User Management
Chronograf’s Admin
page includes a complete interface for database user management. The Admin
page supports both OSS InfluxDB users and InfluxEnterprise users.
This page covers user management specific to OSS InfluxDB and InfluxEnterprise clusters. See Security Best Practices for more information about Chronograf’s authentication and user management features.
Content
Enable Authentication
Follow the steps below to enable authentication. The steps are the same for OSS InfluxDB instances and InfluxEnterprise clusters. Note that if you’re working with an InfluxEnterprise cluster, you will need to repeat steps one through three for each data node in the cluster.
Step 1: Enable authentication
Enable authentication in InfluxDB’s configuration file. For most installations, the configuration file is located in /etc/influxdb/influxdb.conf
.
In the [http]
section, uncomment the auth-enabled
option and set it to true
:
[http] # Determines whether HTTP endpoint is enabled. # enabled = true # The bind address used by the HTTP service. # bind-address = ":8086" # Determines whether HTTP authentication is enabled. auth-enabled = true #????
Step 2: Restart the process
Next, restart the InfluxDB process for your configuration changes to take effect:
~# sudo systemctl restart influxdb
Step 3: Create an admin user
Because you enabled authentication, you must create an admin user before you can do anything else in the database. Run the command below to create an admin user, replacing:
-
localhost
with the IP or hostname of your OSS InfluxDB instance or one of your InfluxEnterprise data nodes -
chronothan
with your own username -
supersecret
with your own password (note that the password requires single quotes)
~# curl -XPOST "http://localhost:8086/query" --data-urlencode "q=CREATE USER chronothan WITH PASSWORD 'supersecret' WITH ALL PRIVILEGES"
A successful CREATE USER
query returns a blank result:
{"results":[{"statement_id":0}]} <--- Success!
Step 4: Edit the database source in Chronograf
If you’ve already connected your database to Chronograf, update the connection configuration in Chronograf with your new username and password. Edit existing database sources by navigating to the Chronograf’s configuration page and clicking on the name of the source.
OSS InfluxDB User Management
On the Admin
page:
- View, create, and delete admin and non-admin users
- Change user passwords
- Assign admin and remove admin permissions to or from a user
InfluxDB users are either admin users or non-admin users. See InfluxDB’s authentication and authorization documentation for more information about those user types.
Note that currently, Chronograf does not support assigning database READ
or WRITE
access to non-admin users. This is a known issue. As a workaround, grant READ
, WRITE
, or ALL
(READ
and WRITE
) permissions to non-admin users with the following curl commands, replacing anything inside < >
with your own values:
Grant READ
permission:
~# curl -XPOST "http://<InfluxDB-IP>:8086/query?u=<username>&p=<password>" --data-urlencode "q=GRANT READ ON <database-name> TO <non-admin-username>"
Grant WRITE
permission:
~# curl -XPOST "http://<InfluxDB-IP>:8086/query?u=<username>&p=<password>" --data-urlencode "q=GRANT WRITE ON <database-name> TO <non-admin-username>"
Grant ALL
permission:
~# curl -XPOST "http://<InfluxDB-IP>:8086/query?u=<username>&p=<password>" --data-urlencode "q=GRANT ALL ON <database-name> TO <non-admin-username>"
In all cases, a successful GRANT
query returns a blank result:
{"results":[{"statement_id":0}]} <--- Success!
Remove READ
, WRITE
, or ALL
permissions from non-admin users by replacing GRANT
with REVOKE
in the curl commands above.
InfluxEnterprise User Management
On the Admin
page:
- View, create, and delete users
- Change user passwords
- Assign and remove permissions to or from a user
- Create, edit, and delete roles
- Assign and remove roles to or from a user
User Types
The admin user that you created when you enabled authentication, has the following permissions by default:
- CreateDatabase
- CreateUserAndRole
- DropData
- DropDatabase
- ManageContinuousQuery
- ManageQuery
- ManageShard
- ManageSubscription
- Monitor
- ReadData
- ViewAdmin
- ViewChronograf
- WriteData
Non-admin users have no permissions by default. Assign permissions and roles to both admin and non-admin users.
Permissions
AddRemoveNode
Permission to add or remove nodes from a cluster.
Relevant influxd-ctl
arguments: add-data
, add-meta
, join
, remove-data
, remove-meta
, and leave
Pages in Chronograf that require this permission: NA
CopyShard
Permission to copy shards.
Relevant influxd-ctl
arguments: copy-shard
Pages in Chronograf that require this permission: NA
CreateDatabase
Permission to create databases, create retention policies, alter retention policies, and view retention policies.
Relevant InfluxQL queries: CREATE DATABASE
, CREATE RETENTION POLICY
, ALTER RETENTION POLICY
, and SHOW RETENTION POLICIES
Pages in Chronograf that require this permission: Dashboards, Data Explorer, and Databases on the Admin page
CreateUserAndRole
Permission to manage users and roles; create users, drop users, grant admin status to users, grant permissions to users, revoke admin status from users, revoke permissions from users, change user’s passwords, view user permissions, and view users and their admin status.
Relevant InfluxQL queries: CREATE USER
, DROP USER
, GRANT ALL PRIVILEGES
, GRANT [READ,WRITE,ALL]
, REVOKE ALL PRIVILEGES
, REVOKE [READ,WRITE,ALL]
, SET PASSWORD
, SHOW GRANTS
, and SHOW USERS
Pages in Chronograf that require this permission: Data Explorer, Dashboards, Users and Roles on the Admin page
DropData
Permission to drop data, in particular series and measurements.
Relevant InfluxQL queries: DROP SERIES
, DELETE
, and DROP MEASUREMENT
Pages in Chronograf that require this permission: NA
DropDatabase
Permission to drop databases and retention policies.
Relevant InfluxQL queries: DROP DATABASE
and DROP RETENTION POLICY
Pages in Chronograf that require this permission: Data Explorer, Dashboards, Databases on the Admin page
KapacitorAPI
Permission to access the API for InfluxEnterprise Kapacitor. This does not include configuration-related API calls.
Pages in Chronograf that require this permission: NA
KapacitorConfigAPI
Permission to access the configuration-related API calls for InfluxEnterprise Kapacitor.
Pages in Chronograf that require this permission: NA
ManageContinuousQuery
Permission to create, drop, and view continuous queries.
Relevant InfluxQL queries: CreateContinuousQueryStatement
, [DropContinuousQueryStatement
](), and ShowContinuousQueriesStatement
Pages in Chronograf that require this permission: Data Explorer, Dashboards
ManageQuery
Permission to view and kill queries.
Relevant InfluxQL queries: SHOW QUERIES
and KILL QUERY
Pages in Chronograf that require this permission: Queries on the Admin page
ManageShard
Permission to copy, delete, and view shards.
Relevant InfluxQL queries: DropShardStatement
, ShowShardGroupsStatement
, and ShowShardsStatement
Pages in Chronograf that require this permission: NA
ManageSubscription
Permission to create, drop, and view subscriptions.
Relevant InfluxQL queries: CREATE SUBSCRIPTION
, DROP SUBSCRIPTION
, and SHOW SUBSCRIPTIONS
Pages in Chronograf that require this permission: Alerting
Monitor
Permission to run to view cluster statistics and diagnostics.
Relevant InfluxQL queries: SHOW DIAGNOSTICS
and SHOW STATS
Pages in Chronograf that require this permission: Data Explorer, Dashboards
NoPermissions
This permission is deprecated.
ReadData
Permission to read data.
Relevant InfluxQL queries: SHOW FIELD KEYS
, SHOW MEASUREMENTS
, SHOW SERIES
, SHOW TAG KEYS
, and SHOW TAG VALUES
Pages in Chronograf that require this permission: Admin, Alerting, Dashboards, Data Explorer, Host List
Rebalance
This permission is deprecated.
ViewAdmin
This permission is deprecated and will be removed in a future release.
ViewChronograf
This permission is deprecated and will be removed in a future release.
WriteData
Permission to write data.
Relevant InfluxQL queries: NA
Pages in Chronograf that require this permission: NA
Roles
Roles are groups of permissions. Assign roles to one user or to more than one user.
For example, the image below contains three roles: CREATOR
, DESTROYER
, and POWERLESS
. CREATOR
includes two permissions (CreateDatbase
and CreateUserAndRole
) and is assigned to one user (chrononut
). DESTROYER
also includes two permissions (DropDatabase
and DropData
) and is assigned to two users (chrononut
and chronelda
).
© 2015 InfluxData, Inc.
Licensed under the MIT license.
https://docs.influxdata.com/chronograf/v1.3/administration/user-management/