does quickwit support any auth to protect the quickwit APIs?

[zywsky]

We build the quickwit cluster and grafana UI. Grafana side is calling quickwit API, through quickwit datasource.

Currently, anyone can call the quickwit search API or the APIs in the quickwit swagger of control plane if he knows the URL. This is not what we want.

We want add some auth in quickwit side, and grafana side will call the quickwit side with related credentials. Or it can be in another way, grafana and quickwit side can do certificate mutual authentication.
Any way, we want quickwit not expose its API directly and want to do some protection.

So want to query and confirm if quickwit side support adding some auth currently?

Thanks a lot.

[zywsky]

This is not a bug, just enhancement..

[rdettai]

There has been some work in that regard (#5533), but we don't have an ETA. For now, I would recommend using a proxy sidecare that does auth and SSL.

[vavdoshka]

@rdettai any pointers to how this proxy can be setup? In the context of cluster-mode when qw nodes need to talk to each other, it seem the proxy with auth is a problem for that.

[rdettai]

I'm sorry @vavdoshka but there are many ways to do that and the best solution will likely depend on the details of your infra. To begin with, QW should probably not be exposed to the public internet, even if it had SSL and authentication support. It's also a problematic that's a bit orthogonal to QW's main focus. To make sure the solution you come up with is robust and secure, you should definitively reach out to an expert.

[vavdoshka]

Thanks for the feedback @rdettai. My use-case is really how to protect the access to the data exposed through QW internally in private network, so that only authorized internal client services can talk to it. We tried with standard approach with nginx sidecar proxy but faced with a difficulty that QW itself can not chat with peer QW nodes in HA mode, it can not propagate the auth info, it expects the communication to happen without any authentication, hence my question is about this specific part - how the QW can work in cluster mode behind authentication if possible? Thanks for any hints.
cc: @kulinskyvs

[katlim-br]

(depending if you are using K8s)

In the helm chart, you can activate an ingress.

If you are running in e.g. AWS, you can map that ingress (nginx) to an ALB that is only internal to your VPC.

[rdettai]

support for TLS is comming: #5689