2028335 – [RFE][cephadm] Allow the configuration of prometheus authentication using cephadm

Bug 2028335 - [RFE][cephadm] Allow the configuration of prometheus authentication using cephadm

Summary: [RFE][cephadm] Allow the configuration of prometheus authentication using cep...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	Cephadm
Sub Component:
Version:	5.1
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	7.0
Assignee:	Redouane Kachach Elhichou
QA Contact:	Sayalee
Docs Contact:	Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks:	2237662
TreeView+	depends on / blocked

Reported:	2021-12-02 04:24 UTC by James Biao
Modified:	2024-05-20 18:01 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ceph-18.2.0-1
Doc Type:	Enhancement
Doc Text:	.Enhanced security of the monitoring stack With this enhancement, to safeguard data integrity, confidentiality, and to align with the security best practices, the authentication feature for Prometheus, Alert manager, and the Node exporter is implemented. This enhances the security of the whole monitoring stack by enabling TLS in all the monitoring components and requiring users to provide valid credentials before accessing Prometheus and Alert Manager data. By using this new feature, an additional layer of protection is provided by using secure communication and preventing the unauthorized access to sensitive metrics and monitoring data. With TLS enabled in all the monitoring stack components and authentication in place, users must authenticate before accessing monitoring and metrics data, enhancing overall security and control over data access.
Clone Of:
Environment:
Last Closed:	2023-12-13 15:18:42 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1994251	1	high	CLOSED	[RFE][GSS] Need ssl between node-exporter, Prometheus and mgr module	2023-12-13 15:19:44 UTC
Red Hat Bugzilla	2028173	1	unspecified	NEW	[cee/sd][ceph-dashboard][RFE] Allow the configuration of LDAP for authenticating users for Grafana dashboard.	2025-05-15 05:07:21 UTC
Red Hat Issue Tracker	RHCEPH-2479	0	None	None	None	2021-12-02 04:25:04 UTC
Red Hat Knowledge Base (Solution)	7033374	0	None	None	None	2023-09-14 13:46:25 UTC
Red Hat Product Errata	RHBA-2023:7780	0	None	None	None	2023-12-13 15:18:46 UTC

Comment 1 Sebastian Wagner 2021-12-02 09:34:31 UTC

Ok this gets complicated. 

cephadm doesn't support SSL at this point. See https://bugzilla.redhat.com/show_bug.cgi?id=1994251

cephadm doesn't support deploying additional files for existing daemon types. See https://prometheus.io/docs/guides/basic-auth/#creating-web-yml and 

---

For now you can manually deploy your own Prometheus and Grafana. Does this help?

Comment 2 Sebastian Wagner 2021-12-02 12:17:25 UTC

relates to https://bugzilla.redhat.com/show_bug.cgi?id=2028173

Comment 13 Redouane Kachach Elhichou 2023-03-13 09:55:59 UTC

Support for the first part (basic auth) has been add by the following upstream PR: https://github.com/ceph/ceph/pull/46601. More changes
are needed to make the authentication configurable.

Comment 33 errata-xmlrpc 2023-12-13 15:18:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7780

Note You need to log in before you can comment on or make changes to this bug.