Set up authentication and authorization

Enable and require user-based authentication when using the Kapacitor HTTP API. Kapacitor can either store user roles and permissions locally or use InfluxDB Enterprise authorizations to authenticate requests.

If you are already using the InfluxDB Enterprise user authorization and authentication service to manage users, we recommend using the same for Kapacitor.


Kapacitor authentication configuration options

The following authentication-related configuration options are available in the kapacitor.conf and can also be set with environment variables:

* Required only when using InfluxDB Enterprise authentication
  • [http]
    • auth-enabled: Enable and enforce basic authentication on the Kapacitor HTTP API.
  • [auth]
    • enabled: Enable the Kapacitor authentication service.
    • cache-expiration: How long a consumer service can hold a credential document in its cache.
    • bcrypt-cost: The cost used when hashing the password with the bcrypt algorithm; the number of rounds is 2^cost. Higher values generate hashes more resilient to brute-force cracking attempts, but lead to marginally longer resolution times.
    • * meta-addr: The address of the InfluxDB Enterprise meta node to connect to for accessing the user and permission store.
    • * meta-use-tls: Use TLS when communicating with the InfluxDB Enterprise meta node.
    • * meta-ca: Path to the certificate authority file for the InfluxDB Enterprise meta node.
    • * meta-cert: Path to the PEM encoded certificate file.
    • * meta-key: Path to the PEM encoded certificate private key.
    • * meta-insecure-skip-verify: Skip chain and host verification when connecting via TLS. Set to true when using a self-signed TLS certificate.

Example authentication settings in the kapacitor.conf

[http]
  # ...
  auth-enabled = true
  # ...

[auth]
  # Enable authentication for Kapacitor.
  enabled = false
  # User permissions cache expiration time.
  cache-expiration = "10m"
  # Cost to compute bcrypt password hashes.
  # bcrypt rounds = 2^cost
  bcrypt-cost = 10
  # Address of an InfluxDB Enterprise meta server.
  # If empty, InfluxDB Enterprise meta nodes are not used as a user store.
  # host:port
  meta-addr = "172.17.0.2:8091"
  meta-use-tls = false
  # Absolute path to PEM encoded Certificate Authority (CA) file.
  # A CA can be provided without a key/certificate pair.
  meta-ca = "/etc/kapacitor/ca.pem"
  # Absolute paths to PEM encoded private key and server certificate files.
  meta-cert = "/etc/kapacitor/cert.pem"
  meta-key = "/etc/kapacitor/key.pem"
  meta-insecure-skip-verify = false
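
The options above can be checked mechanically before a configuration is deployed. The following is an added example, not InfluxData's code: it parses a kapacitor.conf as TOML and reports settings that leave the HTTP API or the meta node connection unprotected. The function name, both sample configurations, the bcrypt floor of 10 and treating a missing key as unset are assumptions of this example.

```python
# Added example: audit the [http] and [auth] sections of a kapacitor.conf.
try:
    import tomllib                    # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib           # same API on older interpreters

MIN_BCRYPT_COST = 10  # assumption: the page's sample value, used as a floor

# Constructed sample: API auth on, auth service off, unverified TLS to meta node.
WEAK_CONF = """
[http]
  auth-enabled = true
[auth]
  enabled = false
  bcrypt-cost = 4
  meta-addr = "172.17.0.2:8091"
  meta-use-tls = true
  meta-insecure-skip-verify = true
"""
# Constructed sample: the same options with each finding resolved.
HARDENED_CONF = """
[http]
  auth-enabled = true
[auth]
  enabled = true
  bcrypt-cost = 10
  meta-addr = "172.17.0.2:8091"
  meta-use-tls = true
  meta-ca = "/etc/kapacitor/ca.pem"
  meta-insecure-skip-verify = false
"""

def audit_auth_config(conf_text):
    """Return findings for the auth options; a missing key counts as unset."""
    conf = tomllib.loads(conf_text)
    http, auth = conf.get("http", {}), conf.get("auth", {})
    findings = []
    if http.get("auth-enabled") is not True:
        findings.append("[http] auth-enabled: HTTP API does not enforce authentication")
    if auth.get("enabled") is not True:
        findings.append("[auth] enabled: authentication service is not enabled")
    if auth.get("bcrypt-cost", MIN_BCRYPT_COST) < MIN_BCRYPT_COST:
        findings.append("[auth] bcrypt-cost: below %d" % MIN_BCRYPT_COST)
    if auth.get("meta-addr"):  # meta-* options apply only with an Enterprise meta node
        if auth.get("meta-use-tls") is not True:
            findings.append("[auth] meta-use-tls: meta node connection is not using TLS")
        elif auth.get("meta-insecure-skip-verify") is True:
            findings.append("[auth] meta-insecure-skip-verify: chain and host not verified")
    return findings
```

Calling `audit_auth_config(open("/etc/kapacitor/kapacitor.conf").read())` returns an empty list when none of these conditions is present.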
