Does Federation support authentication?

Prabhakaran Venugopal

unread,

Feb 24, 2020, 10:36:17 PM2/24/20

to Prometheus Users

Hello Experts,

Does Prometheus Federation support Authentication ?

Julien Pivotto

unread,

Feb 25, 2020, 3:11:58 AM2/25/20

to Prabhakaran Venugopal, Prometheus Users

On 25 Feb 09:06, Prabhakaran Venugopal wrote:
> Hello Experts,
> Does Prometheus Federation support Authentication ?

Hello,

It does not. You need a reverse proxy in front of your Prometheus
instance. We have a small guide about this:
https://prometheus.io/docs/guides/basic-auth/

However, Prometheus can connect to another server via client certificate,
basic auth, or via proxy.

>
> --
> You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/CAJ83S%2BRz%2BwbwFVvpODy4kiXNn7ieX9TbRjy1egATe8THN27mPw%40mail.gmail.com.

--
(o- Julien Pivotto
//\ Open-Source Consultant
V_/_ Inuits - https://www.inuits.eu

signature.asc

Prabhakaran Venugopal

unread,

Feb 25, 2020, 11:00:18 PM2/25/20

to Julien Pivotto, Prometheus Users

Thanks for the pointer.

Assume that region-A Prometheus is behind Reverse Proxy with OAuth enabled. Can Master-Region Prometheus access the region-A Prometheus using [ bearer_token: <secret> ] in Federation ?

Steve

unread,

Mar 17, 2020, 12:28:35 PM3/17/20

to Julien Pivotto, Prabhakaran Venugopal, Prometheus Users

Hi

A couple of follow-up questions:

1) What are the reasons for *not* supporting TLS with client certificates for connections to Prometheus server instance? Any plan to support it in the near future?

2) Can connections from Prometheus server instance to alertManagers and connections from alertManager to webhook receivers be secured using TLS with certificates today?

-Steve

To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/20200225081151.GA26873%40oxygen.

Brian Candler

unread,

Mar 17, 2020, 12:43:30 PM3/17/20

to Prometheus Users

On Tuesday, 17 March 2020 16:28:35 UTC, Steve wrote:

1) What are the reasons for *not* supporting TLS with client certificates for connections to Prometheus server instance? Any plan to support it in the near future?

Presumably because this is functionality which is easily provided separately via a reverse-proxy:

https://www.robustperception.io/adding-basic-auth-to-prometheus-with-nginx

Note that node_exporter 1.0.0 (which is in RC status) has gained some TLS server functionality:

https://github.com/prometheus/node_exporter/releases

https://github.com/prometheus/node_exporter/pull/1277

It can validate a client cert, but AFAICS it can't check the certificate identity, so will accept *any* cert signed by the given CA.

2) Can connections from Prometheus server instance to alertManagers and connections from alertManager to webhook receivers be secured using TLS with certificates today?

Yes: all *outbound* connections (including exporter scrapes) can use TLS, and can authenticate themselves using client cert, basic auth and/or bearer token.

https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config

Reply all

Reply to author

Forward