
Monitoring: Loki Basic Authentication limitation prevents Cloud Monitoring
Open, Normal, Public, BUG

Description

Telegraf Loki authentication is limited to ASCII characters with a total of 128 characters. Certain cloud providers (e.g. Grafana Cloud) use much longer authentication tokens; these cannot be manually changed or shortened if a native log transfer to the cloud is desired. Currently the only workaround is to send to a local target (i.e. Alloy) first to relay to the cloud.

vyos@core1# set service monitoring telegraf loki authentication password glc_eyJvIjoiNjE0OTc0IiwibiI6InN0YWNrLTMyOTU4OS1obC13cml0ZS1sb2dzLW1ldHJpY3Mtd3JpdGUtdnlvcyIsImsiOiJZNXAzZTAxNVJJVDBBYm43SjNGczVBdzciLCJtIjp7InIiOiJldSJ9fQ==

  Password is limited to ASCII characters only, with a total length of 128
  Value validation failed
  Set failed
## echo glc_eyJvIjoiNjE0OTc0IiwibiI6InN0YWNrLTMyOTU4OS1obC13cml0ZS1sb2dzLW1ldHJpY3Mtd3JpdGUtdnlvcyIsImsiOiJZNXAzZTAxNVJJVDBBYm43SjNGczVBdzciLCJtIjp7InIiOiJldSJ9fQ== |wc -c
     157

Proposal: increase limit to higher value

Details

Version
VyOS 1.5-rolling-202410300007
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

namtech changed Is it a breaking change? from Unspecified (possibly destroys the router) to Behavior change. Tue, Nov 12, 11:46 AM
Viacheslav subscribed.

We use the common generic password, which has limits.
We should change it here.
What number of symbols would be better?

Technically the limit would be defined by the HTTP header length (and the allowed header sizes configured in httpd); HTTP basic auth itself has no restrictions in the context of being Base64 encoded.
Often restrictions are from the tooling side, not the protocol side. I.e. Apache htpasswd-generated passwords and usernames (under Windows) are limited to 255 chars, but again this is a tool limit, not a header limit.
(Source: https://httpd.apache.org/docs/2.4/programs/htpasswd.html#restrictions)
256 (255) could be a reasonable value that matches this specific constraint.

Another option: allow the auth header to be set as Base64.

echo -n "joeuser:secretpass" | base64
am9ldXNlcjpzZWNyZXRwYXNz

set service monitoring telegraf loki authentication header am9ldXNlcjpzZWNyZXRwYXNz
?
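
The size question discussed in this task, as an added example that is not part of the ticket or VyOS code: it applies an ASCII-and-length check at 128 and 256 characters and computes the size of the resulting Basic auth header. `check_password`, `basic_auth_header`, `report` and the sample values are hypothetical names constructed for illustration, and the check only models the rule stated in the error message, not the actual VyOS validator.

```python
import base64

# 128 is the limit quoted in the error message above; 256 is the value
# suggested in the discussion. Both are used here only for comparison.
CURRENT_LIMIT = 128
PROPOSED_LIMIT = 256


def check_password(password, limit):
    """Return the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if not password.isascii():
        problems.append("non-ASCII characters")
    if len(password) > limit:
        problems.append(f"length {len(password)} exceeds {limit}")
    return problems


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic auth (RFC 7617)."""
    if ":" in username:
        # The first colon separates user-id from password, so a colon in the
        # user-id would shift part of it into the password on the server side.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def report(username, password):
    """Summarise validation results and the on-the-wire header size."""
    header = basic_auth_header(username, password)
    return {
        "password_length": len(password),
        "rejected_at_128": check_password(password, CURRENT_LIMIT),
        "rejected_at_256": check_password(password, PROPOSED_LIMIT),
        "header_length": len("Authorization: " + header),
    }


# Constructed sample values (not a real credential): a 156-character token.
SAMPLE_USER = "123456"
SAMPLE_TOKEN = "glc_" + "A" * 152

if __name__ == "__main__":
    print(report(SAMPLE_USER, SAMPLE_TOKEN))
```

Base64 expands the `user:password` pair by roughly a third, so even a token that fits a 256-character limit produces a header that stays far below the header sizes web servers commonly accept.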