Secure Prometheus Server With Basic Password Authentication


Prometheus is a free and open-source tool for real-time monitoring and alerting, written in Go. It records metrics in a time-series database using an HTTP pull model, in which the server scrapes targets rather than targets pushing to the server. This model gives Prometheus high performance and scalability.

The Prometheus monitoring tool is made up of several components:

  • PromQL – This is the query language used to create dashboards and filter multi-dimensional time-series data.
  • Exporters – They run on the monitored hosts and are used to export metrics from third-party systems.
  • Alertmanager – It triggers alerts based on the collected metrics.
  • Prometheus – Centralizes and stores the metrics.
  • Grafana – This tool is used to visualize data polled by Prometheus. It produces dashboards for monitoring and analysis.

This guide demonstrates how to secure Prometheus Server with Basic Authentication. Securing Prometheus Server with Basic Authentication means that every user accessing the Prometheus instance, whether through the web console or the API, must supply a username and password.

For this guide, I assume that you already have the Prometheus Server installed and running. Otherwise, you will have to install it using the dedicated guides below:

Once installed, you can proceed with the below steps.

Step 1 – Hashing a password

For this guide, we will create an admin user and protect it with a password of your choice. Prometheus never stores the password itself; the web configuration holds a bcrypt hash of it, so generate that hash first. This requires the python3-bcrypt package, which can be installed as below:

##On Debian/Ubuntu
sudo apt update
sudo apt install python3-bcrypt -y

##On CentOS/Rocky/Alma Linux
sudo yum -y install epel-release
sudo yum -y install python3-bcrypt

Once installed, create a python script that will prompt for the password.

$ vim gen-pass.py
import getpass
import bcrypt

# getpass reads the password without echoing it to the terminal or shell history
password = getpass.getpass("password: ")
# gensalt() uses bcrypt's default cost factor of 12; hashpw returns bytes
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())

Save the script and run it as below:

python3 gen-pass.py

Proceed and provide the preferred password:

password: 
$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS

Save the generated hash somewhere; you will need it in the steps below.

Step 2 – Creating Web YAML File

Proceed and create a YAML Prometheus web configuration file to be loaded. Prometheus re-reads this file on each HTTP request. For this guide, my YAML file is at /etc/prometheus/ as web.yml. Now add the authentication for the endpoints as below:

$ sudo vim /etc/prometheus/web.yml
basic_auth_users:
  admin: '$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS'

Replace $2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS with the bcrypt hash you generated in Step 1, keeping the single quotes around it.

You can validate the file with promtool before pointing Prometheus at it:

$ promtool check web-config /etc/prometheus/web.yml
/etc/prometheus/web.yml SUCCESS
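promtool confirms the YAML is well formed, but it is worth catching the two mistakes seen most often with this file: pasting the plaintext password instead of the hash, and losing characters from the hash while copying it. The following offline lint is an added example (not promtool's or Prometheus's own code) that uses only the standard library; it understands only the flat basic_auth_users block this guide uses and skips other top-level keys, and the MIN_COST floor of 10 is an assumed policy, not a Prometheus requirement.

```python
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, a two-digit cost, then a
# 22-char salt and 31-char digest from bcrypt's own base64 alphabet (53 chars).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed policy floor; python3-bcrypt's gensalt() defaults to 12


def parse_basic_auth_users(text):
    """Extract the basic_auth_users mapping from a Prometheus web.yml.

    Minimal hand-rolled parser (no PyYAML needed) for the flat
    'user: hash' block; other top-level keys are ignored.
    """
    users = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):  # a new top-level key
            in_block = line.strip() == "basic_auth_users:"
            continue
        if in_block and ":" in line:
            user, _, value = line.strip().partition(":")
            users[user.strip()] = value.strip().strip("'\"")
    return users


def lint_web_config(text):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    users = parse_basic_auth_users(text)
    if not users:
        problems.append("no basic_auth_users block: every endpoint stays unauthenticated")
    for user, value in users.items():
        m = BCRYPT_RE.match(value)
        if not m:
            problems.append(f"{user}: value is not a bcrypt hash (plaintext or truncated?)")
        elif int(m.group(1)) < MIN_COST:
            problems.append(f"{user}: bcrypt cost {m.group(1)} is below {MIN_COST}")
    return problems


# Constructed sample files: the guide's hash, then a plaintext password,
# a truncated copy of the hash, and the same hash with a low cost field.
GOOD = "basic_auth_users:\n  admin: '$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS'\n"
BAD = (
    "basic_auth_users:\n"
    "  admin: 'hunter2'  # plaintext pasted by mistake\n"
    "  ops: '$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfm'\n"
    "  weak: '$2b$04$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS'\n"
)

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, lint_web_config(text) or "OK")
```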

Step 3 – Launch Prometheus Server

Now we will launch the Prometheus Server with the web configuration we created.

Update your Prometheus systemd unit file so that ExecStart passes the web configuration file through the --web.config.file flag:

$ sudo vim /etc/systemd/system/prometheus.service 
[Unit]
Description=Prometheus
Documentation=https://prometheus.io/docs/introduction/overview/
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
Environment="GOMAXPROCS=1"
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/prometheus \
  --config.file=/etc/prometheus/prometheus.yml \
  --web.config.file=/etc/prometheus/web.yml \
  --storage.tsdb.path=/var/lib/prometheus \
  --web.console.templates=/etc/prometheus/consoles \
  --web.console.libraries=/etc/prometheus/console_libraries \
  --web.listen-address=0.0.0.0:9090 \
  --web.external-url=

SyslogIdentifier=prometheus
Restart=always

[Install]
WantedBy=multi-user.target

Reload systemd and restart the Prometheus Server so the new flag takes effect:

sudo systemctl daemon-reload
sudo systemctl restart prometheus
sudo systemctl enable prometheus

Confirm that the Prometheus service started without errors:

$ systemctl status prometheus
 prometheus.service - Prometheus
   Loaded: loaded (/etc/systemd/system/prometheus.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-04-26 08:05:50 UTC; 7s ago
     Docs: https://prometheus.io/docs/introduction/overview/
 Main PID: 12461 (prometheus)
    Tasks: 7 (limit: 23694)
   Memory: 21.8M
   CGroup: /system.slice/prometheus.service
           └─12461 /usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --web.config.file=/etc/prometheus/web.yml --storage.tsdb.path=/var/lib/prometheus --web.console.template>

Once launched, test that the password works. Here we use the cURL command to access the /metrics endpoint with the username; cURL then prompts for the password:

$ curl -u admin http://localhost:9090/metrics
Enter host password for user 'admin': 

If the password provided is wrong, authentication fails and Prometheus answers with Unauthorized:

$ curl -u admin http://localhost:9090/metrics
Enter host password for user 'admin':
Unauthorized

Sample successful authentication output:

[Screenshot: successful authentication output from cURL; image not included]

When accessing the Prometheus web console in a browser, you will be prompted to authenticate with the username and password.

[Screenshot: Prometheus web console authentication prompt; image not included]

Conclusion

That is it, we have successfully secured Prometheus Server with Basic Authentication. Now all users accessing the Prometheus instance will be required to provide a username and password. I hope this was helpful.

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.