Telegraf: Telegraf user requires ALL PRIVILEGES else it gets "not authorized to execute statement CREATE DATABASE"

Created on 6 Mar 2017  路  8Comments  路  Source: influxdata/telegraf

Bug report

Telegraf (master @ 10744646dbdd52dea349dd7773bcd7115e4a838d) using a user with only WRITE privileges on an already-existing "telegraf" database cannot add data due to this error:

2017-03-06T05:10:22Z E! Database creation failed: Response Error: Status Code [403], expected [200], [error authorizing query: telegraf_filesrv not authorized to execute statement 'CREATE DATABASE telegraf', requires admin privilege]

This worked back in July 2016 when I last setup InfluxDB+Telegraf but since then it appears CREATE DATABASE is run every time by Telegraf. The only way to let Telegraf write to my database is to GRANT ALL TO telegraf_filesrv.

Perhaps https://github.com/influxdata/telegraf/issues/2231 ran into this but failed to include any details? I wouldn't mind having such a configuration option in Telegraf.

Relevant telegraf.conf:

[[outputs.influxdb]]
  urls = ["https://filesrv.rob86.net:8086"] # required
  database = "telegraf" # required
  retention_policy = ""
  write_consistency = "any"
  timeout = "5s"
  username = "telegraf_filesrv"
  password = "REPLACE_ME"
  ssl_ca = "/etc/filesrv.rob86.net.cert.pem"

System info:

Telegraf vdev-72-g1074464 (git: master 1074464)
Connected to https://localhost:8086 version 1.2.0
Linux filesrv.rob86.net 4.9.10-200.fc25.x86_64 #1 SMP Wed Feb 15 23:28:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Fedora release 25 (Twenty Five)

Steps to reproduce:

CREATE DATABASE telegraf
CREATE USER telegraf_filesrv WITH PASSWORD 'REPLACE_ME'
GRANT WRITE ON telegraf TO telegraf_filesrv

Expected behavior:

Telegraf is able to add metrics to the database with only WRITE privileges if the "telegraf" database has already been created.

Actual behavior:

Telegraf fails to execute query to add data due to no permission to run "CREATE DATABASE telegraf"

Feature Request

Add option to prevent Telegraf from trying to execute "CREATE DATABASE" and just write data.

Use case:

Allows Telegraf users to be locked down to just WRITE vs ALL PRIVILEGES.

areinfluxdb bug
Source
picture Robpol86
👍2

Most helpful comment

You can now use skip_database_creation = true in the influxdb output.

picture danielnelson on 28 Mar 2018
👍12

All 8 comments

sure, seems reasonable

sparrc picture sparrc on 6 Mar 2017

This seems perhaps also related to #1655

I haven't found that further writes are broken if the database already exists despite the CREATE failure, but it does create a log entry each time Telegraf starts.

WaterByWind picture WaterByWind on 7 Mar 2017

Hello, is this being actively worked on? I would be happy to implement this as it is a blocker to some work I am doing.

sjohnson540 picture sjohnson540 on 5 Mar 2018

@sjohnson540 My understanding of the current state of this issue is that Telegraf always tries to create a database on startup, but if it fails then it will continue and write successfully. I would still like to add an option to not create the database but it shouldn't affect operation.

danielnelson picture danielnelson on 5 Mar 2018

@danielnelson oh interesting, I see that now, sorry for the confusion.

sjohnson540 picture sjohnson540 on 5 Mar 2018

@danielnelson Are you going to do the work for this one? I have a interest. :)

image

JeffAshton picture JeffAshton on 21 Mar 2018

Yes, should be ready in the next few days.

danielnelson picture danielnelson on 21 Mar 2018
👍2

You can now use skip_database_creation = true in the influxdb output.

danielnelson picture danielnelson on 28 Mar 2018
👍12
Was this page helpful?
0 / 5 - 0 ratings

Related issues

chench00 picture chench00  路  3Comments
nsteinmetz picture nsteinmetz  路  3Comments
hluaces picture hluaces  路  3Comments
aihysp picture aihysp  路  3Comments
corentingi picture corentingi  路  3Comments