I understand that I have to authenticate from telegraf to influxdb. But does telegraf itself have authentication, i.e. when I talk to telegraf do I have to authenticate? Is it disabled by default? If it is, then how do I enable it?

Isn’t whatever you measure a source that should take care of authentication? ... if you want telegraf to read from a database for instance, you need creds to get in there. Reading from an access.log you need access to a file, etc. – GerardJP Dec 07 '19 at 14:11
2 Answers
To answer your question, NO, telegraf doesn't authenticate to itself. Why would it need to!
Telegraf (being a collection agent) just runs on target nodes and feeds the data it collects (periodically) to some output data store (which could be all you can find here in this conf file:
https://raw.githubusercontent.com/influxdata/telegraf/master/etc/telegraf.conf).
Now, for connecting to one of the output plugins (as TICK stack's Telegraf is plugin based), that output plugin's code would require you or have provided you some mechanism for authentication, i.e. how would telegraf authenticate for connecting to the target output data store and feeding its data via username/password or some token etc.
-- You have to mention in that conf file under [[outputs.xyzabc123]] what my output plugin is, and what (what mechanism) the output plugin (per that plugin's documentation) requires in the telegraf.conf file for doing that particular output plugin's authentication.
The above conf file will help you understand how you can authenticate when dealing with a given output plugin.
See Telegraf test input and output plugins error multiple conf files if you want to set up more than one conf file, where one conf contains input plugins and another conf file contains your output plugin.

For anybody else wondering how to secure these data streams ... see my comment on the question and also consider this:
Auth between Telegraf and the remote side being influxdb for instance can, for lack of a better word, be encapsulated in ssl. When so configured, you can issue certs for your clients (the telegraf agents) from your own CA and therewith only allow input from known certs/identities.
That as a whole protects sources end to end.

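The two answers above (per-output credentials in telegraf.conf, and client certificates issued from your own CA) combined in one `[[outputs.influxdb]]` section. This is an added example, not part of either answer: the hostname, file paths and environment variable names are placeholders, and it assumes the receiving endpoint (InfluxDB or a TLS-terminating proxy in front of it) is set up to require and verify client certificates.

```toml
# Added example. Hostname, paths and environment variable names are placeholders.

# Weak form, shown for contrast: plaintext HTTP, no credentials, so nothing
# identifies the agent and the metrics travel unencrypted.
# [[outputs.influxdb]]
#   urls = ["http://influxdb.example.internal:8086"]
#   database = "telegraf"

[[outputs.influxdb]]
  # HTTPS endpoint of the data store
  urls = ["https://influxdb.example.internal:8086"]
  database = "telegraf"

  # Credentials for this output plugin, taken from Telegraf's environment
  # instead of being written into the file
  username = "${INFLUX_USER}"
  password = "${INFLUX_PASSWORD}"

  # CA certificate Telegraf uses to verify the server it is writing to
  tls_ca = "/etc/telegraf/ca.pem"

  # Client certificate and key issued to this agent by your own CA;
  # the receiving side accepts writes only from certificates it can verify
  tls_cert = "/etc/telegraf/cert.pem"
  tls_key = "/etc/telegraf/key.pem"

  # Keep server certificate verification on
  insecure_skip_verify = false
```

Restrict read access on the key file and on wherever the environment variables are defined to the account Telegraf runs as.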