does quickwit support any auth to protect the quickwit APIs? #5602

Open
zywsky opened this issue Jan 8, 2025 · 5 comments
Labels
enhancement New feature or request

Comments


zywsky commented Jan 8, 2025

We built a Quickwit cluster and a Grafana UI. The Grafana side calls the Quickwit API through the Quickwit datasource.

Currently, anyone who knows the URL can call the Quickwit search API or the control plane APIs listed in the Quickwit Swagger. This is not what we want.

We want to add some auth on the Quickwit side, and the Grafana side will call the Quickwit side with the related credentials. Or it could be done another way: the Grafana and Quickwit sides could do mutual certificate authentication.
Anyway, we want Quickwit not to expose its API directly, and we want to add some protection.

So we want to ask and confirm whether the Quickwit side currently supports adding some auth?

Thanks a lot.

@zywsky zywsky added the bug Something isn't working label Jan 8, 2025
Author

zywsky commented Jan 8, 2025

This is not a bug, just an enhancement.

@rdettai rdettai added enhancement New feature or request and removed bug Something isn't working labels Jan 9, 2025
Collaborator

rdettai commented Jan 9, 2025

There has been some work in that regard (#5533), but we don't have an ETA. For now, I would recommend using a proxy sidecar that does auth and SSL.

@vavdoshka

@rdettai any pointers on how this proxy can be set up? In the context of cluster mode, when QW nodes need to talk to each other, it seems the proxy with auth is a problem for that.

Collaborator

rdettai commented Jan 23, 2025

I'm sorry @vavdoshka but there are many ways to do that and the best solution will likely depend on the details of your infra. To begin with, QW should probably not be exposed to the public internet, even if it had SSL and authentication support. It's also a problem that's a bit orthogonal to QW's main focus. To make sure the solution you come up with is robust and secure, you should definitely reach out to an expert.

@vavdoshka

Thanks for the feedback @rdettai. My use case is really how to protect access to the data exposed through QW internally in a private network, so that only authorized internal client services can talk to it. We tried the standard approach with an nginx sidecar proxy but faced a difficulty: QW itself cannot talk to peer QW nodes in HA mode, as it cannot propagate the auth info and expects the communication to happen without any authentication. Hence my question is about this specific part: how can QW work in cluster mode behind authentication, if that is possible? Thanks for any hints.
cc: @kulinskyvs
