How a protected Prometheus (OpenID auth enabled) can be used as a target in the federation Prometheus scrape config


chandan kashayp

Jul 6, 2020, 6:17:47 AM
to Prometheus Users

Hello Guys,

I am stuck at a point while integrating an OpenID auth enabled Prometheus into federation. Let me explain the configuration and the blocker in detail.

My slave Prometheus is OpenID auth enabled. Whenever we try to access the Prometheus, it asks for login authentication and gets us in if authorization succeeds. After a successful login, the Prometheus dashboard and its graphs can be seen.

The federation Prometheus is running at a different place. The federation Prometheus scrape_configs looks like below

scrape_configs:
  - job_name: 'federate'
    scrape_interval: 15s

    honor_labels: true
    metrics_path: '/federate'

    params:
      'match[]':
        - '{job="prometheus"}'
        - '{__name__=~"job:.*"}'

    static_configs:
      - targets:
          - 'prometheus-slave.xyz.com:443'  # my slave prometheus endpoint

Issue : The target status is DOWN and Status is "server returned HTTP status 403 Forbidden".

I know the error comes because the federation Prometheus is not getting credentials to access the slave Prometheus. But I am not finding anything on the federation Prometheus where credentials-related configuration can be done to allow the federation Prometheus to access the auth-protected slave Prometheus.

Suggestions & help needed !!!!!!
#FederationPrometheus

Stuart Clark

Jul 6, 2020, 6:35:42 AM
to chandan kashayp, Prometheus Users
On 2020-07-06 11:17, chandan kashayp wrote:
> Hello Guys,
>
> I am stuck at a point while integrating an OpenID auth enabled
> Prometheus into federation. Let me explain the configuration and
> the blocker in detail.
>
> My slave Prometheus is OpenID auth enabled. Whenever we try to access
> the Prometheus, it asks for login authentication and gets us in if
> authorization succeeds. After a successful login, the Prometheus
> dashboard and its graphs can be seen.
>
> The federation Prometheus is running at a different place. The
> federation Prometheus scrape_configs looks like below
>
> scrape_configs:
>   - job_name: 'federate'
>     scrape_interval: 15s
>
>     honor_labels: true
>     metrics_path: '/federate'
>
>     params:
>       'match[]':
>         - '{job="prometheus"}'
>         - '{__name__=~"job:.*"}'
>
>     static_configs:
>       - targets:
>           - 'prometheus-slave.xyz.com:443'  # my slave prometheus endpoint
>
> Issue : The target status is DOWN and Status is "server returned HTTP
> status 403 Forbidden".
>
> I know the error comes because the federation Prometheus is not
> getting credentials to access the slave Prometheus. But I am not
> finding anything on the federation Prometheus where credentials-related
> configuration can be done to allow the federation Prometheus to access
> the auth-protected slave Prometheus.
>
> Suggestions & help needed !!!!!!
> #FederationPrometheus
>

I don't believe Prometheus supports OIDC authentication, so you would
need to allow other authentication or whitelisting methods for your
federation. OIDC is really best suited for people, with other forms
better for machines.

--
Stuart Clark

chandan kashayp

Jul 6, 2020, 6:44:49 AM
to Prometheus Users
What would be the other auth methods suitable in my case? I didn't find any docs on how a federate Prometheus can access slave targets if some auth is involved.

Aliaksandr Valialkin

Jul 6, 2020, 11:20:11 AM
to chandan kashayp, Prometheus Users
Prometheus supports basic auth and/or mutual TLS for scraping targets - see `basic_auth` and `tls_config` sections in https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config for details.

--
Best Regards,

Aliaksandr Valialkin, CTO VictoriaMetrics
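
The scrape job from the first post with the `basic_auth` and `tls_config` sections mentioned above filled in, as an added example that is not part of the original thread. The user name and all file paths are placeholders, and it assumes the proxy in front of the slave Prometheus accepts basic auth or client certificates on `/federate` instead of the OpenID login.

```yaml
scrape_configs:
  - job_name: 'federate'
    scrape_interval: 15s
    honor_labels: true
    metrics_path: '/federate'
    scheme: https                      # the target is served on port 443

    params:
      'match[]':
        - '{job="prometheus"}'
        - '{__name__=~"job:.*"}'

    # Option 1: HTTP basic auth. The password is read from a file so it
    # does not sit in prometheus.yml (placeholder user name and path).
    basic_auth:
      username: 'federation'
      password_file: '/etc/prometheus/secrets/federate.pass'

    # Option 2 (alone or together with option 1): mutual TLS.
    # All paths below are placeholders.
    tls_config:
      ca_file: '/etc/prometheus/tls/ca.crt'          # CA that signed the target's certificate
      cert_file: '/etc/prometheus/tls/federate.crt'  # client certificate presented to the target
      key_file: '/etc/prometheus/tls/federate.key'   # private key for the client certificate
      server_name: 'prometheus-slave.xyz.com'        # name expected in the target's certificate

    static_configs:
      - targets:
          - 'prometheus-slave.xyz.com:443'
```

Keep the password file and the client key readable only by the account that runs the federation Prometheus.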