Open brackend opened 2 years ago
Prometheus through Openunison reverse-proxy.
Are you using openunison's reverse proxy now, or another reverse proxy?
Hi,
I'd like to control access to Prometheus through Openunison reverse-proxy. We have the following configuration for implementing OIDC, but how do I configure this for basic auth to Prometheus:
Do you want it to work with both? (as in you want a remote service to use basic auth but users to still use OpenUnison's auth login form?)
Yes, OpenUnison. Yes, if that's possible - assuming you mean we access one application using one method and another application using another.
User ===OIDC====> openunison(impersonation) ====basic auth====> prometheus
User ===OIDC====> openunison(impersonation) ====lastmile-oidc====> grafana
ok, to make sure I understand:
https://prometheus.domain.com/ --> OIDC Login
https://prometheus-api.domain.com --> Basic Auth
?
Also, I assume you're using LDAP to authenticate your users?
Users login using OIDC. Redirected to pingidentity, authenticated, callback, and retrieves groups from user-info.
If I understand it, it can then use other authn methods to access the applications behind openunison. Currently: Kiali, k8s dashboard, grafana, and now hopefully prometheus ui
Yes, but how? If you're using basic auth, OpenUnison needs to validate the credential against something.
Do you want to forward the basic auth request to ping?
I'm not sure how that would work.
So we want users who are members of at least one group, say the "admin" group, to have access to Prometheus (it seems basic auth is the only access control for Prometheus).
I'm guessing that OpenU could be configured to access Prometheus using basic auth. But TBH I'm not at all clear how it can control, say, members of a given group. Not sure either how forwarding basic auth to Ping would work.
OH! Ok, I misunderstood what you were trying to do. You want to limit who has access to Prometheus based on a specific group coming from Ping?
yep sorry that's probably how I should have put it :)
Ok, this is much easier. You're using OpenUnison as the reverse proxy right? You should have an Application for it (if you followed the instructions from https://openunison.github.io/documentation/custom-sso/#using-a-new-host it's probably called prometheus). There's a section called azRules that probably looks like:
azRules:
- scope: dn
  constraint: o=Tremolo
This means anyone who's authenticated can access it (there's an authorization rule on the identity provider too). You can change this to:
azRules:
- scope: filter
  constraint: (group=my-prometheus-group)
and it will stop access for anyone that isn't in the group my-prometheus-group.
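To make the effect of the two rules concrete, here is an added Python model of the decision (example code written for this page, not OpenUnison's own authorization engine). It assumes the rule semantics as OpenUnison documents them: with scope dn the user's DN must sit under the constraint base DN, with scope filter the constraint is an LDAP filter evaluated against the user's attributes, and any rule that succeeds grants access. The sample users, their DNs and the attribute name "group" are constructed for the example; in a real deployment the group attribute depends on how the Ping user-info claims are mapped into the user's entry.

```python
# Added example (not OpenUnison code): a small model of how the two azRules
# above decide access.  Assumed semantics (per OpenUnison docs):
#   scope: dn     -> user's DN must be the constraint base DN or beneath it
#   scope: filter -> constraint is an LDAP filter (subset: =, &, |, !)
#                    matched against the user's attributes
#   any rule that succeeds grants access; no rule succeeding denies.
from dataclasses import dataclass, field


@dataclass
class User:
    dn: str
    attrs: dict = field(default_factory=dict)  # attribute -> list of values


def _split_dn(dn):
    return [p.strip().lower() for p in dn.split(",")]


def dn_under(user_dn, base_dn):
    """True if user_dn is base_dn itself or an entry beneath it."""
    u, b = _split_dn(user_dn), _split_dn(base_dn)
    return len(u) >= len(b) and u[len(u) - len(b):] == b


def parse_filter(text):
    """Parse a parenthesised LDAP filter into a nested tuple tree."""
    pos = [0]

    def take(ch):
        if pos[0] >= len(text) or text[pos[0]] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos[0], text))
        pos[0] += 1

    def node():
        take("(")
        op = text[pos[0]] if pos[0] < len(text) else ""
        if op in ("&", "|"):
            pos[0] += 1
            kids = []
            while pos[0] < len(text) and text[pos[0]] == "(":
                kids.append(node())
            take(")")
            return (op, kids)
        if op == "!":
            pos[0] += 1
            kid = node()
            take(")")
            return ("!", [kid])
        end = text.find(")", pos[0])
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos[0]:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError("only attr=value items supported: %r" % text[pos[0]:end])
        pos[0] = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos[0] != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def match(tree, user):
    """Evaluate a parsed filter against a user's (multi-valued) attributes."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        vals = next((v for k, v in user.attrs.items() if k.lower() == attr), [])
        if value == "*":          # presence test, e.g. (group=*)
            return bool(vals)
        return any(v.lower() == value.lower() for v in vals)
    if op == "&":
        return all(match(k, user) for k in tree[1])
    if op == "|":
        return any(match(k, user) for k in tree[1])
    return not match(tree[1][0], user)  # "!"


def authorized(az_rules, user):
    """First rule to succeed grants access; none succeeding means deny."""
    for rule in az_rules:
        scope, constraint = rule["scope"], rule["constraint"]
        if scope == "dn" and dn_under(user.dn, constraint):
            return True
        if scope == "filter" and match(parse_filter(constraint), user):
            return True
    return False


# Constructed sample users in the shape OpenUnison keeps them after the
# OIDC login: a DN under o=Tremolo plus the groups from Ping's user-info.
ALICE = User("uid=alice,ou=users,o=Tremolo", {"uid": ["alice"], "group": ["admin", "my-prometheus-group"]})
BOB = User("uid=bob,ou=users,o=Tremolo", {"uid": ["bob"], "group": ["developers"]})
CAROL = User("uid=carol,ou=users,o=Tremolo", {"uid": ["carol"]})  # no group claim at all

ANY_AUTHENTICATED = [{"scope": "dn", "constraint": "o=Tremolo"}]
PROMETHEUS_GROUP = [{"scope": "filter", "constraint": "(group=my-prometheus-group)"}]

if __name__ == "__main__":
    for rules in (ANY_AUTHENTICATED, PROMETHEUS_GROUP):
        print(rules, [(u.attrs["uid"][0], authorized(rules, u)) for u in (ALICE, BOB, CAROL)])
```

Run as-is it shows all three users passing the dn rule and only alice passing the filter rule; carol, who has no group attribute at all, is denied rather than erroring, which is the case to check when the user-info response omits groups for some accounts.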