How to enable basic user authentication and secure Prometheus with TLS – Yugabyte

Environment

YugabyteDB Anywhere

Overview

Often times, Users want to enable authentication for prometheus. This knowledge-base article describes the steps to enable the basic authentication for Prometheus.
Enable SSL/TLS for Prometheus and secure with HTTPS protocol.

NOTE: It is advisable to enable TLS (HTTPS) first before turning on User Authentication in Prometheus to prevent sending the username and password in plain text over the network.

Steps to Enable HTTPS and Basic User Authentication for Prometheus

Connect to Yugabyte Anywhere Server:
- Use SSH to connect to your Yugabyte Anywhere server.

Check Current Status:

As the root user, run the following command to check the current status of your services:

$ yba-ctl status

The output should look similar to this:

              YBA Url |   Install Root |            yba-ctl config |              yba-ctl Logs |
  https://10.9.x.x |  /opt/yugabyte |  /opt/yba-ctl/yba-ctl.yml |  /opt/yba-ctl/yba-ctl.log |

Services:
  Systemd service |          Version |  Port |                            Log File Locations |  Running Status |
         postgres |            14.11 |  5432 |          /opt/yugabyte/data/logs/postgres.log |         Running |
       prometheus |           2.47.1 |  9090 |  /opt/yugabyte/data/prometheus/prometheus.log |         Running |
      yb-platform |  2024.1.0.0-b129 |   443 |       /opt/yugabyte/data/logs/application.log |         Running |

Locate Configuration File:
- Identify the location of the yba-ctl configuration file. In this example, it is located at /opt/yba-ctl/yba-ctl.yml.

Edit Configuration File:

Open the configuration file in your preferred text editor and locate the prometheus section. The configuration should look like this:

prometheus:
    port: 9090
    restartSeconds: 10 # time (in seconds) to sleep before restarting prometheus service
    scrapeInterval: 10s # time between prometheus data scrapes
    scrapeTimeout: 10s # time before a scrape request times out
    maxConcurrency: 20 # max number of queries to execute concurrently
    maxSamples: 5000000 # max number of samples prometheus can load to process single query
    timeout: 30s # time before a query times out
    retentionTime: 15d # time to retain metrics
    enableHttps: false # enable HTTPS for prometheus web UI
    enableAuth: false # enable authentication for prometheus
    authUsername: prometheus # username to authenticate to prometheus (if enableAuth)
    authPassword: "" # password to authenticate to prometheus (if enableAuth)
    oomScoreAdjust: 500 # OOMScoreAdjust value for the prometheus systemd service

Update Configuration:
- Modify the prometheus section to enable HTTPS and authentication. Set enableHttps and enableAuth to true.
- Then specify the desired authUsername and authPassword to enables Basic Authentication. Here is an example:
```
    enableHttps: true # enable HTTPS for prometheus web UI
    enableAuth: true # enable authentication for prometheus
    authUsername: prometheus # username to authenticate to prometheus (if enableAuth)
    authPassword: password # password to authenticate to prometheus (if enableAuth)
```
  Apply Changes:
  - Save the configuration file and run the following command to apply the changes. Please not that this will restart all associated services:
```
$ yba-ctl reconfigure
```

Also Read: How to enable Basic Authentication and secure Node Exporter with TLS in a YugabyteDB Universe

Related to

Environment

Overview

Related articles