Is there a way of creating an user in InfluxDB with authentication enabled? Disclaimer: I am a novice to InfluxDB.
I created a Docker container running InfluxDB with authentication enabled by setting auth-enabled = true in http section of the influxdb.conf file.
[http]
...
# Determines whether user authentication is enabled over HTTP/HTTPS.
auth-enabled = true
...
As there are no users, I tried to create one using the following command:
docker exec influxdb influx -execute "create user admin with password 'blabla' with all privileges"
However, this fails with
"stdout": "ERR: error authorizing query: no user provided
So it is kind of a chicken-and-egg problem. You cannot create a user, because this requires logging in as a user in the first place.
It works when authentication is disabled. So I can do the following:
Create config with authentication disabled.
Start InfluxDB
Create users
Change config so authentication is now enabled.
Restart InfluxDB
but in that case I have to store the config in a specific Docker volume and it still leaves a window when anybody could log in without authentication. So it can be automated, but it is not an elegant solution.
Is there an elegant solution for this problem?
Most DB images provide a way to configure an admin-user and admin-passwort via environment variables. InfluxDB does this too:
https://hub.docker.com/_/influxdb/
Set the environment variables INFLUXDB_ADMIN_USER and INFLUXDB_ADMIN_PASSWORD in your container to create the admin user with the given password. You can also enable auth by an environment variable INFLUXDB_HTTP_AUTH_ENABLED
2021 update: apparently there might be some caveats/edge cases as it comes to automatic admin/user creation in InfluxDB in Docker - see here: https://github.com/influxdata/influxdata-docker/issues/232
If you stamp on the following message: "create admin user first or disable authentication" even if you set envs as suggested by #adebasi then the above link might help you tackle the problem.
I've just checked the latest official InfluxDB docker and it works, however, as stated in the above link, if meta directory is present (even if empty) under /var/lib/influxdb then user won't be created.
There's also another case - while using unofficial InfluxDB docker suitable for RaspberryPi Zero (https://hub.docker.com/r/mendhak/arm32v6-influxdb) this functionality of creating users is not present there or at least didn't work for me (I've checked docker image and I saw no code to create users).
Related
after some time of trying, I managed to get InfluxDB and Grafana to play together in my Docker environment, and then I had a look into my InfluxDB bucket. By all the things I can see it doesn’t look that HA is actually writing anything to that bucket.
Going through the UI of InfluxDB I see there are buckets and sources, etc. and I wonder if I have to somehow add HA there as a source.
On the other side I have my configuration.yaml in my HA and there it looks like this
influxdb:
host: 192.168.1.110
port: !secret influx_port
database: home_assistant
username: !secret influx_username
password: !secret influx_password
Any way on how I can figure out if HA is actually writing to the bucket, or can you already tell that I do not write anything because I am missing an essential part?
In the standard HomeAssistant installation there is an entity called Sun, with an entity id sun.sun. I would expect this entity to be logged in the database, but I cant find it there.
The HomeAssistant logs show the following error:
InfluxDB database is not accessible due to '401: {"code":"unauthorized","message":"Unauthorized"}'. Please check that the database, username and password are correct and that the specified user has the correct permissions set.
The name of the database is correct, the username and password are the one I use to login to InfluxDB
When I look for directory rights on the influxdb docker container, then they belong to a DSM user, who is in the user group.
Changing the information in my secrets.yaml for the credentials of the DSM user leads to the same error message I received before.
I am running
Home Assistant 2023.1.7
Frontend 20230110.0 - latest
and
InfluxDB v2.6.1
Alright, for those interested... I managed.
SInce I do not have any certificates (yet), the connection is running on HTTP, and version 2 of InfluxDB is by default pointing at HTTPS. Hence, I added a simple
ssl: false
to the configuration file.
Then I got an error message basically saying the bucket "Home Assistant" was not found. No wonder, that's not the name of the bucket... So, in v2, you do not specify a database(name) in the configuration, but a bucket. Initially I was expecting the token to clarify that, but that's not the case, and I added the line
bucket: !secret influx_bucket
to my configuration and defined the name of the bucket in the secrets file.
Checked the configuration file, restarted HA, and Bob is your uncle...
I'm running Grafana from the docker image on docker hub here (v6.7.4). I would like to add a notification to Microsoft Teams and have the links direct back to the domain I am hosting Grafana on.
I have added the MSTeams webhook to Grafana, and it successfully sends notifications. Now, when I click on "view rule" in the notification, it opens localhost:3000 since that is the default domain for Grafana.
In trying to configure this to point to grafana.my.domain, I have followed this configuration of the Grafana Docker image as well as looked at the configuration file settings, specifically the domain and root_url settings.
Based on the docker configuration, I have tried passing GF_SERVER_DOMAIN=grafana.my.domain, as well as settings for GF_SERVER_SERVER_FORM_SUB_PATH, GF_SERVER_ROOT_URL, and most combinations of those. I have also attempted to alter a sample.ini file that is shipped with the docker container to include the block:
[server]
domain = grafana.my.domain
I then mounted the .ini file as /grafana/config.ini:/etc/grafana/grafana.ini (based on this) in my docker-compose file, but it did not pick up on it.
Still, when the notification is clicked on within Teams, I get directed to localhost:3000. Am I missing something with the configuration here? It seems passing the environment variable is all that should be needed based on the documentation.
I'm running a docker private registry inside a kubernetes cluster using the standard registry:2 image. The image has basic functionality to provide user authentication using the Apache htpasswd utility.
In my case multiple users need to access the repository and therefore need to setup username passwords for multiple different users. What would be the best approach to implement this.
I got the single user htpsswd based authentication working, but does not seem to find a way to enable auth for multiple users i.e. having proper access control.
The registry is SSL enabled.(TLS at the ingress level)
There are multiple ways this could be done. First of all its possible to have multiple users in the htpasswd file. It was not working with docker becasue docker required the passwords to be hashed using bcrypt algorithm.
Use the -B flag while creating the htpasswd file.
sudo htpasswd -c -B /etc/apache2/.htpasswd <username1>
Another way this could be done, is using nginx authentication annotations.
nginx.ingress.kubernetes.io/auth-url: "url to auth service"
If the service return 200, nginx forwards the request or else returns authentication error response. With this you could have a lot of custom logic as you create and manage the authentication server.
I'm brand new to containers and am trying to set up a MediaWiki on a Synology NAS. The Synology comes with a package for MediaWiki but it is at 1.30 and they haven't updated in a year. I need a newer version so i can use LDAP with latest extensions.
So, i found this step-by-step guide on how to install the containers with docker. I'm trying it with MediaWiki 1.34.0 and it works fine up to the point that we test connection to the mysql database - 5) Input your MySQL container name and its root password.
When i click Continue i get this error: Cannot access the database: :real_connect(): (HY000/2054): The server requested authentication method unknown to the client. Check the host, username and password and try again. If using "localhost" as the database host, try using "127.0.0.1" instead (or vice versa).
It seems to be that the mediawiki container and the mediawiki-mysql containers aren't networked. I'm looking under network and it shows the following, so they should be able to communicate. I can ping a 172.26.0.2 and 172.26.0.3 address but can't figure how to get past step 5) in that go-by.
I've tried everything i can think of. Using older versions of MediaWiki (e.g. 1.31) and mysql but this connection problem is the sticking point each time. I've reached limit of my capabilities here.
It seems to be that the mediawiki container and the mediawiki-mysql containers aren't networked
Would be interesting where this assumption is coming from. From what I read from the error message, your containers can perfectly fine communicate to each other (they should, as they seem to be on the same network, given that the mediawiki-mysql container is also on a bridged network and in the same subnet).
Let's take a look at the interesting part of the error message:
The server requested authentication method unknown to the client
That looks, to me, as a misconfiguration of mysql. I assume you're using the latest version of the mysql docker container, which should be some version of mysql 8. If you now google for this, you'll find plenty of posts even on stackoverflow, like:
https://stackoverflow.com/a/53881212/3394281
php mysqli_connect: authentication method unknown to the client [caching_sha2_password]
To fix this with your current dataset, you could change the authentication plugin from socket to password:
Log in as root to mysql
Run this sql command:
ALTER USER 'root'#'localhost' IDENTIFIED WITH mysql_native_password
BY 'password';
Replace 'password' with your root password. In case your application does not log in to your database with the root user, replace the 'root' user in the above command with the user that your application uses.
Or, if you're using docker-compose or can change the executed command somehow else, you could follow this answer:
Add the following line to the command:
--default-authentication-plugin=mysql_native_password
Florian's answer put me on the right trail even though it didn't work as he initially suggested (I'm marking his as correct answer). I changed the root plugin (his item 2. above) but still did not work. So, I did the same on all of the users shown with the SELECT user, authentication_string,plugin,host FROM mysql.user;.
After, that i ran a FLUSH PRIVILEGES; and then was able to complete the MediaWiki 1.34.0 installation (via http://xxx.xxx.xxx.xxx:8080).
I suspect that all i really needed to do was run that ALTER USER on the two root accounts (root#localhost and root#%) but it is working now so i'm leaving it as-is. Here is a good link that will help with these commands.
I have seen similar questions, but nothing helped.
Like here:
SSH login with no authentication
SSH session without ANY authentication
My problem is as the question states. I want to setup ssh to work without any password prompt or any keys. Means, doing
ssh computer#IP_address
should give me access to the remote machine.
Question ends here^^^^^^^^^^^. Details of what I'm trying to achieve:
I have a docker image of Ubuntu in which I'm trying to install ssh. This has 2 reasons: easy file transfer using scp and the other is, that I sometimes, by mistake I close docker without committing and end up losing all my progress/data. So I want to make it such that I run the docker container in the background and only access it using ssh. Also, I am working in a team and I'll need to some other outside people(who download my docker image) to be able to work with it easily as well, which is why I want it to be ssh-accessible without a login.
You should look at setting PermitEmptyPasswords to yes in your sshd_config file and restard sshd service.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ''no''.