Add support for collectd security policy

There are 2 new keys in the configuration file. - security-level: "none", "sign", or "encrypt". - auth-file: The location of the user/password file. Please see the collectd network doc for more details.
influxdata · Nov 8, 2016 · 7d277d0 · 7d277d0
1 parent 0260dfb
commit 7d277d0
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 3 deletions.
diff --git a/cmd/influxd/run/config.go b/cmd/influxd/run/config.go
@@ -159,12 +159,18 @@ func (c *Config) Validate() error {
 		return err
 	}
 
-	for _, g := range c.GraphiteInputs {
-		if err := g.Validate(); err != nil {
+	for _, graphite := range c.GraphiteInputs {
+		if err := graphite.Validate(); err != nil {
 			return fmt.Errorf("invalid graphite config: %v", err)
 		}
 	}
 
+	for _, collectd := range c.CollectdInputs {
+		if err := collectd.Validate(); err != nil {
+			return fmt.Errorf("invalid collectd config: %v", err)
+		}
+	}
+
 	return nil
 }
 

diff --git a/etc/config.sample.toml b/etc/config.sample.toml
@@ -340,6 +340,8 @@
   # database = "collectd"
   # retention-policy = ""
   # typesdb = "/usr/share/collectd/types.db"
+  # security-level = "none"
+  # auth-file = "/etc/collectd/auth_file"
 
   # These next lines control how batching works. You should have this enabled
   # otherwise you could get dropped metrics or poor performance. Batching

diff --git a/services/collectd/README.md b/services/collectd/README.md
@@ -32,4 +32,6 @@ Please note that UDP packets larger than the standard size of 1452 are dropped a
   batch-timeout = "10s"
   read-buffer = 0 # UDP read buffer size, 0 means to use OS default
   typesdb = "/usr/share/collectd/types.db"
+  security-level = "none" # "none", "sign", or "encrypt"
+  auth-file = "/etc/collectd/auth_file"
 ```
diff --git a/services/collectd/config.go b/services/collectd/config.go
@@ -1,6 +1,7 @@
 package collectd
 
 import (
+	"errors"
 	"time"
 
 	"github.com/influxdata/influxdb/toml"
@@ -40,6 +41,12 @@ const (
 	//     Linux:      sudo sysctl -w net.core.rmem_max=<read-buffer>
 	//     BSD/Darwin: sudo sysctl -w kern.ipc.maxsockbuf=<read-buffer>
 	DefaultReadBuffer = 0
+
+	// DefaultSecurityLevel is the default security level.
+	DefaultSecurityLevel = "none"
+
+	// DefaultAuthFile is the default location of the user/password file.
+	DefaultAuthFile = "/etc/collectd/auth_file"
 )
 
 // Config represents a configuration for the collectd service.
@@ -53,6 +60,8 @@ type Config struct {
 	BatchDuration   toml.Duration `toml:"batch-timeout"`
 	ReadBuffer      int           `toml:"read-buffer"`
 	TypesDB         string        `toml:"typesdb"`
+	SecurityLevel   string        `toml:"security-level"`
+	AuthFile        string        `toml:"auth-file"`
 }
 
 // NewConfig returns a new instance of Config with defaults.
@@ -66,6 +75,8 @@ func NewConfig() Config {
 		BatchPending:    DefaultBatchPending,
 		BatchDuration:   DefaultBatchDuration,
 		TypesDB:         DefaultTypesDB,
+		SecurityLevel:   DefaultSecurityLevel,
+		AuthFile:        DefaultAuthFile,
 	}
 }
 
@@ -97,6 +108,22 @@ func (c *Config) WithDefaults() *Config {
 	if d.TypesDB == "" {
 		d.TypesDB = DefaultTypesDB
 	}
+	if d.SecurityLevel == "" {
+		d.SecurityLevel = DefaultSecurityLevel
+	}
+	if d.AuthFile == "" {
+		d.AuthFile = DefaultAuthFile
+	}
 
 	return &d
 }
+
+func (c *Config) Validate() error {
+	switch c.SecurityLevel {
+	case "none", "sign", "encrypt":
+	default:
+		return errors.New("Invalid security level")
+	}
+
+	return nil
+}
diff --git a/services/collectd/service.go b/services/collectd/service.go
@@ -151,6 +151,23 @@ func (s *Service) Open() error {
 			s.popts.TypesDB = types
 		}
 	}
+
+	// Sets the security level according to the config.
+	// Default not necessary because we validate the config.
+	switch s.Config.SecurityLevel {
+	case "none":
+		s.popts.SecurityLevel = network.None
+	case "sign":
+		s.popts.SecurityLevel = network.Sign
+	case "encrypt":
+		s.popts.SecurityLevel = network.Encrypt
+	}
+
+	// Sets the auth file according to the config.
+	if s.popts.PasswordLookup == nil {
+		s.popts.PasswordLookup = network.NewAuthFile(s.Config.AuthFile)
+	}
+
 	// Resolve our address.
 	addr, err := net.ResolveUDPAddr("udp", s.Config.BindAddress)
 	if err != nil {
@@ -334,7 +351,7 @@ func (s *Service) handleMessage(buffer []byte) {
 		return
 	}
 	for _, valueList := range valueLists {
-		points := s.UnmarshalValueList(&valueList)
+		points := s.UnmarshalValueList(valueList)
 		for _, p := range points {
 			s.batcher.In() <- p
 		}