Documentation

chronograf CLI

The chronograf command line interface (CLI) includes options to manage Chronograf security.

Usage

chronograf [flags]

Chronograf service flags

FlagDescriptionEnv. Variable
--hostIP the Chronograf service listens on. By default, 0.0.0.0$HOST
--portPort the Chronograf service listens on for insecure connections. By default, 8888$PORT
-b,--bolt-pathFile path to the BoltDB file. By default, ./chronograf-v1.db$BOLT_PATH
-c,--canned-pathFile path to the directory of canned dashboard files. By default, /usr/share/chronograf/canned$CANNED_PATH
--resources-pathPath to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, /usr/share/chronograf/resources$RESOURCES_PATH
-b, --basepathURL path prefix under which all Chronograf routes will be mounted.$BASE_PATH
--status-feed-urlURL of JSON feed to display as a news feed on the client status page. By default, https://www.influxdata.com/feed/json$STATUS_FEED_URL
-v, --versionDisplays the version of the Chronograf service
-h, --host-page-disabledDisables the hosts page$HOST_PAGE_DISABLED

InfluxDB connection flags

FlagDescriptionEnv. Variable
--influxdb-urlLocation of your InfluxDB instance, including http://, IP address, and port$INFLUXDB_URL
--influxdb-usernameUsername for your InfluxDB instance$INFLUXDB_USERNAME
--influxdb-passwordPassword for your InfluxDB instance$INFLUXDB_PASSWORD

Kapacitor connection flags

FlagDescriptionEnv. Variable
--kapacitor-urlLocation of your Kapacitor instance, including http://, IP address, and port$KAPACITOR_URL
--kapacitor-usernameUsername for your Kapacitor instance$KAPACITOR_USERNAME
--kapacitor-passwordPassword for your Kapacitor instance$KAPACITOR_PASSWORD

TLS (Transport Layer Security) flags

FlagDescriptionEnv. Variable
--certFile path to PEM-encoded public key certificate$TLS_CERTIFICATE
--keyFile path to private key associated with given certificate$TLS_PRIVATE_KEY

Other service option flags

FlagDescriptionEnv. Variable
--custom-link :Custom link added to Chronograf user menu options. Useful for providing links to internal company resources for your Chronograf users. Can be used when any OAuth 2.0 authentication is enabled. To add another custom link, repeat the custom link option.
-r, --reporting-disabledDisables reporting of usage statistics. Usage statistics reported once every 24 hours include: OS, arch, version, cluster_id, and uptime.$REPORTING_DISABLED
-l, --log-levelSets the logging level. Valid values include info (default), debug, and error.$LOG_LEVEL
-d, --developRuns the Chronograf service in developer mode
-h, --helpDisplays command line help for Chronograf

Authentication option flags

General authentication flags

FlagDescriptionEnv. Variable
-t, --token-secretSecret for signing tokens$TOKEN_SECRET
--auth-durationTotal duration, in hours, of cookie life for authentication. Default value is 720h.$AUTH_DURATION
--public-urlPublic URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be http://localhost:8888. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers.$PUBLIC_URL

GitHub-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
-i, --github-client-idGitHub client ID value for OAuth 2.0 support$GH_CLIENT_ID
-s, --github-client-secretGitHub client secret value for OAuth 2.0 support$GH_CLIENT_SECRET
-o, --github-organizationSpecify a GitHub organization membership required for a user. Optional.$GH_ORGS

Google-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--google-client-idGoogle client ID value for OAuth 2.0 support$GOOGLE_CLIENT_ID
--google-client-secretGoogle client secret value for OAuth 2.0 support$GOOGLE_CLIENT_SECRET
--google-domainsRestricts authorization to users from specified Google email domains. Optional.$GOOGLE_DOMAINS

Auth0-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--auth0-domainSubdomain of your Auth0 client. Available on the configuration page for your Auth0 client.$AUTH0_DOMAIN
--auth0-client-idAuth0 client ID value for OAuth 2.0 support$AUTH0_CLIENT_ID
--auth0-client-secretAuth0 client secret value for OAuth 2.0 support$AUTH0_CLIENT_SECRET
--auth0-organizationsAuth0 organization membership required to access Chronograf. Organizations are set using an organization key in the user’s app_metadata. Lists are comma-separated and are only available when using environment variables.$AUTH0_ORGS

Heroku-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--heroku-client-idHeroku client ID value for OAuth 2.0 support$HEROKU_CLIENT_ID
--heroku-secretHeroku secret for OAuth 2.0 support$HEROKU_SECRET
--heroku-organizationHeroku organization membership required to access Chronograf. Lists are comma-separated.$HEROKU_ORGS

Generic OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--generic-nameGeneric OAuth 2.0 name presented on the login page$GENERIC_NAME
--generic-client-idGeneric OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service.$GENERIC_CLIENT_ID
--generic-client-secretGeneric OAuth 2.0 client secret value$GENERIC_CLIENT_SECRET
--generic-scopesScopes requested by provider of web client$GENERIC_SCOPES
--generic-domainsEmail domain required for user email addresses$GENERIC_DOMAINS
--generic-auth-urlAuthorization endpoint URL for the OAuth 2.0 provider$GENERIC_AUTH_URL
--generic-token-urlToken endpoint URL for the OAuth 2.0 provider$GENERIC_TOKEN_URL
--generic-api-urlURL that returns OpenID UserInfo-compatible information$GENERIC_API_URL

New! Cloud or OSS?