Set up administrative authentication

Limited availability

InfluxDB Clustered is currently only available to a limited group of InfluxData customers. If interested in being part of the limited access group, please contact the InfluxData Sales team.

Administrative access to your InfluxDB cluster is managed through your identity provider. Use your identity provider to create OAuth2 accounts for all users who need administrative access to your InfluxDB cluster. Administrative access lets users perform actions like creating databases and tokens.

Identity providers can be deployed with your InfluxDB cluster or run externally. If you choose to deploy your provider with your InfluxDB cluster, the process outlined below should be done after your initial InfluxDB cluster deployment.

InfluxDB Clustered requires that your OAuth2 identity provider supports Device Authorization Flow. InfluxData has tested with the following identity providers:

Keycloak

To use Keycloak as your identity provider:

  1. Create a Keycloak realm
  2. Create a Keycloak client with device flow enabled
  3. Create users that need administrative access to your InfluxDB cluster
  4. Configure InfluxDB Clustered to use Keycloak

Create a Keycloak realm

See Creating a realm in the Keycloak documentation.

Create a Keycloak client with device flow enabled

  1. In the Keycloak Admin Console, navigate to Clients and then click Create Client.

  2. In the General Settings configuration step:

    1. Set the Client type to OpenID Connect.
    2. Enter a Client ID. Save your client ID to be used later.
    3. Optional: Enter a Name and Description for the client.
    4. Click Next.
  3. In the Capability configuration step, enable the OAuth 2.0 Device Authorization Grant authentication flow, and then click Next.

  4. In the Login settings step, you don’t need to change anything. Click Save.

Create users

See Creating users in the Keycloak documentation.

Find user IDs with Keycloak

To find the user IDs with Keycloak, use the Keycloak Admin Console or the Keycloak REST API.

Keycloak Admin Console

  1. In the Keycloak Admin Console, navigate to your realm.
  2. Select Users in the left navigation.
  3. Select the user you want to find the ID for.
  4. Select the Details tab. The user ID is listed here.

Keycloak REST API

With the Keycloak REST API, send a GET request to the /users endpoint to fetch the ID of a specific user. Provide the following:

  • Query parameters
    • username: Username to retrieve information about

curl "https://KEYCLOAK_HOST/auth/admin/realms/KEYCLOAK_REALM/users?username=KEYCLOAK_USERNAME"

Replace the following:

  • KEYCLOAK_HOST: Keycloak host and port (host:port)
  • KEYCLOAK_REALM: Keycloak realm
  • KEYCLOAK_USERNAME: Keycloak username to retrieve

Configure InfluxDB Clustered to use Keycloak

Use the following command to return a JSON object with the OpenID configuration of your Keycloak realm:

curl https://KEYCLOAK_HOST/realms/KEYCLOAK_REALM/.well-known/openid-configuration

The following are important fields in the JSON object that are necessary to connect your InfluxDB cluster and administrative tools to Keycloak:

Auth0

Auth0 instructions are coming soon.

Microsoft Entra ID

To use Microsoft Entra ID as your identity provider:

  1. Create a new tenant in Microsoft Entra ID
  2. Add users that need administrative access to your InfluxDB cluster
  3. Register a new application with device code flow enabled
  4. Configure InfluxDB Clustered to use Microsoft Entra ID

Create a new tenant in Microsoft Entra ID

See Create a new tenant in Microsoft Entra ID in the Microsoft Azure documentation. Copy and store your Microsoft Entra Tenant ID.

Add users that need administrative access to your InfluxDB cluster

See Add or delete users in the Microsoft Azure documentation.

Find user IDs with Microsoft Entra ID

For Microsoft Entra ID, the unique user ID is the Microsoft ObjectId (OID). To download a list of user OIDs:

  1. In the Microsoft Azure Portal, select Users in the left navigation.
  2. Select the users you want OIDs for.
  3. Click Download Users.
  4. Open the downloaded CSV file. User OIDs are in the id column.

Register a new application with device code flow enabled

  1. In the Microsoft Azure Portal, select App Registrations in the left navigation.
  2. Click New Registration and enter a name for a new application to handle authentication requests.
  3. Click Register Application. Copy and store your Application (Client) ID.
  4. In your registered application, click Authentication in the left navigation.
  5. Under Advanced Settings, set Allow public client flows to Yes. This enables the use of the device code flow for logging in to your InfluxDB cluster.

Configure InfluxDB Clustered to use Microsoft Entra ID

Use the following command to return a JSON object with the OpenID configuration of your Microsoft Entra tenant:

curl https://login.microsoftonline.com/AZURE_TENANT_ID/v2.0/.well-known/openid-configuration

Replace AZURE_TENANT_ID with your Microsoft Entra tenant ID.

The following are important fields in the JSON object that are necessary to connect your InfluxDB cluster and administrative tools to Microsoft Entra ID:

Configure influxctl

The influxctl CLI is used to perform administrative actions such as creating databases or database tokens. All influxctl commands are first authorized using your identity provider. Update your influxctl configuration file to connect to your identity provider. Below are example configurations:

Keycloak

[[profile]]
    name = "default"
    product = "clustered"
    host = "cluster-host.com" # InfluxDB cluster host
    port = "8086" # InfluxDB cluster port

    [profile.auth.oauth2]
        client_id = "KEYCLOAK_CLIENT_ID"
        device_url = "https://KEYCLOAK_HOST/realms/KEYCLOAK_REALM/protocol/openid-connect/auth/device"
        token_url = "https://KEYCLOAK_HOST/realms/KEYCLOAK_REALM/protocol/openid-connect/token"

Auth0

[[profile]]
    name = "default"
    product = "clustered"
    host = "cluster-host.com" # InfluxDB cluster host
    port = "8086" # InfluxDB cluster port

    [profile.auth.oauth2]
        client_id = "AUTH0_CLIENT_ID"
        client_secret = "AUTH0_CLIENT_SECRET"
        device_url = "https://AUTH0_HOST/oauth/device/code"
        token_url = "https://AUTH0_HOST/oauth/token"

Microsoft Entra ID

[[profile]]
    name = "default"
    product = "clustered"
    host = "cluster-host.com" # InfluxDB cluster host
    port = "8086" # InfluxDB cluster port

    [profile.auth.oauth2]
        client_id = "AZURE_CLIENT_ID"
        scopes = ["AZURE_CLIENT_ID/.default"]
        device_url = "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/v2.0/devicecode"
        token_url = "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/v2.0/token"
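
The device_url and token_url values above match the device_authorization_endpoint and token_endpoint fields that providers publish in their OpenID configuration (field names from RFC 8414 and RFC 8628). The following added example, which is not InfluxData code, checks a discovery document before its endpoints are copied into an influxctl profile. The sample document, the idp.example.com host, and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed sample discovery document; idp.example.com and the realm are placeholders.
BASE = "https://idp.example.com/realms/influxdb"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE,
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "device_authorization_endpoint": BASE + "/protocol/openid-connect/auth/device",
    "grant_types_supported": ["authorization_code", "refresh_token", DEVICE_GRANT],
})


def oauth2_settings(discovery_json, expected_host):
    """Map a discovery document to influxctl's device_url and token_url.

    Raises ValueError if device flow is not advertised or an endpoint is
    not HTTPS on the host the administrator expects.
    """
    doc = json.loads(discovery_json)
    grants = doc.get("grant_types_supported")
    # Some providers omit this list; only reject when it is present without the grant.
    if grants is not None and DEVICE_GRANT not in grants:
        raise ValueError("device authorization grant is not advertised")
    settings = {}
    for key, field in (("device_url", "device_authorization_endpoint"),
                       ("token_url", "token_endpoint")):
        url = doc.get(field)
        if not url:
            raise ValueError(f"discovery document has no {field}")
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != expected_host:
            raise ValueError(f"{field} is not https://{expected_host}/...: {url}")
        settings[key] = url
    return settings


def render_oauth2_table(client_id, settings):
    """Render the [profile.auth.oauth2] table; JSON string quoting is valid TOML here."""
    lines = ["[profile.auth.oauth2]", f"client_id = {json.dumps(client_id)}"]
    lines += [f"{k} = {json.dumps(settings[k])}" for k in ("device_url", "token_url")]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_oauth2_table("CLIENT_ID", oauth2_settings(SAMPLE_DISCOVERY, "idp.example.com")))
```

Pass the body returned by the openid-configuration request as discovery_json, and the identity provider hostname you expect as expected_host.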
