Comment thread
hagen1778 marked this conversation as resolved.
Outdated
Member
Are we sure that every user will understand curl flags like -u and -H? 😁
Probably it is better to just use the username, without the password and route details, like:

frontend-logs-viewer -> vmauth --{service=frontend-logs}--> victorialogs
mobile-logs-viewer -> vmauth --{service=mobile-logs}--> victorialogs
audit-logs-viewer -> vmauth --(no filters enforced)--> victorialogs

I think the config above this diagram makes the details clear enough. The diagram itself should just show high-level routing without the extra details.

Contributor
I'll change the text as suggested and we can see how it looks. If we're not convinced, we can change it further.

1 change: 0 additions & 1 deletion docs/victorialogs/security-and-lb-tenants.excalidraw

This file was deleted.

Binary file removed docs/victorialogs/security-and-lb-tenants.webp
Binary file not shown.
17,701 changes: 17,701 additions & 0 deletions docs/victorialogs/security-and-lb.excalidraw

Large diffs are not rendered by default.

15 changes: 12 additions & 3 deletions docs/victorialogs/security-and-lb.md
Expand Up @@ -24,7 +24,7 @@ to [these docs](https://docs.victoriametrics.com/victoriametrics/vmauth/#authori

See also [how to protect security-sensitive HTTP-based endpoints](https://docs.victoriametrics.com/victorialogs/security-and-lb/#system-endpoints).

## Vmauth config examples
## vmauth config examples

This document contains the following configuration examples for `vmauth`:

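Review bot: lowercasing the heading to `## vmauth config examples` is the right call for consistency with the backticked `vmauth` used everywhere else in this file; since heading anchors are generated in lowercase, `#vmauth-config-examples` should resolve exactly as before, but it is worth a quick check that no other doc links to this section under a differently spelled anchor.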
Expand Down Expand Up @@ -61,6 +61,8 @@ users:

This config instructs `vmauth` accepting requests for the Basic Auth user `foo` with the password `bar`.

![Using vmauth for load balancing with basic authentication](security-and-lb-search-authorization.webp)

Successfully authenticated requests are proxied (load balanced) to one of the VictoriaLogs instances specified in the `url_prefix` list,
if these requests match the `src_paths` regexp, i.e. if they start with `/select/` path prefix.
See [these docs](https://docs.victoriametrics.com/victoriametrics/vmauth/#routing-by-path) for details about the `src_path`.
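Review bot: `security-and-lb-search-authorization.webp` does not appear among the files listed as changed on this page (the only additions shown are `security-and-lb.excalidraw`, with `security-and-lb-tenants.webp` removed), and the same applies to the other new `.webp` embeds further down; make sure every exported image is committed with the markdown, otherwise these render as broken images on the docs site. A small style point on the unchanged context line: `instructs vmauth accepting requests` reads better as `instructs vmauth to accept requests`.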
Expand Down Expand Up @@ -97,6 +99,8 @@ and requests with the path prefix `/hot/select/` to the backend at `http://victo
The backends can be either single-node instances of VictoriaLogs or `vmauth` in front of `vlselect` nodes in [VictoriaLogs cluster](https://docs.victoriametrics.com/victorialogs/cluster/).
See [how to set up `vmauth` in front on multiple `vlselect` nodes](https://docs.victoriametrics.com/victorialogs/security-and-lb/#search-authorization).

![Using vmauth to route by path](security-and-lb-cluster-routing.webp)

This approach is useful when applying different retention policies for various types of logs.
For example, you might store warn-level and higher severity logs in the cold instance/cluster with longer retention,
while keeping debug-level and lower severity logs only in the hot instance/cluster with shorter retention.
Expand Down Expand Up @@ -140,6 +144,8 @@ unauthorized_user:
This allows building a VictoriaLogs storage system with distinct per-tenant retention configs
similar to [this one](https://github.com/VictoriaMetrics/VictoriaLogs/issues/15#issuecomment-3043557052).

![Using vmauth to route by HTTP header](security-and-lb-tenant-based-request-proxying.webp)

See [these docs](https://docs.victoriametrics.com/victoriametrics/vmauth/#routing-by-header) on how to setup request routing in `vmauth` by request headers.
See [these docs](https://docs.victoriametrics.com/victoriametrics/vmauth/#modifying-http-headers) on how to modify request headers before proxying the requests to backends.

Expand Down Expand Up @@ -208,6 +214,8 @@ users:
This configuration allows user `foo` to access 3 different tenants, and user `admin` to access all tenants.
The user `admin` needs to set the required `AccountID` or `ProjectID` headers, because `vmauth` doesn't set them.

![Enforcing TenantID and ProjectID with vmauth and basic authentication](security-and-lb-proxying-requests-to-the-given-tenants.webp)

In Grafana you need to create a separate data source for each tenant and user, an example of such an address is: `http://vmauth:8427/my-account/mobile-logs/`.
Using the configuration above, you do not need to set the tenant in the Grafana data source settings because `vmauth` overrides it to `AccountID: 1`, `ProjectID: 6`.
Each tenant exposes [`vmui`](https://docs.victoriametrics.com/victorialogs/querying/#web-ui) at `/select/vmui/`, for example: `http://vmauth:8427/my-account/mobile-logs/select/vmui/`.
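Review bot: the alt text says `TenantID`, but the surrounding text and the headers `vmauth` sets are `AccountID` and `ProjectID` (the paragraph above talks about the `AccountID` or `ProjectID` headers, and the example below overrides to `AccountID: 1`, `ProjectID: 6`); suggest `![Enforcing AccountID and ProjectID with vmauth and basic authentication](security-and-lb-proxying-requests-to-the-given-tenants.webp)` so the caption uses the real header names.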
Expand Down Expand Up @@ -294,6 +302,8 @@ users:
`extra_filters` and `extra_stream_filters` should be [percent-encoded](https://en.wikipedia.org/wiki/Percent-encoding) when they include characters that are not URL-safe.
For example, the query `_stream:{service=frontend-logs}` should be written as `_stream%3A%7Bservice%3Dfrontend-logs%7D`.

![Enforcing stream filters with vmauth and basic authentication](security-and-lb-access-control-inside-a-single-tenant.webp)

Prefer using `extra_stream_filters` over `extra_filters` whenever possible.
See [LogsQL performance optimization tips](https://docs.victoriametrics.com/victorialogs/logsql/#performance-tips).

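Review bot: the review thread above asked for this diagram to show only high-level routing with the enforced stream filter (e.g. `frontend-logs-viewer -> vmauth --{service=frontend-logs}--> victorialogs`) rather than curl flags, usernames and passwords; please confirm the re-exported `security-and-lb-access-control-inside-a-single-tenant.webp` reflects that before this is merged.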
Expand Down Expand Up @@ -364,8 +374,7 @@ users:

Below is a diagram of this configuration:

![security-and-lb-tenants.webp](security-and-lb-tenants.webp)
{width="600"}
![Enforcing tenantID and projectID with vmauth and basic authentication](security-and-lb-tenant-assignment.webp)

See [how to override http request headers before proxying the requests to backends](https://docs.victoriametrics.com/victoriametrics/vmauth/#modifying-http-headers).

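Review bot: the caption spells `tenantID and projectID` while the earlier caption for proxying requests to the given tenants uses `TenantID and ProjectID`, and both differ from the actual `AccountID`/`ProjectID` header names this section describes; align the casing and naming across the two. Dropping `{width="600"}` is consistent with the other new embeds, none of which carry a width attribute, but check that the full-width render of `security-and-lb-tenant-assignment.webp` is still readable on the docs site.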