In Prometheus, do we have any login mechanism. For eg. until user dont have access on specific active directory group s/he won’t be able to login on portal
No, as it’s out of scope of Prometheus.
But there are (at least) two strategies to implement authenticated access:
- Reverse Proxy: Just take the one that supports your authentication mechanism (like nginx, traefik etc.), point it to your local Prometheus instance and don’t expose the 9090 Port of Prometheus outside of localhost (eg
--web.listen-address="127.0.0.1:9090"or any firewall solution).
- Grafana: Even with the free Grafana offering you can setup basic LDAP Authentication. Combined with proxied Prometheus (see Datasource configuration screen) and locked down direct-access to Prometheus (see 1.) you should be fine. You still might want to be able to access the instance for maintenance reasons eg. using Reverse Proxy or ssh tunnels.
Thank you for the details. 2nd one will work for me. But is it possible to combine with the first. So in my organisation we already have enterprise grafana hosted. We just need to add datasource and we can start working on the dashboard.
<@UDBJM0RRS> , but one thing to highlight here is we can’t add ldap authentication or any other type of at both the ends. Because in that grafana wont be able to reach Prometheus directly. We need to keep Prometheus loose so that we can directly set alerts in grafana.
Is my understanding correct here
So if you mean following:
User -(auth)-> Grafana -(auth)-> Prometheus
Yeah, in that case you might indeed need another component in between Grafana and Prom. In Grafana you have several options to authenticate against the Reverse Proxy, like Basic auth, custom headers, Certificates or even forward the OAuth identity of the user.
Ultimately it really comes down to the requirements and the individual constraints of your exisiting setup.
Also check the documentation for basic auth:
<@UDBJM0RRS> Hmm but all the authentications in grafana will stay at grafana. Dont you think While calling the data source from grafana, reverse proxy must be intelligent enough to detect that call is a service to service and not client to service hence behave in that way. Means some different type of authentication. For eg. Something like adding these basic auth credentials in grafana through which it hits the datasource. And, for others like client to service where it will be explicitly ask for credentials in some pop up etc.
In this way i think both the pipelines will be authentic. No idea if it is possible to do this in grafana. Secondly, dont know how to detect service to service and client to service at reverse proxy level.
I would not allow the usage of the Prometheus UI to any clients (speaking of end-users or developers) at all - just for maintenance tasks like troubleshooting to designated administrators. These could use an alternative way connecting with the instance, like tunneling or dedicated credentials.
The reverse proxy does not need that much of intelligence, IMHO. Either some generated dedicated credentials for Grafana, or Certificate.
If you’re running grafana and prometheus on the same host - the case is clear. Just use the comman-line flag to listen to localhost only ( all direct external traffic is permitted ). Then point Grafana to localhost:9090 (the local prom instance) without authentication and optional another local Reverse Proxy with enabled BasicAuth for maintenance.
If they are dedicated instances: Setup a reverse proxy and setup multiple BasicAuth users - eg. one for grafana and one for the maintenance staff. Even if you’re only using one user, every client will be prompted to authenticate against the endpoint using eg. BasicAuth.
To be clear - not every user is setting up their own “Datasource” in grafana, but you as an Administrator set it up and share it with the appropriate groups. Grafana will take care of the authorization part and restricting the access from unauthorized users.
<@UDBJM0RRS> oh ok. So enable connectivity between enterprise grafana and my Prometheus instance with basic auth i.e. one specific credentials and enable ldap authentication for other users only for grafana.
Now for Prometheus portal only admin need access, so we can also also use the same basic auth creds to open that.
Hence normal user will never have access on Prometheus portal. Am I correct here
But one more thing is there any role level mechanism in Prometheus. The problem is that grafana in my case is company hosted. Let say I create basic auth and give read role to it.
Then use that to integrate grafana with Prometheus
<@UDBJM0RRS> why I’m asking this is because at reverse proxy we can manage the authentication but authorization only application can understand
> So enable connectivity between enterprise grafana and my Prometheus instance with basic auth i.e. one specific credentials and enable ldap authentication for other users only for grafana.
> But one more thing is there any role level mechanism in Prometheus. The problem is that grafana in my case is company hosted. Let say I create basic auth and give read role to it.
Shared grafana is not an issue - you can set access permission per Datasource to groups. You can have as many Datasources as you like. It’ll rather be tricky to use a shared Prometheus. But then you’ll be anyway facing different scaling challenges and I would start looking into Cortex or Thanos.
<@UDBJM0RRS> hmm got it. No issue i’ll go with basic auth then. Though even grafana will be having the complete access on it. But in case of shared resource we can trust the teams. Thanks a lot for the info. Take care. Have a nice day.
Have a nice day, too!