Configure authentication
To configure authentication, do one of the following:
Enable authentication
Authentication is disabled by default in InfluxDB and InfluxDB Enterprise. After installing the data nodes, enable authentication to control access to your cluster.
To enable authentication in a cluster, do the following:
- Create an admin user (if you haven’t already). Using the influx CLI, run the following command:
      CREATE USER <admin_user> WITH PASSWORD '<admin_password>' WITH ALL PRIVILEGES
  Replace the following:
  - <admin_user>: Admin username
  - <admin_password>: Admin password
- Set auth-enabled to true in the [http] section of the configuration files for all data nodes:
      [http]
      # ...
      auth-enabled = true
- Restart all InfluxDB Enterprise meta and data nodes to apply the updated configuration. Once restarted, InfluxDB Enterprise checks user credentials on every request and only processes requests with valid credentials.
Configure authentication using JWT tokens
For a more secure alternative to using passwords, include JWT tokens in requests to the InfluxDB API.
- Add a shared secret in your InfluxDB Enterprise configuration file.
  InfluxDB Enterprise uses the shared secret to encode the JWT signature. By default, shared-secret is set to an empty string (no JWT authentication). Add a custom shared secret in your InfluxDB configuration file for each meta and data node. Longer strings are more secure:
      [http]
      shared-secret = "my super secret pass phrase"
  Alternatively, to avoid keeping your secret phrase as plain text in your InfluxDB configuration file, set the value with the INFLUXDB_HTTP_SHARED_SECRET environment variable (for example, in Linux):
      export INFLUXDB_HTTP_SHARED_SECRET=MYSUPERSECRETPASSPHRASE
- Generate your JWT token.
  Use an authentication service (such as https://jwt.io/) to generate a secure token using your InfluxDB username, an expiration time, and your shared secret.
  The payload (or claims) of the token must be in the following format:
      {
        "username": "myUserName",
        "exp": 1516239022
      }
  - username - InfluxDB username.
  - exp - Token expiration in UNIX epoch time. For increased security, keep token expiration periods short. For testing, you can manually generate UNIX timestamps using https://www.unixtimestamp.com/index.php.
  To encode the payload using your shared secret, use a JWT library in your own authentication server or encode by hand at https://jwt.io/.
- Include the token in HTTP requests.
  Include your generated token as part of the Authorization header in HTTP requests:
      Authorization: Bearer <myToken>
  Only unexpired tokens will successfully authenticate. Verify your token has not expired.
Example query request with JWT authentication
curl -G "http://localhost:8086/query?db=demodb" \
--data-urlencode "q=SHOW DATABASES" \
--header "Authorization: Bearer <header>.<payload>.<signature>"
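The token steps above can also be carried out locally, so the shared secret never leaves your own host. The following Python is an added example, not code from InfluxData: it signs the username/exp payload with HMAC-SHA256 (an assumption, since the page does not name the algorithm; HS256 is the jwt.io default) and checks signature and expiry before the token is sent. The function names and the 300-second lifetime are illustrative.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def b64url(data: bytes) -> str:
    # JWT segments are URL-safe base64 without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())


def make_token(username: str, secret: str, ttl_seconds: int = 300, now=None) -> str:
    """Build a token whose claims use the page's format: username and exp."""
    if not secret:
        # An empty shared-secret means JWT authentication is off (page default).
        raise ValueError("shared secret is empty")
    issued = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: HS256
    claims = {"username": username, "exp": issued + ttl_seconds}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + sign(signing_input, secret)


def check_token(token: str, secret: str, now=None) -> dict:
    """Local pre-flight check: signature matches and exp is still in the future."""
    header_b64, claims_b64, signature = token.split(".")
    expected = sign(header_b64 + "." + claims_b64, secret)
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    if claims["exp"] <= int(time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # The secret is read from the environment variable named on the page.
    token = make_token("myUserName", os.environ["INFLUXDB_HTTP_SHARED_SECRET"])
    print("Authorization: Bearer " + token)
```

The printed line can be passed to curl with --header, as in the request above.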
Authentication and authorization HTTP errors
Requests with no authentication credentials or incorrect credentials yield the HTTP 401 Unauthorized response.
Requests by unauthorized users yield the HTTP 403 Forbidden response.
Next steps
After configuring authentication, you can manage users and permissions as necessary.
Important
Authentication must be enabled before authorization can be managed.
If authentication is not enabled, permissions will not be enforced.