Prometheus is a free and open-source tool for real-time monitoring and alerting, written in Go. It records metrics in a time-series database, collecting them over HTTP using a pull model. This model allows high performance and scalability for Prometheus.
The Prometheus monitoring tool is made up of several components:
- PromQL – This is the query language used to create dashboards and filter multi-dimensional time-series data.
- Exporters – They run on the monitored hosts and are used to export metrics from third-party systems.
- Alertmanager – It triggers alerts based on the collected metrics.
- Prometheus – Centralizes and stores the metrics.
- Grafana – This tool is used to visualize data polled by Prometheus. It produces dashboards for monitoring and analysis.
This guide aims to demonstrate how to secure Prometheus Server with basic authentication. With basic authentication enabled, Prometheus requires a username and password from all users accessing the instance.
For this guide, I assume that you already have the Prometheus Server installed and running. Otherwise, you will have to install it using the dedicated guides below:
- On Ubuntu
- On CentOS/Rocky/Alma Linux
Once installed, you can proceed with the below steps.
Step 1 – Hashing a password
For this guide, we will set a password for the admin user; you can choose any password you prefer. Generate a bcrypt hash of that password. This requires the python3-bcrypt package, which can be installed as below:
##On Debian/Ubuntu
sudo apt update
sudo apt install python3-bcrypt -y
##On CentOS/Rocky/Alma Linux
sudo yum -y install epel-release
sudo yum -y install python3-bcrypt
Once installed, create a Python script that will prompt for the password.
$ vim gen-pass.py
import getpass
import bcrypt
password = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())
Save the script and run it as below:
python3 gen-pass.py
Proceed and provide the preferred password:
password: <INPUT-PASSWORD>
$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS
Save the generated hash somewhere; you will need it in the steps below.
Step 2 – Creating Web YAML File
Proceed and create a YAML Prometheus web configuration file to be loaded. This file will be read upon each HTTP request. For this guide, I have my YAML file at /etc/prometheus/ as web.yml. Now add the authentication to the endpoints as below:
$ sudo vim /etc/prometheus/web.yml
basic_auth_users:
  admin: '$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS'
Replace $2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS with your hashed password value.
You can validate that file with the command below.
$ promtool check web-config /etc/prometheus/web.yml
/etc/prometheus/web.yml SUCCESS
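A complementary check on the file from Step 2, as an added example that is not part of the original guide or of Prometheus itself: it flags basic_auth_users values that are not well-formed bcrypt hashes, hashes below an assumed minimum cost, and a config that enables basic auth without a tls_server_config section. The function name lint_web_config, the min_cost floor of 10 and the viewer entry in the sample are assumptions made for this example.

```python
import re

# Modular-crypt bcrypt string: $2a/$2b/$2y, 2-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample: the web.yml from this guide (hash copied from the page),
# plus a second user whose value was pasted as plaintext by mistake.
SAMPLE_WEB_YML = """\
basic_auth_users:
  admin: '$2b$12$.9J0cFyfcLaNjwBW9McDWObbLjM0n0Wb0ToW9wZArxfmwVlctK8SS'
  viewer: 'hunter2'
"""


def lint_web_config(text, min_cost=10):
    """Return (subject, finding) pairs for a Prometheus web config.

    Minimal line parser for the flat layout shown in this guide; it is not
    a general YAML parser. min_cost is an assumed policy floor.
    """
    top_keys, users, section = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        if not raw[0].isspace():  # an unindented key starts a new section
            section = key
            top_keys.add(key)
        elif section == "basic_auth_users":
            users[key] = value.strip().strip("'\"")

    findings = []
    if not users:
        findings.append(("basic_auth_users", "no users defined: no login required"))
    for user, value in users.items():
        match = BCRYPT_RE.match(value)
        if match is None:
            findings.append((user, "value is not a well-formed bcrypt hash"))
        elif int(match.group(1)) < min_cost:
            findings.append((user, f"bcrypt cost {match.group(1)} is below {min_cost}"))
    if users and "tls_server_config" not in top_keys:
        findings.append(("tls_server_config", "absent: basic auth is sent over plain HTTP"))
    return findings


if __name__ == "__main__":
    for subject, finding in lint_web_config(SAMPLE_WEB_YML):
        print(f"{subject}: {finding}")
```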
Step 3 – Launch Prometheus Server
Now we will launch the Prometheus Server using the created web configurations.
Update your Prometheus systemd unit file to include the web configuration file we just created.
$ sudo vim /etc/systemd/system/prometheus.service
[Unit]
Description=Prometheus
Documentation=https://prometheus.io/docs/introduction/overview/
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
Environment="GOMAXPROCS=1"
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/prometheus \
--config.file=/etc/prometheus/prometheus.yml \
--web.config.file=/etc/prometheus/web.yml \
--storage.tsdb.path=/var/lib/prometheus \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries \
--web.listen-address=0.0.0.0:9090 \
--web.external-url=
SyslogIdentifier=prometheus
Restart=always
[Install]
WantedBy=multi-user.target
Reload systemd and restart the Prometheus Server to apply the change.
sudo systemctl daemon-reload
sudo systemctl restart prometheus
sudo systemctl enable prometheus
Confirm that the Prometheus service has started without errors:
$ systemctl status prometheus
● prometheus.service - Prometheus
Loaded: loaded (/etc/systemd/system/prometheus.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-04-26 08:05:50 UTC; 7s ago
Docs: https://prometheus.io/docs/introduction/overview/
Main PID: 12461 (prometheus)
Tasks: 7 (limit: 23694)
Memory: 21.8M
CGroup: /system.slice/prometheus.service
└─12461 /usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --web.config.file=/etc/prometheus/web.yml --storage.tsdb.path=/var/lib/prometheus --web.console.template>
Once launched, proceed and test if the password is working. Here we will use the cURL command to access the endpoint /metrics with the username:
$ curl -u admin http://localhost:9090/metrics
Enter host password for user 'admin': <Enter the set password>
If the password provided is wrong, authentication will fail:
$ curl -u admin http://localhost:9090/metrics
Enter host password for user 'admin':
Unauthorized
Sample successful authentication output:
When accessing the Prometheus web console in a browser, you'll be prompted to authenticate with a username and password.
Conclusion.
That is it, we have successfully secured Prometheus Server with basic authentication. Now all users accessing the Prometheus instance will be required to provide a username and password. I hope this was significant.