Security on Prometheus target

[Guna Kambalimath]

Hey there,

Two questions:

Query 1:

How does prometheus basic_auth exactly work on targets ? (basically security of scrape target)? Would be helpful if you could tell the same in detail. 

Query 2:

Based on my exploration on security over Prometheus target, we can either give username/password (in file also),  or bearer token. 

Is it possible to configure prometheus in such a way that it does one time login, basically post a curl request with username and password as payload on a give URL like <ip>:<port>/login, which in turn gives token and prometheus uses the same token every time it fetches metrics from the target. 

Thanks,

Guna

[b.ca...@pobox.com]

1. basic_auth is HTTP basic authentication: a standard and well-documented HTTP mechanism.  The exporter itself will have to implement this mechanism of course (or you can sit the exporter behind a proxy which implements it)

2. the authentication mechanisms which Prometheus can use during a scrape are documented.

If you want to do something other form of authentication like the one you described, you could write a HTTP proxy which does it (passing a query parameter for the target).

Alternatively, you could use basic_auth with password_file, or bearer_token_file, and have an external program which writes to that file.  However I haven't tested whether prometheus reads that file on every scrape, or whether you'd have to signal to prometheus when it changes.