feat: 引入 vmauth 鉴权与严格多租户

- 对外端口统一为 18428（vmauth 入口），VM 不再直接暴露宿主机端口
- 边缘 vmagent 与中央 Prometheus remote_write 增加 basic auth
- 支持 tenants.csv 驱动的 per-tenant 写入/查询隔离，并提供管理员跨租户只读查询
- 更新 Grafana provisioning 与部署/文档

Made-with: Cursor

central-server/config/grafana/provisioning/datasources/victoriametrics.yml

@@ -1,16 +1,20 @@
 # VictoriaMetrics 数据源（边缘节点上报的数据存储在此）
 # 边缘节点通过 remote_write 推送到中央 VictoriaMetrics，本数据源用于在 Grafana 中查询这些数据
-# 使用前需在边缘节点配置：remote_write 指向中央服务器 VictoriaMetrics 地址（如 http://中央IP:8428/api/v1/write）
+# 使用前需在边缘节点配置：remote_write 指向中央服务器 VictoriaMetrics 地址（如 http://中央IP:18428/api/v1/write）
 apiVersion: 1
 
 datasources:
   - name: VictoriaMetrics
     type: prometheus
     access: proxy
-    url: http://victoria-metrics:8428
+    url: http://vmauth:8427
     isDefault: false
     editable: true
+    basicAuth: true
+    basicAuthUser: ${VMAUTH_READ_USER}
     jsonData:
       httpMethod: POST
       queryTimeout: 60s
       timeInterval: 15s
+    secureJsonData:
+      basicAuthPassword: ${VMAUTH_READ_PASSWORD}

central-server/config/grafana/provisioning/datasources/victoriametrics.yml.template

@@ -0,0 +1,18 @@
+# VictoriaMetrics 数据源（通过 vmauth 进行鉴权访问）
+apiVersion: 1
+
+datasources:
+  - name: VictoriaMetrics
+    type: prometheus
+    access: proxy
+    url: http://vmauth:8427
+    isDefault: false
+    editable: true
+    basicAuth: true
+    basicAuthUser: "${VMAUTH_READ_USER}"
+    jsonData:
+      httpMethod: POST
+      queryTimeout: 60s
+      timeInterval: 15s
+    secureJsonData:
+      basicAuthPassword: "${VMAUTH_READ_PASSWORD}"

central-server/config/prometheus/prometheus.yml

@@ -21,7 +21,10 @@ global:
 # 远程写入：将中央 Prometheus 抓取到的本地服务指标推送到 VictoriaMetrics
 # （边缘节点由 vmagent 直接 remote_write 到 VictoriaMetrics）
 remote_write:
-  - url: http://victoria-metrics:8428/api/v1/write
+  - url: http://vmauth:8427/api/v1/write
+    basic_auth:
+      username: ${VMAUTH_WRITE_USER}
+      password: ${VMAUTH_WRITE_PASSWORD}
     queue_config:
       max_samples_per_send: 10000
       capacity: 20000

central-server/config/prometheus/prometheus.yml.template

@@ -21,7 +21,10 @@ global:
 # 远程写入：将中央 Prometheus 抓取到的本地服务指标推送到 VictoriaMetrics
 # （边缘节点由 vmagent 直接 remote_write 到 VictoriaMetrics）
 remote_write:
-  - url: http://victoria-metrics:${VICTORIAMETRICS_PORT}/api/v1/write
+  - url: http://vmauth:8427/api/v1/write
+    basic_auth:
+      username: ${VMAUTH_WRITE_USER}
+      password: ${VMAUTH_WRITE_PASSWORD}
     queue_config:
       max_samples_per_send: ${PROMETHEUS_REMOTE_WRITE_MAX_SAMPLES}
       capacity: ${PROMETHEUS_REMOTE_WRITE_CAPACITY}
@@ -40,7 +43,7 @@ scrape_configs:
     scrape_interval: ${PROMETHEUS_SCRAPE_INTERVAL}s
     metrics_path: '/metrics'
     static_configs:
-      - targets: ['victoria-metrics:${VICTORIAMETRICS_PORT}']
+      - targets: ['victoria-metrics:8428']
 
   # 抓取Alertmanager
   - job_name: 'alertmanager'

central-server/config/vmauth/tenants.csv.example

@@ -0,0 +1,3 @@
+tenant_id,edge_node_id,write_user,write_password,read_user,read_password
+1001,edge_a,edge_a_write,CHANGE_ME,edge_a_read,CHANGE_ME
+1002,edge_b,edge_b_write,CHANGE_ME,edge_b_read,CHANGE_ME

central-server/config/vmauth/vmauth.yml.template

@@ -0,0 +1,6 @@
+unauthorized_user:
+  # 未认证请求默认拒绝
+  url_map: []
+
+# 注意：本文件将由 deploy.sh 根据 config/vmauth/tenants.csv 自动生成。
+users: []