From 071a93efbd6bf5377719ab70f39b54b64b49ec95 Mon Sep 17 00:00:00 2001 From: Guillaume Thouvenin Date: Mon, 24 Oct 2016 17:22:23 +0200 Subject: [PATCH] Configure an admin user, databases, users and grants --- README.rst | 77 ++++++++++++++++++++++++++++++++++++ influxdb/files/influxdb.conf | 4 ++ influxdb/server.sls | 68 +++++++++++++++++++++++++++++++ 3 files changed, 149 insertions(+) diff --git a/README.rst b/README.rst index c43b53c..48a494f 100644 --- a/README.rst +++ b/README.rst @@ -40,6 +40,83 @@ Single-node influxdb, SSL for http frontend: key_file: /etc/influxdb/ssl/key.pem cert_file: /etc/influxdb/ssl/cert.pem +Single-node influxdb with an admin user: + +.. code-block:: yaml + + influxdb: + server: + enabled: true + http: + enabled: true + bind: + address: 0.0.0.0 + port: 8086 + admin: + enabled: true + bind: + address: 0.0.0.0 + port: 8083 + user: + enabled: true + name: root + password: secret + +Single-node influxdb with new users: + +.. code-block:: yaml + + influxdb: + server: + user: + user1: + enabled: true + admin: true + name: username1 + password: keepsecret1 + user2: + enabled: true + admin: false + name: username2 + password: keepsecret2 + +Single-node influxdb with new databases: + +.. code-block:: yaml + + influxdb: + server: + database: + mydb1: + enabled: true + name: mydb1 + mydb2: + enabled: true + name: mydb2 + +Here is how to manage grants on database: + +.. code-block:: yaml + + influxdb: + server: + grant: + username1_mydb1: + enabled: true + user: username1 + database: mydb1 + privilege: all + username2_mydb1: + enabled: true + user: username2 + database: mydb1 + privilege: read + username2_mydb2: + enabled: true + user: username2 + database: mydb2 + privilege: write + InfluxDB relay: .. code-block:: yaml diff --git a/influxdb/files/influxdb.conf b/influxdb/files/influxdb.conf index cdd3bd9..c569239 100644 --- a/influxdb/files/influxdb.conf +++ b/influxdb/files/influxdb.conf @@ -187,7 +187,11 @@ reporting-disabled = false [http] enabled = true bind-address = "{{ server.http.bind.address }}:{{ server.http.bind.port }}" + {%- if server.admin.get('user', {}).get('enabled', false) %} + auth-enabled = true + {%- else %} auth-enabled = false + {%- endif %} log-enabled = true write-tracing = false pprof-enabled = false diff --git a/influxdb/server.sls b/influxdb/server.sls index 06643b5..c0f0ea6 100644 --- a/influxdb/server.sls +++ b/influxdb/server.sls @@ -25,8 +25,76 @@ influxdb_service: service.running: - enable: true - name: {{ server.service }} + # This delay is needed before being able to send data to server to create + # users and databases. + - init_delay: 5 - watch: - file: influxdb_config - file: influxdb_default +{% set url_for_query = "http://{}:{}/query".format(server.http.bind.address, server.http.bind.port) %} +{% set admin_created = false %} + +{%- if server.admin.get('user', {}).get('enabled', false) %} + {% set query_create_admin = "--data-urlencode \"q=CREATE USER {} WITH PASSWORD '{}' WITH ALL PRIVILEGES\"".format(server.admin.user.name, server.admin.user.password) %} + {% set admin_url = "http://{}:{}/query?u={}&p={}".format(server.http.bind.address, server.http.bind.port, server.admin.user.name, server.admin.user.password) %} +influxdb_create_admin: + cmd.run: + - name: curl -f -S -POST "{{ url_for_query }}" {{ query_create_admin }} || curl -f -S -POST "{{ admin_url }}" {{ query_create_admin }} + - require: + - service: influxdb_service + {% set url_for_query = admin_url %} + {% set admin_created = true %} +{%- endif %} + +# An admin must exist before creating others users +{%- if admin_created %} + {%- for user_name, user in server.get('user', {}).iteritems() %} + {%- if user.get('enabled', false) %} + {%- if user.get('admin', false) %} + {% set query_create_user = "--data-urlencode \"q=CREATE USER {} WITH PASSWORD '{}' WITH ALL PRIVILEGES\"".format(user.name, user.password) %} + {%- else %} + {% set query_create_user = "--data-urlencode \"q=CREATE USER {} WITH PASSWORD '{}'\"".format(user.name, user.password) %} + {%- endif %} +influxdb_create_user_{{user.name}}: + cmd.run: + - name: curl -f -S -POST "{{ url_for_query }}" {{ query_create_user }} + - require: + - cmd: influxdb_create_admin + # TODO: manage user deletion + {%- endif %} + {%- endfor %} +{%- endif %} + +{%- for db_name, db in server.get('database', {}).iteritems() %} + {%- if db.get('enabled', false) %} + {% set query_create_db = "--data-urlencode \"q=CREATE DATABASE {}\"".format(db.name) %} +influxdb_create_db_{{db.name}}: + cmd.run: + - name: curl -f -S -POST "{{ url_for_query }}" {{ query_create_db }} + {%- if admin_created %} + - require: + - cmd: influxdb_create_admin + {%- endif %} + # TODO: manage database deletion + {%- endif %} +{%- endfor %} + +# An admin must exist to manage grants, otherwise there is no user. +{%- if admin_created %} +{%- for grant_name, grant in server.get('grant', {}).iteritems() %} + {%- if grant.get('enabled', false) %} + {% set query_grant_user_access = "--data-urlencode \"q=GRANT {} ON {} TO {}\"".format(grant.privilege, grant.database, grant.user) %} +influxdb_grant_{{grant_name}}: + cmd.run: + - name: curl -f -S -POST "{{ url_for_query }}" {{ query_grant_user_access }} + - require: + - cmd: influxdb_create_db_{{grant.database}} + - cmd: influxdb_create_user_{{grant.user}} + - cmd: influxdb_create_admin + # TODO: manage grant deletion (if needed) + {%- endif %} +{%- endfor %} +{%- endif %} + {%- endif %} -- 2.32.7