Configuration option to return 403 (Forbidden) instead of 401 (Unauthorized) #6959
Milestone
Comments
|
@jwilder is this an OK API change? I think what @PaulKuiper is describing is what it's supposed to be as part of the HTTP spec. I think a 401 is only supposed to be returned if there is something the user can do about not having access (like providing credentials) while a 403 is sent if the user has provided credentials and isn't authorized. It might be worth adding to the 1.0 milestone too if we have time. |
|
Super, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Feature request:
Is it possible to add an option in the InfluxDB config file to return a 403 error code (Forbidden) instead of 401 error code (Unauthorized) when a user is not allowed to access the database?
Reason:
Our InfluxDB instances are behind a Apache proxy server. The Apache server checks the user credentials and forwards the requests to InfluxDB HTTP interface. In the process it prepends the username to the url (and a standard password) it sends to Influx as proxy. A user that tries to access a database he is not allowed to see will get a error response from InfluxDB. The response is a 401 HTTP error code (Unauthorized). This http message is proxied back to the user. The browser will show a a login pop up as a response to the 401 error code. This is an unwanted situation because the user has been Authenticated by the Apache server, it just has no access to the database resource and therefore no popup should appear. It is not possible in Apache to capture the 401 error code and transform it to a 403 (Fobidden) error code (I tried everything). Therefore it would be great if this is configurable in Influx itself.
The text was updated successfully, but these errors were encountered: