Manage authorization with the InfluxDB Enterprise Meta API
Important
Authentication must be enabled before authorization can be managed.
If authentication is not enabled, permissions will not be enforced.
See “Enable authentication”.
Use the InfluxDB Enterprise Meta API to manage authorization for a cluster.
The API can be used to manage both cluster-wide and database-specific permissions. Chronograf can only manage cluster-wide permissions. To manage permissions at the database level, use the API.
For more information, see Enterprise users and permissions.
Example API requests
Many of the examples below use the jq utility to format JSON output for readability.
Install jq to process JSON output.
If you don’t have access to jq, remove the | jq shown in the example.
Users:
- List users
- Create a user against a follower node
- Create a user against the lead node
- Retrieve a user details document
- Grant permissions to a user for all databases
- Grant permissions to a user for a specific database
- Verify user permissions
- Remove permissions from a user
- Remove a user
- Verify user removal
- Change a user’s password
Roles:
- List roles
- Create a role
- Verify roles
- Retrieve a role document
- Add permissions to a role for all databases
- Add permissions to a role for a specific database
- Verify role permissions
- Add a user to a role
- Verify user in role
- Remove a user from a role
- Remove a permission from a role
- Delete a role
- Verify role deletion
Users
Use the /user endpoint of the InfluxDB Enterprise Meta API to manage users.
List users
View a list of existing users.
curl --location-trusted -u "admin:changeit" -s https://cluster_node_1:8091/user | jq{
"users": [
{
"hash": "$2a$10$NelNfrWdxubN0/TnP7DwquKB9/UmJnyZ7gy0i69MPldK73m.2WfCu",
"name": "admin",
"permissions": {
"": [
"ViewAdmin",
"ViewChronograf",
"CreateDatabase",
"CreateUserAndRole",
"AddRemoveNode",
"DropDatabase",
"DropData",
"ReadData",
"WriteData",
"Rebalance",
"ManageShard",
"ManageContinuousQuery",
"ManageQuery",
"ManageSubscription",
"Monitor",
"CopyShard",
"KapacitorAPI",
"KapacitorConfigAPI"
]
}
}
]
}Create a user against a follower node
Transactions that modify the user store must be sent to the lead meta node using POST.
If the node returns a 307 redirect message,
try resending the request to the lead node as indicated by the Location field in the HTTP response header.
curl --location-trusted -u "admin:changeit" -s -v \
-d '{"action":"create","user":{"name":"phantom2","password":"changeit"}}' \
https://cluster_node_2:8091/userCreate a user against the lead node
curl --location-trusted -u "admin:changeit" -s -v \
-d '{"action":"create","user":{"name":"phantom","password":"changeit"}}' \
https://cluster_node_1:8091/userRetrieve a user details document
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/user?name=phantom | jq{
"users": [
{
"hash": "$2a$10$hR.Ih6DpIHUaynA.uqFhpOiNUgrADlwg3rquueHDuw58AEd7zk5hC",
"name": "phantom"
}
]
}Grant permissions to a user for all databases
To grant a list of permissions for all databases in a cluster,
use the "" key in the permissions object, as shown in the example below.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","user":{"name":"phantom","permissions":{"":["ReadData", "WriteData"]}}}' \
https://cluster_node_1:8091/userGrant permissions to a user for a specific database
Grant ReadData and WriteData permissions to the user named phantom for MyDatabase.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","user":{"name":"phantom","permissions":{"MyDatabase":["ReadData","WriteData"]}}}' \
https://cluster_node_1:8091/userVerify user permissions
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/user?name=phantom | jq{
"users": [
{
"hash": "$2a$10$hR.Ih6DpIHUaynA.uqFhpOiNUgrADlwg3rquueHDuw58AEd7zk5hC",
"name": "phantom",
"permissions": {
"MyDatabase": [
"ReadData",
"WriteData"
]
}
}
]
}Remove permissions from a user
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"remove-permissions","user":{"name":"phantom","permissions":{"":["KapacitorConfigAPI"]}}}' \
https://cluster_node_1:8091/userRemove a user
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"delete","user":{"name":"phantom2"}}' \
https://cluster_node_1:8091/userVerify user removal
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/user?name=phantom{
"error": "user not found"
}Change a user’s password
curl --location-trusted -u "admin:changeit" -H "Content-Type: application/json" \
-d '{"action": "change-password", "user": {"name": "<username>", "password": "newpassword"}}' \
localhost:8091/userRoles
The Influxd-Meta API provides an endpoint /role for managing roles.
List roles
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role | jq{}In a fresh installation no roles will have been created yet. As when creating a user the lead node must be used.
Create a role
curl --location-trusted --negotiate -u "admin:changeit" -v \
-d '{"action":"create","role":{"name":"spectre"}}' \
https://cluster_node_1:8091/roleVerify roles
Verify the role has been created.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role | jq{
"roles": [
{
"name": "djinn",
},
{
"name": "spectre"
},
]
}Retrieve a role document
Retrieve a record for a single node.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq{
"roles": [
{
"name": "spectre"
}
]
}Add permissions to a role for all databases
To grant a list of permissions to a role for all databases in a cluster,
use the "" key in the permissions object, as shown in the example below.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","role":{"name":"spectre","permissions":{"":["ReadData","WriteData"]}}}' \
https://cluster_node_1:8091/roleAdd permissions to a role for a specific database
Grant ReadData and WriteData permissions to the role named spectre for MyDatabase.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","role":{"name":"spectre","permissions":{"MyDatabase":["ReadData","WriteData"]}}}' \
https://cluster_node_1:8091/roleVerify role permissions
Verify permissions have been added.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq{
"roles": [
{
"name": "spectre",
"permissions": {
"MyDatabase": [
"ReadData",
"WriteData"
]
}
}
]
}Add a user to a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-users","role":{"name":"spectre","users":["phantom"]}}' \
https://cluster_node_1:8091/roleVerify user in role
Verify user has been added to role.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq{
"roles": [
{
"name": "spectre",
"permissions": {
"": [
"KapacitorAPI",
"KapacitorConfigAPI"
]
},
"users": [
"phantom"
]
}
]
}Remove a user from a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"remove-users","role":{"name":"spectre","users":["phantom"]}}' \
https://admin:changeit@cluster_node_1:8091/roleRemove a permission from a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"remove-permissions","role":{"name":"spectre","permissions":{"":["KapacitorConfigAPI"]}}}' \
https://cluster_node_1:8091/roleDelete a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"delete","role":{"name":"spectre"}}' \
https://cluster_node_1:8091/roleVerify role deletion
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq{
"error": "role not found"
}Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB Enterprise and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support.