vSphere Performance - Telegraf, InfluxDB and Grafana 7 - Configure InfluxDB Authentication and https

Page content

Intro

This is the eleventh part of a blog series about Telegraf, InfluxDB and Grafana where we use vSphere performance data as our metric data.

In the last post we discussed a few dashboards I’ve created that makes use of the features we’ve discussed so far in this series.

In this post we’ll focus more on InfluxDB it self, and how to set up some authentication.

The posts in this series build on each other, but you should hopefully be able to use them as reference if you’re just jumping in to a specific post. I am using vSphere performance data from an InfluxDB database pulled by Telegraf for my examples.

InfluxDB security

By default, when you install InfluxDB there will be no authentication set up on the database, and it uses http as the protocol.

Although this makes it very easy to get up and running, it might be wise to set up authentication and authorization on your InfluxDB instances.

Be aware that even though the authentication is enabled through the [http] section of Influx’s configuration it also affects the CLI as this uses the http API behind the scenes.

In addition to enabling authentication it’s wise to enable https for InfluxDB so that the communication through the API is encrypted. Let’s start with the certificates.

Enable SSL

In this example I’ll create a self-signed certificate on the VM running InfluxDB. Normally you’ll request and get the certificate from a central PKI.

openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/key.pem -out /etc/ssl/cert.pem -days 365 -nodes
Create self-signed cert

Note that I’m not setting any passphrase for the key.

Now let’s make use of these in Influx. We’ll open up the InfluxDB configuration file

vi /etc/influxdb/influxdb.conf

We’ll scroll down to the [http] section, and change the following lines

  # Determines whether HTTPS is enabled.
    https-enabled = true

  # The SSL certificate to use when HTTPS is enabled.
    https-certificate = "/etc/ssl/cert.pem"

  # Use a separate private key location.
    https-private-key = "/etc/ssl/key.pem"

Now save the file, and restart the InfluxDB service, and also check that the service is running after the restart

systemctl restart influxdb

systemctl status influxdb
Restarting InfluxDB

Remember that I mentioned that the influx CLI is using the API behind the scenes? If I try to access the CLI without specifying anything I should get a message stating that the connection is refused

Connection refused in the CLI

This is now also affecting Grafana, and Telegraf that collects data.

Connection refused in Grafana

Before fixing Grafana and Telegraf, let’s verify that SSL is working through the CLI. We’ll start the CLI with the -ssl parameter. You might also need to add the -unsafeSsl parameter like in my example

influx -ssl -unsafeSsl
Testing CLI with https

Configure Telegraf to use SSL

Now that Influx is working through https we need to update the Telegraf config to reflect this.

We’ll have to edit /etc/telegraf/telegraf.conf and the [[outputs.influxdb]] section. First we’ll edit the urls option to use https (note that if you’re running Telegraf on the same server as InfluxDB this might be commented), and we will also change the insecure_skip_verify option to true if we’re using self-signed certificates

[[outputs.influxdb]]
  ## The full HTTP or UDP URL for your InfluxDB instance.
  ##
  ## Multiple URLs can be specified for a single cluster, only ONE of the
  ## urls will be written to each interval.
  # urls = ["unix:///var/run/influxdb.sock"]
  # urls = ["udp://127.0.0.1:8089"]
   urls = ["https://127.0.0.1:8086"]

  -----

   insecure_skip_verify = true

Now restart the Telegraf agent to update the configuration

systemctl restart telegraf

Configure Grafana to use SSL

Over in the Grafana UI we will go to our Datasource configuration and find our InfluxDB datasource. Edit the URL and optionally enable the Skip TLS Verify

Configure Grafana to use SSL for InfluxDB

Click Save & Test to verify that the datasource is working

Grafana datasource config working

Finally verify that our dashboards is yet again showing data. Note that there are a small gap in our graphs, this is the time when Telegraf wasn’t able to access Influx through the API

Grafana graphs working

So, we have InfluxDB configured to use SSL, and both Telegraf and Grafana is updated to contact Influx with the new configuration.

Now let’s add some authentication to InfluxDB.

Authentication

Before enabling authentication in InfluxDB it’s a good idea to read through the documentation on that topic. Both to learn the available roles, and also to note that Influx expects you to create atleast one admin user before enabling authentication

In my setup I will create three InfluxDB users:

  • One admin user for administrative tasks
  • A user for writing data
  • A user for reading data.

If you have multiple databases in your setup you might want to add more users and separate access on the individual databases.

Create user accounts

The process of creating user accounts is documented here

Users are created with the CREATE USER command, and privileges granted with the GRANT [READ, WRITE, ALL] command. The admin user will get it’s privileges granted upon creation

In my case I’ll create the admin user first, then the read and write users, and finally give the privileges on the Telegraf database

CREATE USER "influxadmin" WITH PASSWORD 'Passw0rd.' WITH ALL PRIVILEGES
CREATE USER "influxread" WITH PASSWORD 'Passw0rd.'
CREATE USER "influxwrite" WITH PASSWORD 'Passw0rd.'

GRANT READ ON "telegraf" TO "influxread"
GRANT WRITE ON "telegraf" TO "influxwrite"
Create users in InfluxDB

We can verify that our users have been created and the grants given

Show users in InfluxDB

Enable authentication

Now it’s time for enabling authentication in the InfluxDB configuration file. The option to change is the auth-enabled which needs to be set to true

auth-enabled = true

Now restart the InfluxDB service

systemctl restart influxdb

If we now start the Influx CLI we can see that we can start it, but as soon as we try to run a command we get an error stating that we’re not authenticated

Start CLI unauthenticated

Let’s run the auth command inside the CLI and specify our admin credentials

Login to the CLI

Now we can run our commands.

Note that you can login to the CLI while starting it. Check the documentation for more information

Configure Telegraf to use authentication

Now, we need to tell Telegaf to use our write user when writing to InfluxDB. We’ll modify the username and password options under the [[outputs.influxdb]] section in /etc/telegraf/telegraf.conf

## HTTP Basic Auth
username = "influxwrite"
password = "Passw0rd."

In this example I’m putting the credentials in the config file itself. Please note that this is a security risk

Again, restart Telegraf to make the configuration change

systemctl restart telegraf

Note. If you, like in my example, create a non admin user for writing to InfluxDB you also need to specify skip database creation in the Telegraf config

It seems that Telegraf will try to create the database even though it already exists, hence you’ll get an error message

Database creation forbidden

Change the skip_database_creation option in the Telegraf [[outputs.influxdb]] section to true and restart Telegraf, and you should be fine

Configure Grafana to use authentication

Now, let’s update our Grafana datasource to use authentication for InfluxDB so that our dashboards works.

Note that I’m now using the Read user

Configured the Grafana datasource with InfluxDB authentication

Summary

This post was all about how to get https on our InfluxDB server and how to set up InfluxDB authentication. We saw how to specify different authorization levels on InfluxDB users and then how we configured Telegraf and Grafana to use those users when connecting to Influx.

Thanks for reading, and as always, feel free to reach out if you have any questions or comments

This page was modified on August 26, 2020: Fixed text on password