liunx下prometheus页面设置用户名密码登陆

前言  前两天公司漏洞通报prometheus未设置鉴权，漏洞详情如下图所示。

 

 安装依赖

yum -y install  epel-release python3 python3-bcrypt

通过python脚本生产密码

[root@localhost home]# cat python_passwd.py
import getpass
import bcryptpassword = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())

运行

[root@localhost home]# python3 ./python_passwd.pypassword: 交互输入密码

配置prometheus

[root@localhost prometheus-2.24.0.linux-amd64]# pwd
/home/prometheus-2.24.0.linux-amd64[root@localhost prometheus-2.24.0.linux-amd64]# cat webconfig.yml
basic_auth_users:
admin: $2b$12$ic7SmeIcedgf8whWBhsiIugN7m4ZXCm5Om73mMShJ..Yc1lFmzIcq   
#admin是账号:后面是密码 明文是：NGM1YTM^3YzUxZDdlM

[root@localhost prometheus-2.24.0.linux-amd64]# cat prometheus.yml | egrep -v '^#|^$'
global:
scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
# scrape_timeout is set to the global default (10s).
alerting:
alertmanagers:
- static_configs:
- targets:
# - alertmanager:9093
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'localhost'
static_configs:
- targets: ['localhost:9100']

检测webconfig.yml是否可用

[root@localhost prometheus-2.24.0.linux-amd64]# ./promtool check web-config webconfig.yml
webconfig.yml SUCCESS

启动 prometheus

nohup ./prometheus --web.config.file=web.yml &

访问链接提示输入账号密码

http://ip:9090

 

服务正常