InfluxDB 3 Enterprise authentication and authorization
InfluxDB 3 Enterprise uses an Attribute-Based Access Control (ABAC) model to manage permissions and supports multiple token types for different authentication scenarios.
This model allows for fine-grained control over access to resources and actions within an InfluxDB 3 Enterprise instance.
The ABAC model includes the following components:
Authentication (authn): The process through which a user verifies their identity. In InfluxDB 3 Enterprise, this occurs when a token is validated. Users may be human or machine (for example, through automation). InfluxDB 3 Enterprise tokens represent previously verified authenticated users that facilitate automation.
Authorization (authz): The process that determines if an authenticated user can perform a requested action. In InfluxDB 3 Enterprise, authorization evaluates whether a token has permissions to perform actions on specific resources.
Context: The system may use contextual information, such as location or time, when evaluating permissions.
Subject: The identity requesting access to the system. In InfluxDB 3 Enterprise, the subject is a token (similar to an “API key” in other systems). Tokens include attributes such as identifier, name, description, and expiration date.
Action: The operations (for example, CRUD) that subjects may perform on resources.
Permissions: The set of actions that a specific subject can perform on a specific resource. Authorization compares the incoming request against the permissions set to decide if the request is allowed or not.
In InfluxDB 3 Enterprise, admin tokens have all permissions, while resource tokens have specific permissions. Resource tokens have fine-grained permissions for specific resources of a specific type. For example, a database token can have permissions to read from a specific database but not write to it.
Resource: The objects that can be accessed or manipulated. Resources have attributes such as identifier and name. In InfluxDB 3 Enterprise, resources include databases and system information endpoints.
- Database tokens provide access to specific databases for actions like writing and querying data.
- System tokens provide access to system-level resources, such as API endpoints for server runtime statistics and health. Access controls for system information API endpoints help prevent information leaks and attacks (such as DoS).
Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB 3 Enterprise and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support.