Describe the bug
It looks like authentication for the metrics endpoint has been disabled by #1129.
I am pretty sure that these metrics can allow an external party to gather some information on what is going on in a system, as it can leak information that developers may not have thought to ever be available to the outside, like the task names.
When basic authentication is enabled, this endpoint should also require authentication by default, as many users will either not use the metrics endpoint at all, or will be able to configure a scraper to use these credentials.
Alternatively, at least allow enabling authentication here as well. For me, this renders the built-in authentication completely useless and I will need to set it up in my reverse proxy instead.
To Reproduce
Steps to reproduce the behavior:
Set up Basic Authentication for flower
Access the /metrics endpoint without authentication
Expected behavior
By default, the metrics endpoint requires authentication.
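The reverse-proxy workaround mentioned in the report, as an added example that is not part of the original issue or of the Flower project: nginx enforces HTTP basic auth on /metrics itself, so the endpoint stays protected regardless of Flower's built-in setting. The hostname, the Flower address 127.0.0.1:5555, the htpasswd path, the certificate paths and the scraper subnet are all assumptions.

```nginx
# Added example (not Flower project configuration). Assumptions:
#   - Flower listens on 127.0.0.1:5555 behind this proxy
#   - /etc/nginx/flower.htpasswd was created with `htpasswd -B`
#   - the Prometheus scraper lives in 10.0.0.0/8
server {
    listen 443 ssl;
    server_name flower.example.com;                      # assumed hostname

    ssl_certificate     /etc/nginx/certs/flower.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/certs/flower.key;     # placeholder path

    # Flower's own basic auth does not cover /metrics, so enforce it here.
    # `satisfy any` lets the scraper subnet in without credentials and
    # requires a username/password from everyone else.
    location = /metrics {
        satisfy any;
        allow 10.0.0.0/8;                                # assumed scraper subnet
        deny  all;

        auth_basic           "Flower metrics";
        auth_basic_user_file /etc/nginx/flower.htpasswd;

        proxy_pass       http://127.0.0.1:5555/metrics;
        proxy_set_header Host $host;
    }

    # Everything else: Flower's dashboard and API. Basic auth is enforced
    # here too, so the protection does not depend on Flower's --basic_auth.
    location / {
        auth_basic           "Flower";
        auth_basic_user_file /etc/nginx/flower.htpasswd;

        proxy_pass       http://127.0.0.1:5555;
        proxy_set_header Host $host;
    }
}
```

After reloading nginx, an unauthenticated `curl -i https://flower.example.com/metrics` from outside the scraper subnet should return 401 rather than the metrics body.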
I'd also like to add that even though the list of unauthenticated endpoints is at the top of the documentation page, many people will skip the introduction and go straight to their preferred authentication method, not realising that the metrics won't be protected.