content/enterprise_influxdb/v1/guides/authenticate.md
To require valid credentials for cluster access, see "Enable authentication".
Authenticate with the InfluxDB API using one of the following options:
If you authenticate with both basic authentication and the URL query parameters, the user credentials specified in the query parameters take precedence. The following examples demonstrate queries with admin user permissions. To learn about different user types, permissions, and how to manage users, see authorization.
{{% note %}} InfluxDB Enterprise redacts passwords in log output when you enable authentication. {{% /note %}}
```bash
curl -G http://localhost:8086/query \
  -u todd:password4todd \
  --data-urlencode "q=SHOW DATABASES"
```
Set `u` as the username and `p` as the password.

```bash
curl -G "http://localhost:8086/query?u=todd&p=password4todd" \
  --data-urlencode "q=SHOW DATABASES"
```

```bash
curl -G http://localhost:8086/query \
  --data-urlencode "u=todd" \
  --data-urlencode "p=password4todd" \
  --data-urlencode "q=SHOW DATABASES"
```
There are three options for authenticating with the CLI:
Use the `INFLUX_USERNAME` and `INFLUX_PASSWORD` environment variables to provide
authentication credentials to the `influx` CLI.

```bash
export INFLUX_USERNAME=todd
export INFLUX_PASSWORD=password4todd
echo $INFLUX_USERNAME $INFLUX_PASSWORD
todd password4todd

influx
Connected to http://localhost:8086 version {{< latest-patch >}}
InfluxDB shell {{< latest-patch >}}
```
Use the `-username` and `-password` flags to provide authentication credentials
to the `influx` CLI.

```bash
influx -username todd -password password4todd
Connected to http://localhost:8086 version {{< latest-patch >}}
InfluxDB shell {{< latest-patch >}}
```
Start the `influx` shell and run the `auth` command.
Enter your username and password when prompted.

```
$ influx
Connected to http://localhost:8086 version {{< latest-patch >}}
InfluxDB shell {{< latest-patch >}}
> auth
username: todd
password:
>
```
For a more secure alternative to using passwords, include JWT tokens with requests to the InfluxDB API. This is currently only possible through the InfluxDB HTTP API.
Add a shared secret in your InfluxDB Enterprise configuration file.
InfluxDB Enterprise uses the shared secret to encode the JWT signature.
By default, `shared-secret` is set to an empty string, in which case no JWT authentication takes place.
Add a custom shared secret in your InfluxDB configuration file. The longer the secret string, the more secure it is:

```toml
[http]
  shared-secret = "my super secret pass phrase"
```

Alternatively, to avoid keeping your secret phrase as plain text in your InfluxDB configuration file,
set the value with the `INFLUXDB_HTTP_SHARED_SECRET` environment variable.
Generate your JWT token.
Use an authentication service to generate a secure token using your InfluxDB username, an expiration time, and your shared secret. There are online tools, such as https://jwt.io/, that will do this for you.
The payload (or claims) of the token must be in the following format:
```json
{
  "username": "myUserName",
  "exp": 1516239022
}
```
Encode the payload using your shared secret. You can do this with either a JWT library in your own authentication server or by hand at https://jwt.io/.
The generated token follows this format: `<header>.<payload>.<signature>`
Include the token in HTTP requests.
Include your generated token as part of the `Authorization` header in HTTP requests:

```
Authorization: Bearer <myToken>
```
{{% note %}} Only unexpired tokens will successfully authenticate. Be sure your token has not expired. {{% /note %}}
```bash
curl -G "http://localhost:8086/query?db=demodb" \
  --data-urlencode "q=SHOW DATABASES" \
  --header "Authorization: Bearer <header>.<payload>.<signature>"
```
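
The token-generation step above, done locally with Python's standard library so the shared secret stays on your own host. This is an added example, not code from the InfluxDB project; it assumes HS256 signing (the jwt.io default), and `make_token` and `check_token` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def b64url(data):
    """Base64url without '=' padding, as used for each JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username, secret, ttl_seconds=300, now=None):
    """Return <header>.<payload>.<signature> carrying the username and exp claims."""
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: HS256, the jwt.io default
    payload = {"username": username, "exp": issued + ttl_seconds}
    segments = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def check_token(token, secret, now=None):
    """Local pre-flight check (not InfluxDB's code): signature first, then expiry."""
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match the shared secret")
    payload = json.loads(b64url_decode(signing_input.split(".")[1]))
    current = int(time.time()) if now is None else now
    if payload["exp"] <= current:
        raise ValueError("token expired")
    return payload["username"]


if __name__ == "__main__":
    # The secret comes from the environment variable the page names, not a literal here.
    secret = os.environ["INFLUXDB_HTTP_SHARED_SECRET"]
    token = make_token("todd", secret)  # "todd" is the page's sample user
    print("Authorization: Bearer " + token)
```

A short `ttl_seconds` keeps a leaked token useful for only a few minutes; issue a fresh token per session rather than reusing a long-lived one.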
Authenticating Telegraf requests to an InfluxDB instance with
authentication enabled requires some additional steps.
In the Telegraf configuration file (`/etc/telegraf/telegraf.conf`), uncomment
and edit the `username` and `password` settings.

```toml
###############################################################################
#                            OUTPUT PLUGINS                                   #
###############################################################################

# ...

[[outputs.influxdb]]
  # ...
  username = "example-username" # Provide your username
  password = "example-password" # Provide your password

# ...
```
Restart Telegraf and you're all set!