Documentation

Manage InfluxDB users in Chronograf

The Chronograf Admin provides InfluxDB user management for InfluxDB OSS and InfluxDB Enterprise users.

Note: For details on Chronograf user authentication and management, see Managing security.

Disabled administrative features

If connected to InfluxDB OSS v2.x or InfluxDB Cloud, all InfluxDB administrative features are disabled in Chronograf. Use the InfluxDB OSS v2.x or InfluxDB Cloud user interfaces, CLIs, or APIs to complete administrative tasks.

On this page:

Enable authentication

Follow the steps below to enable authentication. The steps are the same for InfluxDB OSS instances and InfluxDB Enterprise clusters.

InfluxDB Enterprise clusters: Repeat the first three steps for each data node in a cluster.

Step 1: Enable authentication.

Enable authentication in the InfluxDB configuration file. For most Linux installations, the configuration file is located in /etc/influxdb/influxdb.conf.

In the [http] section of the InfluxDB configuration file (influxdb.conf), uncomment the auth-enabled option and set it to true, as shown here:

[http]
  # Determines whether HTTP endpoint is enabled.
  # enabled = true

  # The bind address used by the HTTP service.
  # bind-address = ":8086"

  # Determines whether HTTP authentication is enabled.
  auth-enabled = true #

Step 2: Restart the InfluxDB service.

Restart the InfluxDB service for your configuration changes to take effect:

~# sudo systemctl restart influxdb

Step 3: Create an admin user.

Because authentication is enabled, you need to create an admin user before you can do anything else in the database. Run the curl command below to create an admin user, replacing:

  • localhost with the IP or hostname of your InfluxDB OSS instance or one of your InfluxDB Enterprise data nodes
  • chronothan with your own username
  • supersecret with your own password (note that the password requires single quotes)
~# curl -XPOST "http://localhost:8086/query" --data-urlencode "q=CREATE USER chronothan WITH PASSWORD 'supersecret' WITH ALL PRIVILEGES"

A successful CREATE USER query returns a blank result:

{"results":[{"statement_id":0}]}   <--- Success!

Step 4: Edit the InfluxDB source in Chronograf.

If you’ve already connected your database to Chronograf, update the connection configuration in Chronograf with your new username and password. Edit existing InfluxDB database sources by navigating to the Chronograf configuration page and clicking on the name of the source.

InfluxDB OSS User Management

On the Chronograf Admin page:

  • View, create, and delete admin and non-admin users
  • Change user passwords
  • Assign admin and remove admin permissions to or from a user

InfluxDB OSS user management

InfluxDB users are either admin users or non-admin users. See InfluxDB’s authentication and authorization documentation for more information about those user types.

Chronograf currently does not support assigning InfluxDB database READor WRITE access to non-admin users.

As a workaround, grant READ, WRITE, or ALL (READ and WRITE) permissions to non-admin users with the following curl commands, replacing anything inside < > with your own values:

Grant READ permission:

curl --request POST "http://<InfluxDB-IP>:8086/query?u=<username>&p=<password>" \
  --data-urlencode "q=GRANT READ ON <database-name> TO <non-admin-username>"

Grant WRITE permission:

curl --request POST "http://<InfluxDB-IP>:8086/query?u=<username>&p=<password>" \
  --data-urlencode "q=GRANT WRITE ON <database-name> TO <non-admin-username>"

Grant ALL permission:

curl --request POST "http://<InfluxDB-IP>:8086/query?u=<username>&p=<password>" \
  --data-urlencode "q=GRANT ALL ON <database-name> TO <non-admin-username>"

In all cases, a successful GRANT query returns a blank result:

{"results":[{"statement_id":0}]}  # <--- Success!

Remove READ, WRITE, or ALL permissions from non-admin users by replacing GRANT with REVOKE in the curl commands above.

InfluxDB Enterprise user management using the UI

To create, manage, and delete users, click Admin in the left navigation bar.

To create a user do the following:

  1. Select the Users tab.
  2. Click + Create User.
  3. Add a user name.
  4. Add a password.
  5. Click Create.
  6. Assign a role to the user in the Roles section. To create a role see Roles.
  7. Click Apply Changes.

To make changes to a user simply click on the username, make any changes and click Apply Changes. To delete a user click Delete User.

User types

Admin users have the following permissions by default:

Non-admin users have no permissions by default. Assign permissions and roles to both admin and non-admin users.

Permissions

AddRemoveNode

Permission to add or remove nodes from a cluster.

Relevant influxd-ctl arguments: add-data, add-meta, join, remove-data, remove-meta, and leave

Pages in Chronograf that require this permission: NA

CopyShard

Permission to copy shards.

Relevant influxd-ctl arguments: copy-shard

Pages in Chronograf that require this permission: NA

CreateDatabase

Permission to create databases, create retention policies, alter retention policies, and view retention policies.

Relevant InfluxQL queries: CREATE DATABASE, CREATE RETENTION POLICY, ALTER RETENTION POLICY, and SHOW RETENTION POLICIES

Pages in Chronograf that require this permission: Dashboards, Data Explorer, and Databases on the Admin page

CreateUserAndRole

Permission to manage users and roles; create users, drop users, grant admin status to users, grant permissions to users, revoke admin status from users, revoke permissions from users, change user passwords, view user permissions, and view users and their admin status.

Relevant InfluxQL queries: CREATE USER, DROP USER, GRANT ALL PRIVILEGES, GRANT [READ,WRITE,ALL], REVOKE ALL PRIVILEGES, REVOKE [READ,WRITE,ALL], SET PASSWORD, SHOW GRANTS, and SHOW USERS

Pages in Chronograf that require this permission: Data Explorer, Dashboards, Users and Roles on the Admin page

DropData

Permission to drop data, in particular series and measurements.

Relevant InfluxQL queries: DROP SERIES, DELETE, and DROP MEASUREMENT

Pages in Chronograf that require this permission: NA

DropDatabase

Permission to drop databases and retention policies.

Relevant InfluxQL queries: DROP DATABASE and DROP RETENTION POLICY

Pages in Chronograf that require this permission: Data Explorer, Dashboards, Databases on the Admin page

KapacitorAPI

Permission to access the API for InfluxKapacitor Enterprise. This does not include configuration-related API calls.

Pages in Chronograf that require this permission: NA

KapacitorConfigAPI

Permission to access the configuration-related API calls for InfluxKapacitor Enterprise.

Pages in Chronograf that require this permission: NA

ManageContinuousQuery

Permission to create, drop, and view continuous queries.

Relevant InfluxQL queries: CreateContinuousQueryStatement, DropContinuousQueryStatement, and ShowContinuousQueriesStatement

Pages in Chronograf that require this permission: Data Explorer, Dashboards

ManageQuery

Permission to view and kill queries.

Relevant InfluxQL queries: SHOW QUERIES and KILL QUERY

Pages in Chronograf that require this permission: Queries on the Admin page

ManageShard

Permission to copy, delete, and view shards.

Relevant InfluxQL queries: DropShardStatement, ShowShardGroupsStatement, and ShowShardsStatement

Pages in Chronograf that require this permission: NA

ManageSubscription

Permission to create, drop, and view subscriptions.

Relevant InfluxQL queries: CREATE SUBSCRIPTION, DROP SUBSCRIPTION, and SHOW SUBSCRIPTIONS

Pages in Chronograf that require this permission: Alerting

Monitor

Permission to view cluster statistics and diagnostics.

Relevant InfluxQL queries: SHOW DIAGNOSTICS and SHOW STATS

Pages in Chronograf that require this permission: Data Explorer, Dashboards

ReadData

Permission to read data.

Relevant InfluxQL queries: SHOW FIELD KEYS, SHOW MEASUREMENTS, SHOW SERIES, SHOW TAG KEYS, SHOW TAG VALUES, and SHOW RETENTION POLICIES

Pages in Chronograf that require this permission: Admin, Alerting, Dashboards, Data Explorer, Host List

WriteData

Permission to write data.

Relevant InfluxQL queries: NA

Pages in Chronograf that require this permission: NA

Roles

Roles are groups of permissions. Assign roles to one or more users.

To create a role, do the following:

  1. Click Admin in the left navigation bar. You will be taken to the InfluxDB Admin page.
  2. Select the Roles tab.
  3. Click + Create Role.
  4. Give the role a name.
  5. Click Create.
  6. Assign users to the role in the Users section
  7. Add permissions to the role in the Permissions section. You will see a list of databases and all permissions for that database. Select the permissions you want for the role.
  8. Click Apply Changes.

The role with all permissions will appear in the list.


Was this page helpful?

Thank you for your feedback!


The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Read more

InfluxDB v3 enhancements and InfluxDB Clustered is now generally available

New capabilities, including faster query performance and management tooling advance the InfluxDB v3 product line. InfluxDB Clustered is now generally available.

InfluxDB v3 performance and features

The InfluxDB v3 product line has seen significant enhancements in query performance and has made new management tooling available. These enhancements include an operational dashboard to monitor the health of your InfluxDB cluster, single sign-on (SSO) support in InfluxDB Cloud Dedicated, and new management APIs for tokens and databases.

Learn about the new v3 enhancements


InfluxDB Clustered general availability

InfluxDB Clustered is now generally available and gives you the power of InfluxDB v3 in your self-managed stack.

Talk to us about InfluxDB Clustered