upgrade influx

salt/common/tools/sbin/so-influxdb-user

@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+usage() {
+    echo "Usage: $0 <add|delete|enable|disable|password> <new-user-email>"
+    echo ""
+    echo "Supported Operations:"
+    echo "  add        Adds a new user"
+    echo "  delete     Removes an existing user"
+    echo "  enable     Enables a user"
+    echo "  disable    Disables a user"
+    echo "  password   Updates a user's password"
+    echo ""
+    echo "If required, the password will be read from STDIN."
+    exit 1
+}
+
+if [ $# -ne 2 ]; then
+  usage
+fi
+
+KIND=InfluxDB
+OP=$1
+USER_EMAIL=$2
+TOKEN=$(lookup_pillar_secret influx_token)
+
+log() {
+  echo -e "$@"
+}
+
+read_password() {
+  # Read password for new user from stdin
+  test -t 0
+  if [[ $? == 0 ]]; then
+    echo "Enter new password:"
+  fi
+  read -rs USER_PASS
+
+  check_password_and_exit "$USER_PASS"
+}
+
+check_response() {
+  response=$1
+  if [[ "$response" =~ "\"code\":" ]]; then
+    log "Failed. Check the response for more details.\n$response"
+  fi
+}
+
+set -eo pipefail
+
+if [[ "$OP" == "add" ]]; then
+  log "Creating new $KIND user"
+  response=$(curl -sk https://localhost:8086/api/v2/users -X POST -d "{\"name\":\"$USER_EMAIL\"}" -H "Authorization: Token $TOKEN")
+  check_response "$response"
+  OP=password
+fi
+
+response=$(curl -sk https://localhost:8086/api/v2/users?limit=100 -H "Authorization: Token $TOKEN")
+check_response "$response"
+USER_ID=$(echo "$response" | jq -r ".users[] | select(.name == \"$USER_EMAIL\").id")
+if [[ -z "$USER_ID" ]]; then
+  log "$KIND user not found"
+  exit 1
+fi
+
+if [[ "$OP" == "password" ]]; then
+  read_password
+  log "Updating $KIND user password"
+  response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID/password -X POST -d "{\"password\":\"$USER_PASS\"}" -H "Authorization: Token $TOKEN")
+  check_response "$response"
+fi
+
+if [[ "$OP" == "delete" ]]; then
+  log "Deleting $KIND user"
+  response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X DELETE -H "Authorization: Token $TOKEN")
+  check_response "$response"
+fi
+
+if [[ "$OP" == "enable" ]]; then
+  log "Enabling $KIND user"
+  response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"active\"}" -H "Authorization: Token $TOKEN")
+  check_response "$response"
+fi
+
+if [[ "$OP" == "disable" ]]; then
+  log "Disabling $KIND user"
+  response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"inactive\"}" -H "Authorization: Token $TOKEN")
+  check_response "$response"
+fi

salt/common/tools/sbin/so-user

@@ -588,6 +588,7 @@ case "${operation}" in
     syncAll
     echo "Successfully added new user to SOC"
     check_container fleet && echo "$password" | so-fleet-user-add "$email"
+    echo "$password" | so-influxdb-user add "$email"
     ;;
 
   "list")
@@ -628,6 +629,7 @@ case "${operation}" in
     updateUserPassword "$email"
     syncAll
     echo "Successfully updated user password"
+    echo "$password" | so-influxdb-user password "$email"
     ;;
 
   "profile")
@@ -648,6 +650,7 @@ case "${operation}" in
     syncAll
     echo "Successfully enabled user"
     echo "Fleet user will need to be recreated manually with so-fleet-user-add"
+    so-influxdb-user enable "$email"
     ;;
 
   "disable")
@@ -659,6 +662,7 @@ case "${operation}" in
     syncAll
     echo "Successfully disabled user"
     check_container fleet && so-fleet-user-delete "$email"   
+    so-influxdb-user disable "$email"
     ;;    
 
   "delete")
@@ -670,6 +674,7 @@ case "${operation}" in
     syncAll
     echo "Successfully deleted user"
     check_container fleet && so-fleet-user-delete "$email"
+    so-influxdb-user delete "$email"
     ;;
 
   "sync")

salt/nginx/etc/nginx.conf

@@ -185,11 +185,11 @@ http {
 		
 		location /influxdb/ {
 			auth_request          /auth/sessions/whoami;
+			rewrite               /influxdb/api/(.*) /api/$1 break;
 			proxy_pass            https://{{ GLOBALS.manager_ip }}:8086/;
-			proxy_read_timeout    90;
+			proxy_read_timeout    300;
 			proxy_connect_timeout 90;
 			proxy_set_header      Host $host;
-			proxy_set_header      Authorization "Basic {{ influxauth }}";
 			proxy_set_header      X-Real-IP $remote_addr;
 			proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
 			proxy_set_header      Proxy "";

salt/telegraf/etc/telegraf.conf

@@ -2,6 +2,7 @@
 {%- set INFLUXDBHOST = GLOBALS.influxdb_host %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
+{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %}
 {%- set NODEIP = GLOBALS.node_ip %}
 {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
 {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
@@ -71,8 +72,11 @@
 ###############################################################################
 
 # Configuration for sending metrics to InfluxDB
-[[outputs.influxdb]]
+[[outputs.influxdb_v2]]
   urls = ["https://{{ INFLUXDBHOST }}:8086"]
+  token = "$TOKEN"
+  organization = "Security Onion"
+  bucket = "telegraf/so_short_term"
 
   ## Optional TLS Config for use on HTTP connections.
    tls_ca = "/etc/telegraf/ca.crt"