liunx下prometheus页面设置用户名密码登陆

前言  前两天公司漏洞通报prometheus未设置鉴权，漏洞详情如下图所示。

 

操作前须知

Prometheus于2.24版本（包括2.24）之后提供Basic Auth功能进行加密访问，在浏览器登录UI的时候需要输入用户密码，访问Prometheus api的时候也需要加上用户密码

1、 安装依赖

yum -y install  epel-release python3 python3-bcrypt

2、通过python脚本生产密码

[root@localhost home]# cat python_passwd.py
import getpass
import bcrypt

password = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())

3、运行python脚本生成密码

[root@localhost home]# python3 ./python_passwd.py

password: 交互输入密码

4、prometheus配置文件

[root@localhost prometheus-2.24.0.linux-amd64]# pwd
/home/prometheus-2.24.0.linux-amd64

[root@localhost prometheus-2.24.0.linux-amd64]# cat webconfig.yml
basic_auth_users:
admin: $2b$12$ic7SmeIcedgf8whWBhsiIugN7m4ZXCm5Om73mMShJ..Yc1lFmzIcq   
#admin是账号:后面是密码 明文是：NGM1YTM^3YzUxZDdlM

[root@localhost prometheus-2.24.0.linux-amd64]# cat prometheus.yml | egrep -v '^#|^$'
global:
scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
# scrape_timeout is set to the global default (10s).
alerting:
alertmanagers:
- static_configs:
- targets:
# - alertmanager:9093
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'localhost'
static_configs:
- targets: ['localhost:9100']

5、检测webconfig.yml是否可用

[root@localhost prometheus-2.24.0.linux-amd64]# ./promtool check web-config webconfig.yml
webconfig.yml SUCCESS

6、启动 prometheus

nohup ./prometheus --web.config.file=web.yml &

7、访问链接提示输入账号密码

http://ip:9090

 8、服务正常