default")
  -loggerLevel string
        Minimum level of errors to log. Possible values: INFO, WARN, ERROR, FATAL, PANIC (default "INFO")
  -loggerOutput string
        Output for the logs. Supported values: stderr, stdout (default "stderr")
  -memory.allowedPercent float
        Allowed percent of system memory VictoriaMetrics caches may occupy. Too low value may increase cache miss rate, which usually results in higher CPU and disk IO usage. Too high value may evict too much data from OS page cache, which will result in higher disk IO usage (default 60)
  -version
        Show VictoriaMetrics version

配置参考格式

yaml 格式:

users:
  # The user for querying local single-node VictoriaMetrics.
  # All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
  # will be routed to http://localhost:8428 .
  # For example, http://vmauth:8427/api/v1/query is routed to http://localhost:8428/api/v1/query
- username: "local-single-node"
  password: "***"
  url_prefix: "http://localhost:8428"
  # The user for querying account 123 in VictoriaMetrics cluster
  # See https://github.com/VictoriaMetrics/VictoriaMetrics/blob/cluster/README.md#url-format
  # All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
  # will be routed to http://vmselect:8481/select/123/prometheus .
  # For example, http://vmauth:8427/api/v1/query is routed to http://vmselect:8481/select/123/prometheus/api/v1/select
- username: "cluster-select-account-123"
  password: "***"
  url_prefix: "http://vmselect:8481/select/123/prometheus"
  # The user for inserting Prometheus data into VictoriaMetrics cluster under account 42
  # See https://github.com/VictoriaMetrics/VictoriaMetrics/blob/cluster/README.md#url-format
  # All the reuqests to http://vmauth:8427 with the given Basic Auth (username:password)
  # will be routed to http://vminsert:8480/insert/42/prometheus .
  # For example, http://vmauth:8427/api/v1/write is routed to http://vminsert:8480/insert/42/prometheus/api/v1/write
- username: "cluster-insert-account-42"
  password: "***"
  url_prefix: "http://vminsert:8480/insert/42/prometheus"
   
  • 说明
    当前配置还是比较简单的,主要是基于静态配置文件,后期应该会有调整的,用户动态代理基于username

启动

  • 命令
 
vmauth -auth.config=/path/to/auth/config.yaml
  • 说明
    以上是默认配置,当然实际使用推荐的还是基于tls的

说明

当前VictoriaMetrics 的vmauth,对于账户管理还是比较简单的,实际上我们也可以自己扩展,比如基于webhook的模式,以及基于ldap,还有db
存储的模式

参考资料

https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmauth/README.md

上一篇:VictoriaMetrics v1.36.0 的一些新功能


下一篇:vmagent 方便的prometheus存储兼容的agent