Turn on authentication

references #8
Calvinverse · Jan 12, 2020 · 84d7f62 · 84d7f62
1 parent 5cea562
commit 84d7f62
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 35 deletions.
diff --git a/src/cookbooks/resource_metrics_storage/attributes/default.rb b/src/cookbooks/resource_metrics_storage/attributes/default.rb
@@ -45,6 +45,9 @@
 default['influxdb']['port']['graphite'] = 2003
 default['influxdb']['port']['http'] = 8086
 
+default['influxdb']['users']['interal_metrics']['username'] = 'user.internal.read'
+default['influxdb']['users']['interal_metrics']['password'] = SecureRandom.uuid
+
 # For influxdb versions >= 1.0.x
 # ref: https://docs.influxdata.com/influxdb/v1.0/administration/config/
 default['influxdb']['config'] = {
@@ -100,7 +103,7 @@
   'http' => {
     'enabled' => true,
     'bind-address' => ":#{node['influxdb']['port']['http']}",
-    'auth-enabled' => false,
+    'auth-enabled' => true,
     'log-enabled' => true,
     'write-tracing' => false,
     'pprof-enabled' => false,

diff --git a/src/cookbooks/resource_metrics_storage/metadata.rb b/src/cookbooks/resource_metrics_storage/metadata.rb
@@ -13,6 +13,6 @@
 
 supports 'ubuntu', '>= 16.04'
 
-depends 'firewall', '= 2.6.2'
-depends 'influxdb', '= 6.2.0'
+depends 'firewall', '= 2.7.0'
+depends 'influxdb', '= 6.3.1'
 depends 'systemd', '= 3.2.3'
diff --git a/src/cookbooks/resource_metrics_storage/recipes/influxdb.rb b/src/cookbooks/resource_metrics_storage/recipes/influxdb.rb
@@ -393,6 +393,7 @@
 
 #
 # ALLOW INFLUXDB THROUGH THE FIREWALL
+# CREATE THE USERS
 #
 
 influxdb_admin_port = node['influxdb']['port']['admin']
@@ -433,6 +434,11 @@
   description 'Allow InfluxDB HTTP traffic'
   dest_port influxdb_http_port
   direction :in
+influxdb_user node['influxdb']['users']['interal_metrics']['username'] do
+  action :create
+  databases ['_internal']
+  password node['influxdb']['users']['interal_metrics']['password']
+  permissions ['READ']
 end
 
 #
@@ -586,6 +592,10 @@
         "http://localhost:#{influxdb_http_port}/debug/vars"
       ]
 
+      ## Username and password to send using HTTP Basic Authentication.
+      username = "#{node['influxdb']['users']['interal_metrics']['username']}"
+      password = "#{node['influxdb']['users']['interal_metrics']['password']}"
+
       ## Optional SSL Config
       # ssl_ca = "/etc/telegraf/ca.pem"
       # ssl_cert = "/etc/telegraf/cert.pem"

diff --git a/src/cookbooks/resource_metrics_storage/spec/influxdb_spec.rb b/src/cookbooks/resource_metrics_storage/spec/influxdb_spec.rb
@@ -377,8 +377,18 @@
     end
   end
 
-  context 'creates the services database' do
+  context 'creates the users' do
     let(:chef_run) { ChefSpec::SoloRunner.converge(described_recipe) }
+    let(:node) { chef_run.node }
+
+    it 'creates the internal database read user' do
+      user_internal_read_username = node['influxdb']['users']['interal_metrics']['username']
+      user_internal_read_password = node['influxdb']['users']['interal_metrics']['password']
+      expect(chef_run).to create_influxdb_user(user_internal_read_username).with(
+        databases: '_internal',
+        permissions: 'READ'
+      )
+    end
   end
 
   context 'configures the firewall for InfluxDB' do
@@ -551,39 +561,45 @@
 
   context 'adds the consul-template files for telegraf monitoring of influxdb' do
     let(:chef_run) { ChefSpec::SoloRunner.converge(described_recipe) }
+    let(:node) { chef_run.node }
 
-    telegraf_influxdb_inputs_template_content = <<~CONF
-      # Telegraf Configuration
-
-      ###############################################################################
-      #                            INPUT PLUGINS                                    #
-      ###############################################################################
-
-      # Read InfluxDB-formatted JSON metrics from one or more HTTP endpoints
-      [[inputs.influxdb]]
-        ## Works with InfluxDB debug endpoints out of the box,
-        ## but other services can use this format too.
-        ## See the influxdb plugin's README for more details.
-
-        ## Multiple URLs from which to read InfluxDB-formatted JSON
-        ## Default is "http://localhost:8086/debug/vars".
-        urls = [
-          "http://localhost:8086/debug/vars"
-        ]
-
-        ## Optional SSL Config
-        # ssl_ca = "/etc/telegraf/ca.pem"
-        # ssl_cert = "/etc/telegraf/cert.pem"
-        # ssl_key = "/etc/telegraf/key.pem"
-        ## Use SSL but skip chain & host verification
-        # insecure_skip_verify = false
-
-        ## http request & header timeout
-        timeout = "5s"
-        [inputs.influxdb.tags]
-          influxdb_database = "{{ keyOrDefault "config/services/metrics/databases/services" "services" }}"
-    CONF
     it 'creates telegraf influxdb input template file in the consul-template template directory' do
+      telegraf_influxdb_inputs_template_content = <<~CONF
+        # Telegraf Configuration
+
+        ###############################################################################
+        #                            INPUT PLUGINS                                    #
+        ###############################################################################
+
+        # Read InfluxDB-formatted JSON metrics from one or more HTTP endpoints
+        [[inputs.influxdb]]
+          ## Works with InfluxDB debug endpoints out of the box,
+          ## but other services can use this format too.
+          ## See the influxdb plugin's README for more details.
+
+          ## Multiple URLs from which to read InfluxDB-formatted JSON
+          ## Default is "http://localhost:8086/debug/vars".
+          urls = [
+            "http://localhost:8086/debug/vars"
+          ]
+
+          ## Username and password to send using HTTP Basic Authentication.
+          username = "#{node['influxdb']['users']['interal_metrics']['username']}"
+          password = "#{node['influxdb']['users']['interal_metrics']['password']}"
+
+          ## Optional SSL Config
+          # ssl_ca = "/etc/telegraf/ca.pem"
+          # ssl_cert = "/etc/telegraf/cert.pem"
+          # ssl_key = "/etc/telegraf/key.pem"
+          ## Use SSL but skip chain & host verification
+          # insecure_skip_verify = false
+
+          ## http request & header timeout
+          timeout = "5s"
+          [inputs.influxdb.tags]
+            influxdb_database = "{{ keyOrDefault "config/services/metrics/databases/services" "services" }}"
+      CONF
+
       expect(chef_run).to create_file('/etc/consul-template.d/templates/telegraf_influxdb_inputs.ctmpl')
         .with_content(telegraf_influxdb_inputs_template_content)
         .with(