[InfluxDBv2] Admin Token via `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE` env var is not set in the container causing authorization errors
shantanoo-desai opened this issue
Description
For a configuration that loads the init values via files as mentioned below:
```yaml
services:
  influxdbv2:
    image: docker.io/influxdb:2.6-alpine
    container_name: influxdbv2
    environment:
      - DOCKER_INFLUXDB_INIT_MODE=setup
      - DOCKER_INFLUXDB_INIT_ORG=${DOCKER_INFLUXDB_INIT_ORG}
      - DOCKER_INFLUXDB_INIT_BUCKET=${DOCKER_INFLUXDB_INIT_BUCKET}
      - DOCKER_INFLUXDB_INIT_RETENTION=${DOCKER_INFLUXDB_INIT_RETENTION}
      - DOCKER_INFLUXDB_INIT_USERNAME_FILE=/run/secrets/influxdbv2_admin_username
      - DOCKER_INFLUXDB_INIT_PASSWORD_FILE=/run/secrets/influxdbv2_admin_password
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE=/run/secrets/influxdbv2_admin_token
      - INFLUXD_LOG_LEVEL=debug
    secrets:
      - source: influxdbv2_admin_username
        mode: 0444
      - source: influxdbv2_admin_password
        mode: 0444
      - source: influxdbv2_admin_token
        mode: 0444
    security_opt:
      - "no-new-privileges=true"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

secrets:
  influxdbv2_admin_username:
    environment: INFLUXDBV2_ADMIN_USERNAME
  influxdbv2_admin_password:
    environment: INFLUXDBV2_ADMIN_PASSWORD
  influxdbv2_admin_token:
    environment: INFLUXDBV2_ADMIN_TOKEN
```
And the respective `.env` file:

```
# InfluxDBv2 Admin Credentials
INFLUXDBV2_ADMIN_USERNAME=admin
INFLUXDBV2_ADMIN_PASSWORD=testInfluxDB
INFLUXDBV2_ADMIN_TOKEN=testtoken
DOCKER_INFLUXDB_INIT_ORG=komponistorg
DOCKER_INFLUXDB_INIT_BUCKET=komponistdb
DOCKER_INFLUXDB_INIT_RETENTION=7d
```
It is rather strange that when the container is brought up and one accesses the shell using:

```
docker compose exec -it influxdbv2 sh
```

The output of the `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` is empty. Assuming the value is unset after the `entrypoint.sh` is executed, I perform some other checks:

- Check whether the `/run/secrets/influxdbv2_admin_token` has the token value, which it has
- Use this Admin token within the container to query the auth lists using:

  ```
  curl -XGET "http://localhost:8086/api/v2/authorizations" \
    --header "Authorization: Token testtoken" \
    --header "Content-type: application/json"
  {"code":"unauthorized","message":"unauthorized access"}
  ```
Tests with Telegraf
I pass the admin token to the Output Plugin for InfluxDBv2 to try writing to the init bucket and I get authorization errors even though the ADMIN_TOKEN is the exact same.
Inference
I am almost certain that the `ADMIN_TOKEN_FILE` is unable to set the user-specified token because when I replace the `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE` with `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` and set the value directly I can query the auth list query via curl and my Telegraf plugin is able to insert the values into the init bucket with any errors.
Please let me know if you need more reproduction proof.
(cc @powersj This can be the reason for users complaining about Authorization Errors)
Reproduction
This GitHub Gist can be used to reproduce the error: https://gist.github.com/shantanoo-desai/291052ae8c118add9b5784a8c793e281
(you can also clone the Gist via git)
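
Since the issue reports that the plain `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` variable works while the `_FILE` form does not, the sketch below resolves a `NAME_FILE` variable into `NAME` while keeping the secret on disk. It is an added example, not code from the issue or from the influxdb image; `resolve_file_env` is a hypothetical helper name, and calling it from a wrapper script before the image's own entrypoint runs is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the influxdb image).
# Resolves NAME_FILE into NAME: reads the secret file, exports NAME,
# and unsets NAME_FILE. Fails loudly instead of starting with an empty token.
# Return codes: 0 ok / nothing to do, 1 both forms set,
#               2 file unreadable, 3 file empty.
resolve_file_env() {
    name="$1"
    file_var="${name}_FILE"
    # Indirect lookups; the names are fixed strings chosen by the caller.
    eval "direct=\${$name:-}"
    eval "path=\${$file_var:-}"

    if [ -n "$direct" ] && [ -n "$path" ]; then
        echo "error: both $name and $file_var are set" >&2
        return 1
    fi
    if [ -z "$path" ]; then
        return 0    # no *_FILE variable given, leave NAME untouched
    fi
    if [ ! -r "$path" ]; then
        echo "error: $file_var points to unreadable file $path" >&2
        return 2
    fi
    # Command substitution strips trailing newlines, so a secret stored
    # as "testtoken\n" resolves to exactly "testtoken".
    value="$(cat "$path")"
    if [ -z "$value" ]; then
        echo "error: $path is empty" >&2
        return 3
    fi
    export "$name=$value"
    unset "$file_var"
}
```

A wrapper would call `resolve_file_env DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` (and likewise for the username and password variables) and then hand control to the image's entrypoint.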