Documentation

Set up authentication and authorization

Enable and require user-based authentication when using the Kapacitor HTTP API. Kapacitor can either store user roles and permissions locally or use InfluxDB Enterprise authorizations to authenticate requests.

If you are already using the InfluxDB Enterprise user authorization and authentication service to manage users, we recommend using the same for Kapacitor.


Kapacitor authentication configuration options

The following authentication-related configuration options are available in the kapacitor.conf and can also be set with environment variables:

* Required only when using InfluxDB Enterprise authentication
  • [http]
    • auth-enabled: Enable and enforce basic authentication on the Kapacitor HTTP API.
  • [auth]
    • enabled: Enable the Kapacitor authentication service.
    • cache-expiration: How long a consumer service can hold a credential document in its cache.
    • bcrypt-cost: The number of iterations used when hashing the password using the bcrypt algorithm. Higher values generate hashes more resilient to brute force cracking attempts, but lead to marginally longer resolution times.
    • * meta-addr: The address of the InfluxDB Enterprise meta node to connect to for accessing the user and permission store.
    • * meta-use-tls: Use TLS when communicating with the InfluxDB Enterprise meta node.
    • * meta-ca: Path to the certificate authority file for the InfluxDB Enterprise meta node.
    • * meta-cert: Path to the PEM encoded certificate file.
    • * meta-key: Path to the PEM encoded certificate private key.
    • * meta-insecure-skip-verify: Skip chain and host verification when connecting via TLS. Set to true when using a self-signed TLS certificate.
Example authentication settings in the kapacitor.conf
[http]
  # ...
  auth-enabled = true
  # ...

[auth]
  # Enable authentication for Kapacitor.
  enabled = false
  # User permissions cache expiration time.
  cache-expiration = "10m"
  # Cost to compute bcrypt password hashes.
  # bcrypt rounds = 2^cost
  bcrypt-cost = 10
  # Address of an InfluxDB Enterprise meta server.
  # If empty, InfluxDB Enterprise meta nodes are not used as a user store.
  # host:port
  meta-addr = "172.17.0.2:8091"
  meta-use-tls = false
  # Absolute path to PEM encoded Certificate Authority (CA) file.
  # A CA can be provided without a key/certificate pair.
  meta-ca = "/etc/kapacitor/ca.pem"
  # Absolute paths to PEM encoded private key and server certificate files.
  meta-cert = "/etc/kapacitor/cert.pem"
  meta-key = "/etc/kapacitor/key.pem"
  meta-insecure-skip-verify = false

Was this page helpful?

Thank you for your feedback!


Introducing InfluxDB Clustered

A highly available InfluxDB 3.0 cluster on your own infrastructure.

InfluxDB Clustered is a highly available InfluxDB 3.0 cluster built for high write and query workloads on your own infrastructure.

InfluxDB Clustered is currently in limited availability and is only available to a limited group of InfluxData customers. If interested in being part of the limited access group, please contact the InfluxData Sales team.

Learn more
Contact InfluxData Sales

The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Flux is going into maintenance mode and will not be supported in InfluxDB 3.0. This was a decision based on the broad demand for SQL and the continued growth and adoption of InfluxQL. We are continuing to support Flux for users in 1.x and 2.x so you can continue using it with no changes to your code. If you are interested in transitioning to InfluxDB 3.0 and want to future-proof your code, we suggest using InfluxQL.

For information about the future of Flux, see the following: