Set up administrative authentication
Limited availability
InfluxDB Clustered is currently only available to a limited group of InfluxData customers. If interested in being part of the limited access group, please contact the InfluxData Sales team.
Administrative access to your InfluxDB cluster is managed through your identity provider. Use your identity provider to create OAuth2 accounts for all users who need administrative access to your InfluxDB cluster. Administrative access lets user perform actions like creating databases and tokens.
Identity providers can be deployed with your InfluxDB cluster or run externally. If you choose to deploy your provider with your InfluxDB cluster, the process outlined below should be done after your initial InfluxDB cluster deployment.
Bypass your identity provider for development and testing
If running in a development or testing environment and you do not want to authorize with an OAuth2 identity provider, InfluxDB Clustered provides an admin token in your cluster’s namespace that can be used to bypass your identity provider.
For more information, see Bypass your identity provider.
InfluxDB Clustered requires that your OAuth2 identity provider supports Device Authorization Flow. InfluxData has tested with the following identity providers:
Setup instructions are provided for the following:
Keycloak
To use Keycloak as your identity provider:
- Create a Keycloak realm
- Create a Keycloak client with device flow enabled
- Create users that need administrative access to your InfluxDB cluster
- Configure InfluxDB Clustered to use Keycloak
Create a Keycloak realm
See Creating a realm in the Keycloak documentation.
Create a Keycloak client with device flow enabled
-
In the Keycloak Admin Console, navigate to Clients and then click Create Client.
-
In the General Settings configuration step:
- Set the Client type to OpenID Connect.
- Enter a Client ID, Save your client ID to be used later.
- Optional: Enter a Name and Description for the client.
- Click Next.
-
In the Capability configuration step, enable the OAuth 2.0 Device Authorization Grant authentication flow, and then click Next.
-
In the Login settings step, you don’t need to change anything. Click Save.
Create users
See Creating users in the Keycloak documentation.
Find user IDs with Keycloak
To find the user IDs with Keycloak, use the Keycloak Admin Console or the Keycloak REST API.
Keycloak Admin Console
- In the Keycloak Admin Console, navigate to your realm
- Select Users in the left navigation.
- Select the user you want to find the ID for.
- Select the Details tab. The user ID is listed here.
Keycloak REST API
Send a GET request to the Keycloak REST API /users endpoint to fetch
the ID of a specific user. Provide the following:
- Query parameters
- username: Username to retrieve information about
curl https://KEYCLOAK_HOST/auth/admin/realms/KEYCLOAK_REALM/users?username=KEYCLOAK_USERNAME
Replace the following:
KEYCLOAK_HOST: the Keycloak host and port (host:port)KEYCLOAK_REALM: the Keycloak realmKEYCLOAK_USERNAME: the Keycloak username to retrieve
Configure InfluxDB Clustered to use Keycloak
Run the following command to retrieve a JSON object that contains the OpenID configuration of your Keycloak realm:
curl https://KEYCLOAK_HOST/realms/KEYCLOAK_REALM/.well-known/openid-configuration
The following are important fields in the JSON object that are necessary to connect your InfluxDB cluster and administrative tools to Keycloak:
- jwks_uri: Used in your InfluxDB cluster configuration file. See Configure your cluster–Configure your OAuth2 provider.
- device_authorization_endpoint: Used in your
influxctlconfiguration file (profile.auth.oauth2.device_url) - token_endpoint: Used in your
influxctlconfiguration file (profile.auth.oauth2.token_url)
Microsoft Entra ID
To use Microsoft Entra ID as your identity provider:
- Create a new tenant in Microsoft Entra ID
- Add users that need administrative access to your InfluxDB cluster
- Register a new application with device code flow enabled
- Configure InfluxDB Clustered to use Microsoft Entra ID
Create a new tenant in Microsoft Entra ID
See Create a new tenant in Microsoft Entra ID in the Microsoft Azure documentation. Copy and store your Microsoft Entra Tenant ID.
Add users that need administrative access to your InfluxDB cluster
See Add or delete users in the Microsoft Azure documentation.
Find user IDs with Microsoft Entra ID
For Microsoft Entra ID, the unique user ID is the Microsoft ObjectId (OID). To download a list of user OIDs:
- In the Microsoft Azure Portal, select Users in the left navigation.
- Select users you want OIDs for and click Download Users.
In the downloaded CSV file, user OIDs are provided in the id column.
Register a new application with device code flow enabled
- In the Microsoft Azure Portal, select App Registrations in the left navigation.
- Click New Registration and enter a name for a new application to handle authentication requests.
- Click Register Application. Copy and store your Application (Client) ID.
- In your registered application, click Authentication in the left navigation.
- Under Advanced Settings, set Allow public client flows to Yes. This enables the use of the device code flow for logging in to your InfluxDB cluster.
Configure InfluxDB Clustered to use Microsoft Entra ID
Use the following command to retrieve a JSON object that contains the OpenID configuration of your Microsoft Entra tenant:
curl https://login.microsoftonline.com/AZURE_TENANT_ID/v2.0/.well-known/openid-configuration
Replace AZURE_TENANT_ID
with your Microsoft Entra tenant ID.
The following are important fields in the JSON object that are necessary to connect your InfluxDB cluster and administrative tools to Keycloak:
- jwks_uri: Used in your InfluxDB cluster configuration file. See Configure your cluster–Configure your OAuth2 provider.
- device_authorization_endpoint: Used in your
influxctlconfiguration file (profile.auth.oauth2.device_url) - token_endpoint: Used in your
influxctlconfiguration file (profile.auth.oauth2.token_url)
Configure influxctl
The influxctl CLI is used to
perform administrative actions such as creating databases or database tokens.
All influxctl commands are first authorized using your identity provider.
Update your influxctl configuration file
to connect to your identity provider.
The following examples show how to configure influxctl for various identity providers:
[[profile]]
name = "default"
product = "clustered"
host = "cluster-host.com" # InfluxDB cluster host
port = "8086" # InfluxDB cluster port
[profile.auth.oauth2]
client_id = "KEYCLOAK_CLIENT_ID"
device_url = "https://KEYCLOAK_HOST/realms/KEYCLOAK_REALM/protocol/openid-connect/auth/device"
token_url = "https://KEYCLOAK_HOST/realms/KEYCLOAK_REALM/protocol/openid-connect/token"
[[profile]]
name = "default"
product = "clustered"
host = "cluster-host.com" # InfluxDB cluster host
port = "8086" # InfluxDB cluster port
[profile.auth.oauth2]
client_id = "AUTH0_CLIENT_ID"
client_secret = "AUTH0_CLIENT_SECRET"
device_url = "https://AUTH0_HOST/oauth/device/code"
token_url = "https://AUTH0_HOST/oauth/token"
[[profile]]
name = "default"
product = "clustered"
host = "cluster-host.com" # InfluxDB cluster host
port = "8086" # InfluxDB cluster port
[profile.auth.oauth2]
client_id = "AZURE_CLIENT_ID"
scopes = ["AZURE_CLIENT_ID/.default"]
device_url = "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/v2.0/devicecode"
token_url = "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/v2.0/token"
Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support.