Prometheus is a free and open-source tool for real-time monitoring and alerting, written in Go. It records metrics in a time-series database and collects them over HTTP using a pull model. This model gives Prometheus high performance and scalability.
The Prometheus monitoring tool is made up of several components:
- PromQL – This is the query language used to create dashboards and filter multi-dimensional time-series data.
- Exporters – They run on the monitored hosts and are used to export metrics from third-party systems.
- Alertmanager – It triggers alerts based on the collected metrics.
- Prometheus – Centralizes and stores the metrics
- Grafana – This tool is used to visualize data polled by Prometheus. It produces dashboards for monitoring and analysis.
This guide demonstrates how to secure the Prometheus server with basic authentication. With basic authentication enabled, every user accessing the Prometheus instance must provide a username and password.
For this guide, I assume that you already have the Prometheus Server installed and running. Otherwise, you will have to install it using the dedicated guides below:
- On Ubuntu
- On CentOS/Rocky/Alma Linux
Once installed, you can proceed with the below steps.
Step 1 – Hashing a password
For this guide, we will create a password for the admin user; you can choose any password you prefer. Generate a bcrypt hash of that password. To do this, you need the python3-bcrypt package, which can be installed as below:
```
## On Debian/Ubuntu
sudo apt update
sudo apt install python3-bcrypt -y

## On CentOS/Rocky/Alma Linux
sudo yum -y install epel-release
sudo yum -y install python3-bcrypt
```
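Once installed, create a Python script that will prompt for the password.
```
$ vim gen-pass.py

import getpass
import bcrypt

# Prompt without echoing the password to the terminal
password = getpass.getpass("password: ")
# Hash with a fresh random salt; the salt is stored inside the resulting hash
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())
```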
Save the script and run it as below:
Proceed and provide the preferred password:
Save the generated password hash somewhere; you will need it in the steps below.
Step 2 – Creating Web YAML File
Next, create the Prometheus web configuration file in YAML format. This file will be read upon each HTTP request. For this guide, I have my YAML file at /etc/prometheus/ as web.yml. Now add the authentication settings for the endpoints as below:
```
$ sudo vim /etc/prometheus/web.yml

basic_auth_users:
  admin: '$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS'
```
Replace $2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS with your own hashed password value.
You can validate the file with the command below.
```
$ promtool check web-config /etc/prometheus/web.yml
/etc/prometheus/web.yml SUCCESS
```
Step 3 – Launch Prometheus Server
Now we will launch the Prometheus server using the web configuration we created.
Update your Prometheus systemd unit file to include the web configuration file we just created.
```
$ sudo vim /etc/systemd/system/prometheus.service

[Unit]
Description=Prometheus
Documentation=https://prometheus.io/docs/introduction/overview/
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
Environment="GOMAXPROCS=1"
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/prometheus \
  --config.file=/etc/prometheus/prometheus.yml \
  --web.config.file=/etc/prometheus/web.yml \
  --storage.tsdb.path=/var/lib/prometheus \
  --web.console.templates=/etc/prometheus/consoles \
  --web.console.libraries=/etc/prometheus/console_libraries \
  --web.listen-address=0.0.0.0:9090 \
  --web.external-url=

SyslogIdentifier=prometheus
Restart=always

[Install]
WantedBy=multi-user.target
```
Reload systemd and restart the Prometheus server so that the updated unit file takes effect.
```
sudo systemctl daemon-reload
sudo systemctl restart prometheus
sudo systemctl enable prometheus
```
Confirm that the Prometheus service started without errors:
```
$ systemctl status prometheus
● prometheus.service - Prometheus
   Loaded: loaded (/etc/systemd/system/prometheus.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-04-26 08:05:50 UTC; 7s ago
     Docs: https://prometheus.io/docs/introduction/overview/
 Main PID: 12461 (prometheus)
    Tasks: 7 (limit: 23694)
   Memory: 21.8M
   CGroup: /system.slice/prometheus.service
           └─12461 /usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --web.config.file=/etc/prometheus/web.yml --storage.tsdb.path=/var/lib/prometheus --web.console.template>
```
Once launched, test whether the password is working. Here we will use the cURL command to access the endpoint /metrics with the username:
```
$ curl -u admin http://localhost:9090/metrics
Enter host password for user 'admin':
```
If the password provided is wrong, authentication will fail:
```
$ curl -u admin http://localhost:9090/metrics
Enter host password for user 'admin':
Unauthorized
```
Sample successful authentication output:
When accessing the Prometheus web console in a browser, you'll be prompted to authenticate with a username and password.
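To repeat the curl test above across several endpoints, the script below is an added example, not part of the original guide or of the Prometheus project. It checks that each path answers 401 without credentials and with a wrong password, and that the valid credentials are accepted; the probe list and the `http://localhost:9090` default are assumptions.

```python
import base64
import urllib.error
import urllib.request

# Assumed probe list: /metrics is the path the guide tests with curl; the
# other two are further Prometheus HTTP paths picked for illustration.
PATHS = ["/metrics", "/api/v1/query?query=up", "/-/healthy"]

# Connect directly, ignoring any proxy set in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def auth_header(user, password):
    """Build the Authorization header value that `curl -u` would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def status(url, user=None, password=None, timeout=5):
    """Return the HTTP status code of a GET, optionally with Basic auth."""
    req = urllib.request.Request(url)
    if user is not None:
        req.add_header("Authorization", auth_header(user, password))
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and other error statuses arrive as exceptions


def audit(base_url, user, password, paths=PATHS, fetch=status):
    """Return findings; an empty list means every probed path is gated."""
    findings = []
    for path in paths:
        url = base_url.rstrip("/") + path
        if fetch(url) != 401:
            findings.append(f"{path}: served without credentials")
        if fetch(url, user, password + "x") != 401:
            findings.append(f"{path}: accepted a wrong password")
        if fetch(url, user, password) == 401:
            findings.append(f"{path}: rejected the valid credentials")
    return findings


if __name__ == "__main__":
    import getpass
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9090"
    problems = audit(base, "admin", getpass.getpass("password: "))
    print("\n".join(problems) or "all probed paths require authentication")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any finding is reported, so it can run as a post-deployment check after each change to web.yml.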
That is it; we have successfully secured the Prometheus server with basic authentication. Now all users accessing the Prometheus instance will be required to provide a username and password. I hope this was significant.