Prometheus/Security
From charlesreid1
Link: https://prometheus.io/docs/operating/security/#authentication/authorisation/encryption
Security Model
Prometheus makes the following assumptions:
- It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information.
- It is also presumed that only trusted users have the ability to change the command line, configuration file, rule files and other aspects of the runtime environment of Prometheus and other components.
- Which targets Prometheus scrapes, how often and with what other settings is determined entirely via the configuration file.
- (Prometheus 2.0) The --web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as deleting time series. This is disabled by default. If enabled, administrative and mutating functionality will be accessible under the /api/*/admin/ paths. The --web.enable-lifecycle flag controls HTTP reloads and shutdowns of Prometheus. This is also disabled by default. If enabled they will be accessible under the /-/reload and /-/quit paths.
- The remote read feature allows anyone with HTTP access to send queries to the remote read endpoint. If for example the PromQL queries were ending up directly run against a relational database, then anyone with the ability to send queries to Prometheus (such as via Grafana) can run arbitrary SQL against that database.
This sounds quite insecure. Not to worry, though - server-side authentication, authorization, and encryption can be provided via a remote proxy.
Authentication and Encryption
Under the authentication/encryption section, it says:
Authentication/Authorisation/Encryption:Prometheus and its components do not provide any server-side authentication, authorisation or encryption. If you require this, it is recommended to use a reverse proxy.
Various Prometheus components support client-side authentication and encryption. If TLS client support is offered, there is often also an option called insecure_skip_verify which skips SSL verification.