fix(prometheus): disable auth for prometheus endpoint on mgmt listener

CHANGES-4.3.md

@@ -30,7 +30,7 @@ File format:
 - TLS listener default buffer size to 4KB [#9007](https://github.com/emqx/emqx/pull/9007)
   Eliminate uncertainty that the buffer size is set by OS default.
 
-- Disable authorization for `api/v4/emqx_prometheus` endpoint. [8955](https://github.com/emqx/emqx/pull/8955)
+- Disable authorization for `api/v4/emqx_prometheus` endpoint. [#8955](https://github.com/emqx/emqx/pull/8955)
 
 - Added a test to prevent a last will testament message to be
   published when a client is denied connection. [#8894](https://github.com/emqx/emqx/pull/8894)

apps/emqx_management/src/emqx_mgmt_http.erl

@@ -124,6 +124,11 @@ handle_request(_Method, _Path, Req) ->
     cowboy_req:reply(400, #{<<"content-type">> => <<"text/plain">>}, <<"Not found.">>, Req).
 
 authorize_appid(Req) ->
+    authorize_appid(cowboy_req:method(Req), cowboy_req:path(Req), Req).
+
+authorize_appid(<<"GET">>, <<"/api/v4/emqx_prometheus">>, _Req) ->
+    true;
+authorize_appid(_Method, _Path, Req) ->
     try
         {basic, AppId, AppSecret} = cowboy_req:parse_header(<<"authorization">>, Req),
         emqx_mgmt_auth:is_authorized(AppId, AppSecret)

changes/v4.3.22-en.md

@@ -70,8 +70,8 @@
   Note that the `id` in `POST /api/v4/rules` should be literals (not encoded) when creating a `rule` or `resource`.
   See docs [Create Rule](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-rules) [Create Resource](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-resources).
 
-
 - Calling 'DELETE /alarms/deactivated' now deletes deactived alarms on all nodes, including remote nodes, not just the local node [#9280](https://github.com/emqx/emqx/pull/9280).
 
 - When republishing messages or bridge messages to other brokers, check the validity of the topic and make sure it does not have topic wildcards [#9291](https://github.com/emqx/emqx/pull/9291).
 
+- Disable authorization for `api/v4/emqx_prometheus` endpoint on management api listener (default 8081) [#9294](https://github.com/emqx/emqx/pull/9294).

changes/v4.3.22-zh.md

@@ -64,8 +64,8 @@
   注意在创建规则或资源时，HTTP body 中的 `id` 字段仍为字面值，而不是编码之后的值。
   详情请参考 [创建规则](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-rules) 和 [创建资源](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-resources)。
 
-
 - 修复调用 'DELETE /alarms/deactivated' 只在单个节点上生效的问题，现在将会删除所有节点上的非活跃警告 [#9280](https://github.com/emqx/emqx/pull/9280)。
 
 - 在进行消息重发布或桥接消息到其他 mqtt broker 时，检查 topic 合法性，确定其不带有主题通配符 [#9291](https://github.com/emqx/emqx/pull/9291)。
 
+- 关闭管理端口（默认为8081）上对 HTTP API `api/v4/emqx_prometheus` 的认证，Prometheus 对时序数据抓取不在需要配置认证 [#9294](https://github.com/emqx/emqx/pull/9294)。

lib-ce/emqx_dashboard/src/emqx_dashboard.erl

@@ -107,13 +107,13 @@ http_handlers() ->
 %%--------------------------------------------------------------------
 
 is_authorized(Req) ->
-    is_authorized(binary_to_list(cowboy_req:path(Req)), Req).
+    is_authorized(cowboy_req:method(Req), cowboy_req:path(Req), Req).
 
-is_authorized("/api/v4/emqx_prometheus", _Req) ->
+is_authorized(<<"GET">>, <<"/api/v4/emqx_prometheus">>, _Req) ->
     true;
-is_authorized("/api/v4/auth", _Req) ->
+is_authorized(<<"POST">>, <<"/api/v4/auth">>, _Req) ->
     true;
-is_authorized(_Path, Req) ->
+is_authorized(_Method, _Path, Req) ->
     try
         {basic, Username, Password} = cowboy_req:parse_header(<<"authorization">>, Req),
         case emqx_dashboard_admin:check(iolist_to_binary(Username), iolist_to_binary(Password)) of