i couldn't find the admin password anymore!

service/prometheus.md

@@ -65,6 +65,9 @@ The main Prometheus web interface is available at:
 
 <https://prometheus.torproject.org>
 
+It's protected by the same "web password" as Grafana, see the [basic
+authentication in Grafana](howto/grafana#basic-authentication) for more information.
+
 A simple query you can try is to pick any metric in the list and click
 `Execute`. For example, [this link][] will show the 5-minute load
 over the last two weeks for the known servers.
@@ -2940,12 +2943,21 @@ inspect alerts, and issue silences. It's used in our test suite.
 
 ## Authentication
 
-The web interface is accessed via HTTP Basic Authentication. Currently all
-access is done through a single user. We plan to setup one user per person
-before merging the external monitoring server to the main setup.
-
-Polling from the prometheus servers to the exporters on servers is permitted by
-IP address specifically just for the prometheus server IPs.
+The web interface is protected by HTTP basic authentication backed by
+LDAP. Users with access to LDAP can set a `webPassword` password which
+gets propagated to the server. There is a "fallback" user (hardcoded
+`admin` username, password in Trocla
+(`profile::prometheus::server::password_fallback`) and the password
+manager (under `services/prometheus.torproject.org`) that can be used in
+case the other system fails.
+
+See the [basic authentication in Grafana](howto/grafana#basic-authentication) for more information for
+users.
+
+Polling from the Prometheus servers to the exporters on servers is
+permitted by IP address specifically just for the Prometheus server
+IPs. Some more sensitive exporters require a secret token to access
+their metrics.
 
 ## Implementation