Hello!
I'm writing to inform you that TPA's been moving on something that should make it possible to eventually merge both of the prometheus / grafana servers: we're moving towards per-user passwords that need to be set through LDAP and deprecating the shared passwords.
I would invite everyone who needs to continue accessing prometheus and grafana (either on prometheus1.tpo or prometheus2.tpo) to head over to https://db.torproject.org/ , login and set yourself a password in the "Web password" field. That field was previously hidden but it was recently added to the form.
The password will take some time to get synchronized to the servers, so allow some 1 to 2 hours before you test out your new credentials. When ready, head over to https://grafana2.torproject.org/ and use your ldap username with your new web password to confirm that you're able to login there.
The shared passwords that are currently in use are bound to be removed on April 17th.
If you're having issues with setting up and/or using your own credentials to access prometheus and grafana, please contact TPA and we'll take a look with you into what's happening.
Cheers!
additional note for TPA members: we now have a fallback password that's present in our password manager. it should let us access the monitoring sites even if ldap has a disruption. you can try that one as well.
On 2025-04-01 16:41:55, Gabriel Filion wrote:
[...]
Some precisions here, if I may. :)
The password will take some time to get synchronized to the servers, so allow some 1 to 2 hours before you test out your new credentials. When ready, head over to https://grafana2.torproject.org/ and use your ldap username with your new web password to confirm that you're able to login there.
The delay is normally between 5 to 15 minutes:
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/ldap#know-when-will...
The shared passwords that are currently in use are bound to be removed on April 17th.
Specifically, here we're talking about the "metrics" Grafana (and Prometheus!) user you folks have been sharing around with each other. I don't know exactly how far it was shared, but you need to, now, let those people know that this password will stop working soon.
Also be aware, as announced in TPA-RFC-33, that this effectively gives access to all users with an LDAP account to the Prometheus server. When we last discussed this, it was okayed by people here, but it's still time to review that policy. It would be more complicated for us because we'd need to grant access on a username basis (like "hiro can login") but it's possible.
[...]
additional note for TPA members: we now have a fallback password that's present in our password manager. it should let us access the monitoring sites even if ldap has a disruption. you can try that one as well.
For TPA folks, that's in services/prometheus.torproject.org. You *should* use your "web password" to operate prometheus on a daily basis however: for now, you can write that in your .netrc file (like we do for the KGB bot password), but I have plans to hook that up to pass(1) instead.
Let me know if you think that should be expedited.
a.
network-health@lists.torproject.org
-
Antoine Beaupré -
Gabriel Filion