From 639006e3025d96a4437b66176ee2a42b306d7fcd Mon Sep 17 00:00:00 2001
From: JimMoen
Date: Thu, 3 Nov 2022 18:13:23 +0800
Subject: [PATCH] fix(prometheus): disable auth for prometheus endpoint on mgmt listener
---
 CHANGES-4.3.md | 2 +-
 apps/emqx_management/src/emqx_mgmt_http.erl | 5 +++++
 changes/v4.3.22-en.md | 2 +-
 changes/v4.3.22-zh.md | 2 +-
 lib-ce/emqx_dashboard/src/emqx_dashboard.erl | 8 ++++----
 5 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/CHANGES-4.3.md b/CHANGES-4.3.md
index c812713db..097801127 100644
--- a/CHANGES-4.3.md
+++ b/CHANGES-4.3.md
@@ -30,7 +30,7 @@ File format:
 - TLS listener default buffer size to 4KB [#9007](https://github.com/emqx/emqx/pull/9007) Eliminate uncertainty that the buffer size is set by OS default.
-- Disable authorization for `api/v4/emqx_prometheus` endpoint. [8955](https://github.com/emqx/emqx/pull/8955)
+- Disable authorization for `api/v4/emqx_prometheus` endpoint. [#8955](https://github.com/emqx/emqx/pull/8955)
 - Added a test to prevent a last will testament message to be published when a client is denied connection. [#8894](https://github.com/emqx/emqx/pull/8894)
diff --git a/apps/emqx_management/src/emqx_mgmt_http.erl b/apps/emqx_management/src/emqx_mgmt_http.erl
index 8cddc11b2..57c54ed3f 100644
--- a/apps/emqx_management/src/emqx_mgmt_http.erl
+++ b/apps/emqx_management/src/emqx_mgmt_http.erl
@@ -124,6 +124,11 @@ handle_request(_Method, _Path, Req) ->
 cowboy_req:reply(400, #{<<"content-type">> => <<"text/plain">>}, <<"Not found.">>, Req).
 authorize_appid(Req) ->
+ authorize_appid(cowboy_req:method(Req), cowboy_req:path(Req), Req).
+
+authorize_appid(<<"GET">>, <<"/api/v4/emqx_prometheus">>, _Req) ->
+ true;
+authorize_appid(_Method, _Path, Req) ->
 try
 {basic, AppId, AppSecret} = cowboy_req:parse_header(<<"authorization">>, Req),
 emqx_mgmt_auth:is_authorized(AppId, AppSecret)
diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md
index 386b9b0ff..1a83ae650 100644
--- a/changes/v4.3.22-en.md
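Review bot: The new `authorize_appid(<<"GET">>, <<"/api/v4/emqx_prometheus">>, _Req) -> true;` clause in emqx_mgmt_http.erl is a hard-coded authentication exemption with no comment and no visible switch, so whatever the metrics endpoint returns becomes readable by anyone who can reach the management listener. I would put `%% Intentionally unauthenticated so Prometheus can scrape without an app id/secret; restrict access to this listener at the network level.` above the clause, and consider gating it on a configuration flag so operators can keep the endpoint authenticated. The same path literal is matched again in emqx_dashboard:is_authorized/3 later in this patch; a shared macro for the path would keep the two exemptions from drifting apart. The match is on the exact method and path, so any other spelling of the path still falls through to the basic-auth clause, whose body continues outside the hunk.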
+++ b/changes/v4.3.22-en.md
@@ -70,8 +70,8 @@ Note that the `id` in `POST /api/v4/rules` should be literals (not encoded) when creating a `rule` or `resource`. See docs [Create Rule](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-rules) [Create Resource](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-resources).
-
 - Calling 'DELETE /alarms/deactivated' now deletes deactived alarms on all nodes, including remote nodes, not just the local node [#9280](https://github.com/emqx/emqx/pull/9280).
 - When republishing messages or bridge messages to other brokers, check the validity of the topic and make sure it does not have topic wildcards [#9291](https://github.com/emqx/emqx/pull/9291).
+- Disable authorization for `api/v4/emqx_prometheus` endpoint on management api listener (default 8081) [#9294](https://github.com/emqx/emqx/pull/9294).
diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md
index 9304d5c2e..38944d499 100644
--- a/changes/v4.3.22-zh.md
+++ b/changes/v4.3.22-zh.md
@@ -64,8 +64,8 @@ 注意在创建规则或资源时,HTTP body 中的 `id` 字段仍为字面值,而不是编码之后的值。 详情请参考 [创建规则](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-rules) 和 [创建资源](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-resources)。
-
 - 修复调用 'DELETE /alarms/deactivated' 只在单个节点上生效的问题,现在将会删除所有节点上的非活跃警告 [#9280](https://github.com/emqx/emqx/pull/9280)。
 - 在进行消息重发布或桥接消息到其他 mqtt broker 时,检查 topic 合法性,确定其不带有主题通配符 [#9291](https://github.com/emqx/emqx/pull/9291)。
+- 关闭管理端口(默认为8081)上对 HTTP API `api/v4/emqx_prometheus` 的认证,Prometheus 对时序数据抓取不在需要配置认证 [#9294](https://github.com/emqx/emqx/pull/9294)。
diff --git a/lib-ce/emqx_dashboard/src/emqx_dashboard.erl b/lib-ce/emqx_dashboard/src/emqx_dashboard.erl
index 517211607..3ad0694c4 100644
--- a/lib-ce/emqx_dashboard/src/emqx_dashboard.erl
+++ b/lib-ce/emqx_dashboard/src/emqx_dashboard.erl
@@ -107,13 +107,13 @@ http_handlers() ->
 %%--------------------------------------------------------------------
 is_authorized(Req) ->
- is_authorized(binary_to_list(cowboy_req:path(Req)), Req).
+ is_authorized(cowboy_req:method(Req), cowboy_req:path(Req), Req).
-is_authorized("/api/v4/emqx_prometheus", _Req) ->
+is_authorized(<<"GET">>, <<"/api/v4/emqx_prometheus">>, _Req) ->
 true;
-is_authorized("/api/v4/auth", _Req) ->
+is_authorized(<<"POST">>, <<"/api/v4/auth">>, _Req) ->
 true;
-is_authorized(_Path, Req) ->
+is_authorized(_Method, _Path, Req) ->
 try
 {basic, Username, Password} = cowboy_req:parse_header(<<"authorization">>, Req),
 case emqx_dashboard_admin:check(iolist_to_binary(Username), iolist_to_binary(Password)) of
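Review bot: Pinning the `/api/v4/auth` exemption to POST in emqx_dashboard.erl changes behaviour beyond what the subject and the changelog entries describe: every other method on that path now falls through to `is_authorized(_Method, _Path, Req)` and goes through the credential check. That is the safer default, but it deserves a changelog line and a comment above the clauses, for example `%% Only the login POST and the Prometheus scrape GET skip authentication; every other method/path needs credentials.` A test that sends a non-POST request to `/api/v4/auth` and a non-GET request to `/api/v4/emqx_prometheus` without credentials would keep this allowlist from widening again unnoticed. The body of the last clause continues outside the hunk.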