Password file generator for Prometheus

The O11y toolkit has a new online tool to generate basic authentication files for Prometheus.


By Julien Pivotto / On Jun 09, 2022

The O11y toolkit has a new tool this week, the passwords file generator for Prometheus.

This tool enables you to generate a web.yml file that can be consumed by Prometheus to protect its endpoints with Basic Authentication.

Prometheus web configuration

Since Prometheus 2.24, you can protect your Prometheus server natively with basic authentication and TLS. All you have to do is to generate a specific configuration file and pass it to Prometheus’ --web.config.file command line parameter.

The passwords in this file are hashed with bcrypt. Bcrypt is salted and adaptive: you can increase the number of iterations to make it slower, so it remains resistant to brute-force attacks as computing power grows.

How to generate bcrypt passwords

There are numerous options to generate bcrypt passwords. Many involve posting the password to a third-party website or installing software such as httpd’s htpasswd tool.

Whether htpasswd is available depends a lot on the machine/OS you are using, and sending passwords to third-party websites is risky.

However, having bcrypt password hashing available directly in the browser is handy. Therefore, we decided to provide the best of both worlds: a “local” application that can run in your browser and generate your Prometheus web configuration directly.

WebAssembly

The technology we use to generate bcrypt passwords is WebAssembly (WASM). The application is written in Go, the programming language of Prometheus, and cross-compiled to WASM, which runs natively in the browser.

Therefore, your computer is computing the hashes locally. We do not receive any data when you use the application.

Other features

Besides hashing the passwords, the application generates the whole web.yml file required to secure your Prometheus server.

It also supports multiple users. You can add and remove lines in the form, with one user per line. For example, you might have one user for Prometheus to scrape itself and one for the admin who needs to interact with the server.

Depending on your security requirements, you can also adapt the bcrypt cost. Increasing the cost increases (a lot) the CPU usage of Prometheus each time it needs to authenticate a user. A value between 10 and 12 seems reasonable.
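To make the web.yml layout and the cost check concrete, here is an added example (not the O11y toolkit's code). It takes bcrypt hashes produced elsewhere, verifies they are bcrypt strings whose embedded cost falls in the 10–12 range discussed above, and emits the basic_auth_users section; the hash values below are constructed placeholders, not real hashes of any password.

```python
"""Emit the basic_auth_users section of a Prometheus web.yml.

Added example. It does not compute bcrypt hashes (the Python stdlib has
no bcrypt); it consumes hashes made elsewhere, e.g. `htpasswd -nBC 12 user`,
checks their format and cost, and renders the YAML Prometheus expects.
"""
import re

# Modular-crypt bcrypt string: $2<minor>$<2-digit cost>$<22 salt + 31 hash chars>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(hash_str):
    """Return the cost (log2 of the rounds) embedded in a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % hash_str[:7])
    return int(m.group(1))


def build_web_config(users, min_cost=10, max_cost=12):
    """Render basic_auth_users for web.yml from {username: bcrypt_hash}.

    Costs outside [min_cost, max_cost] are rejected: too low weakens
    brute-force resistance, too high burns Prometheus CPU on every
    authenticated request.
    """
    lines = ["basic_auth_users:"]
    for name, h in users.items():
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError("unsafe username for a YAML key: %r" % name)
        cost = bcrypt_cost(h)
        if not min_cost <= cost <= max_cost:
            raise ValueError("%s: bcrypt cost %d outside %d..%d"
                             % (name, cost, min_cost, max_cost))
        lines.append("  %s: %s" % (name, h))
    return "\n".join(lines) + "\n"


# Constructed placeholders: syntactically valid bcrypt strings, NOT real
# hashes. One user for self-scraping, one for the admin, as in the post.
SAMPLE_USERS = {
    "prometheus": "$2y$10$" + "A" * 22 + "B" * 31,
    "admin": "$2y$12$" + "C" * 22 + "D" * 31,
}

if __name__ == "__main__":
    print(build_web_config(SAMPLE_USERS), end="")
```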

Compatibility

Prometheus 2.24 and later are compatible with this basic authentication configuration, and the latest releases of Alertmanager, Pushgateway, Node Exporter, and many other official exporters support the same configuration format.
