Documentation

chronograf CLI

The chronograf command line interface (CLI) includes options to manage Chronograf security.

Usage

chronograf [flags]

Chronograf service flags

FlagDescriptionEnv. Variable
--hostIP the Chronograf service listens on. By default, 0.0.0.0$HOST
--portPort the Chronograf service listens on for insecure connections. By default, 8888$PORT
-b,--bolt-pathFile path to the BoltDB file. By default, ./chronograf-v1.db$BOLT_PATH
-c,--canned-pathFile path to the directory of canned dashboard files. By default, /usr/share/chronograf/canned$CANNED_PATH
--resources-pathPath to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, /usr/share/chronograf/resources$RESOURCES_PATH
-p, --basepathURL path prefix under which all Chronograf routes will be mounted.$BASE_PATH
--status-feed-urlURL of JSON feed to display as a news feed on the client status page. By default, https://www.influxdata.com/feed/json$STATUS_FEED_URL
-v, --versionDisplays the version of the Chronograf service
-h, --host-page-disabledDisables the hosts page$HOST_PAGE_DISABLED

InfluxDB connection flags

FlagDescriptionEnv. Variable
--influxdb-urlInfluxDB URL, including the protocol, IP address, and port$INFLUXDB_URL
--influxdb-usernameInfluxDB username$INFLUXDB_USERNAME
--influxdb-passwordInfluxDB password$INFLUXDB_PASSWORD
--influxdb-orgInfluxDB 2.x or InfluxDB Cloud organization name$INFLUXDB_ORG
--influxdb-tokenInfluxDB 2.x or InfluxDB Cloud authentication token$INFLUXDB_TOKEN

Kapacitor connection flags

FlagDescriptionEnv. Variable
--kapacitor-urlLocation of your Kapacitor instance, including http://, IP address, and port$KAPACITOR_URL
--kapacitor-usernameUsername for your Kapacitor instance$KAPACITOR_USERNAME
--kapacitor-passwordPassword for your Kapacitor instance$KAPACITOR_PASSWORD

TLS (Transport Layer Security) flags

FlagDescriptionEnv. Variable
--certFile path to PEM-encoded public key certificate$TLS_CERTIFICATE
--keyFile path to private key associated with given certificate$TLS_PRIVATE_KEY
--tls-ciphersComma-separated list of supported cipher suites. Use help to print available ciphers.$TLS_CIPHERS
--tls-min-versionMinimum version of the TLS protocol that will be negotiated. (default: 1.2)$TLS_MIN_VERSION
--tls-max-versionMaximum version of the TLS protocol that will be negotiated.$TLS_MAX_VERSION

Other service option flags

FlagDescriptionEnv. Variable
--custom-auto-refreshAdd custom auto-refresh options using semicolon separated list of label=milliseconds pairs`$CUSTOM-AUTO-REFRESH
--custom-linkAdd a custom link to Chronograf user menu options using <display_name>:<link_address> syntax. For multiple custom links, include multiple flags.
-d, --developRun the Chronograf service in developer mode
-h, --helpDisplay command line help for Chronograf
-l, --log-levelSet the logging level. Valid values include info (default), debug, and error$LOG_LEVEL
-r, --reporting-disabledDisable reporting of usage statistics. Usage statistics reported once every 24 hours include: OS, arch, version, cluster_id, and uptime.$REPORTING_DISABLED

Authentication option flags

General authentication flags

FlagDescriptionEnv. Variable
-t, --token-secretSecret for signing tokens$TOKEN_SECRET
--auth-durationTotal duration, in hours, of cookie life for authentication. Default value is 720h.$AUTH_DURATION
--public-urlPublic URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be http://localhost:8888. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers.$PUBLIC_URL
—-htpasswdPath to password file for use with HTTP basic authentication. See NGINX documentation for more on password files.$HTPASSWD

GitHub-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--github-urlGithub base URL. Default is https://github.com. Required if using Github Enterprise$GH_URL
-i, --github-client-idGitHub client ID value for OAuth 2.0 support$GH_CLIENT_ID
-s, --github-client-secretGitHub client secret value for OAuth 2.0 support$GH_CLIENT_SECRET
-o, --github-organizationRestricts authorization to users from specified Github organizations. To add more than one organization, add multiple flags. Optional.$GH_ORGS

Google-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--google-client-idGoogle client ID value for OAuth 2.0 support$GOOGLE_CLIENT_ID
--google-client-secretGoogle client secret value for OAuth 2.0 support$GOOGLE_CLIENT_SECRET
--google-domainsRestricts authorization to users from specified Google email domain. To add more than one domain, add multiple flags. Optional.$GOOGLE_DOMAINS

Auth0-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--auth0-domainSubdomain of your Auth0 client. Available on the configuration page for your Auth0 client.$AUTH0_DOMAIN
--auth0-client-idAuth0 client ID value for OAuth 2.0 support$AUTH0_CLIENT_ID
--auth0-client-secretAuth0 client secret value for OAuth 2.0 support$AUTH0_CLIENT_SECRET
--auth0-organizationsRestricts authorization to users specified Auth0 organization. To add more than one organization, add multiple flags. Optional. Organizations are set using an organization key in the user’s app_metadata.$AUTH0_ORGS

Heroku-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--heroku-client-idHeroku client ID value for OAuth 2.0 support$HEROKU_CLIENT_ID
--heroku-secretHeroku secret for OAuth 2.0 support$HEROKU_SECRET
--heroku-organizationRestricts authorization to users from specified Heroku organization. To add more than one organization, add multiple flags. Optional.$HEROKU_ORGS

Generic OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--generic-nameGeneric OAuth 2.0 name presented on the login page$GENERIC_NAME
--generic-client-idGeneric OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service.$GENERIC_CLIENT_ID
--generic-client-secretGeneric OAuth 2.0 client secret value$GENERIC_CLIENT_SECRET
--generic-scopesScopes requested by provider of web client$GENERIC_SCOPES
--generic-domainsEmail domain required for user email addresses$GENERIC_DOMAINS
--generic-auth-urlAuthorization endpoint URL for the OAuth 2.0 provider$GENERIC_AUTH_URL
--generic-token-urlToken endpoint URL for the OAuth 2.0 provider$GENERIC_TOKEN_URL
--generic-api-urlURL that returns OpenID UserInfo-compatible information$GENERIC_API_URL
--oauth-no-pkceDisable OAuth PKCE$OAUTH_NO_PKCE

etcd flags

FlagDescriptionEnv. Variable
-e, --etcd-endpointsetcd endpoint URL (include multiple flags for multiple endpoints)$ETCD_ENDPOINTS
--etcd-usernameetcd username$ETCD_USERNAME
--etcd-passwordetcd password$ETCD_PASSWORD
--etcd-dial-timeoutTotal time to wait before timing out while connecting to etcd endpoints (0 means no timeout, default: -1s)$ETCD_DIAL_TIMEOUT
--etcd-request-timeoutTotal time to wait before timing out the etcd view or update (0 means no timeout, default: -1s)$ETCD_REQUEST_TIMEOUT
--etcd-certPath to PEM encoded TLS public key certificate for use with TLS$ETCD_CERTIFICATE
--etcd-keyPath to private key associated with given certificate for use with TLS$ETCD_PRIVATE_KEY
--etcd-root-caPath to root CA certificate for TLS verification`$ETCD-ROOT-CA

Upgrade to InfluxDB Cloud or InfluxDB 2.0!

InfluxDB Cloud and InfluxDB OSS 2.0 ready for production.