influxdata / influxdata-docker

Official docker images for the influxdata stack

[InfluxDBv2] Admin Token via `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE` env var is not set in the container causing authorization errors

shantanoo-desai opened this issue

Description

For a configuration that loads the init values via files as mentioned below:

```yaml
services:
  influxdbv2:
    image: docker.io/influxdb:2.6-alpine
    container_name: influxdbv2
    environment:
      - DOCKER_INFLUXDB_INIT_MODE=setup
      - DOCKER_INFLUXDB_INIT_ORG=${DOCKER_INFLUXDB_INIT_ORG}
      - DOCKER_INFLUXDB_INIT_BUCKET=${DOCKER_INFLUXDB_INIT_BUCKET}
      - DOCKER_INFLUXDB_INIT_RETENTION=${DOCKER_INFLUXDB_INIT_RETENTION}
      - DOCKER_INFLUXDB_INIT_USERNAME_FILE=/run/secrets/influxdbv2_admin_username
      - DOCKER_INFLUXDB_INIT_PASSWORD_FILE=/run/secrets/influxdbv2_admin_password
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE=/run/secrets/influxdbv2_admin_token
      - INFLUXD_LOG_LEVEL=debug
    secrets:
      - source: influxdbv2_admin_username
        mode: 0444
      - source: influxdbv2_admin_password
        mode: 0444
      - source: influxdbv2_admin_token
        mode: 0444
    security_opt:
      - "no-new-privileges=true"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

secrets:
  influxdbv2_admin_username:
    environment: INFLUXDBV2_ADMIN_USERNAME
  influxdbv2_admin_password:
    environment: INFLUXDBV2_ADMIN_PASSWORD
  influxdbv2_admin_token:
    environment: INFLUXDBV2_ADMIN_TOKEN
```

And the respective .env file:

```
# InfluxDBv2 Admin Credentials
INFLUXDBV2_ADMIN_USERNAME=admin
INFLUXDBV2_ADMIN_PASSWORD=testInfluxDB
INFLUXDBV2_ADMIN_TOKEN=testtoken
DOCKER_INFLUXDB_INIT_ORG=komponistorg
DOCKER_INFLUXDB_INIT_BUCKET=komponistdb
DOCKER_INFLUXDB_INIT_RETENTION=7d
```

It is rather strange that when the container is brought up and one accesses the shell using:

```
docker compose exec -it influxdbv2 sh
```

The output of the DOCKER_INFLUXDB_INIT_ADMIN_TOKEN is empty. Assuming the value is unset after the entrypoint.sh is executed, I perform some other checks:

  1. Check whether the /run/secrets/influxdbv2_admin_token has the token value, which it has

  2. Use this Admin token within the container to query the auth lists using:

     ```
     curl -XGET "http://localhost:8086/api/v2/authorizations" \
          --header "Authorization: Token testtoken" \
          --header "Content-type: application/json"
     ```

     ```
     {"code":"unauthorized","message":"unauthorized access"}
     ```

Tests with Telegraf

I pass the admin token to the Output Plugin for InfluxDBv2 to try writing to the init bucket and I get authorization errors even though the ADMIN_TOKEN is the exact same.

Inference

I am almost certain that the ADMIN_TOKEN_FILE is unable to set the user-specified token, because when I replace the DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE with DOCKER_INFLUXDB_INIT_ADMIN_TOKEN and set the value directly, I can query the auth list query via curl and my Telegraf plugin is able to insert the values into the init bucket without any errors.

Please let me know if you need more reproduction proof.

(cc @powersj This can be the reason for users complaining about Authorization Errors)

Reproduction

This GitHub Gist can be used to reproduce the error: https://gist.github.com/shantanoo-desai/291052ae8c118add9b5784a8c793e281

(you can also clone the Gist via git)

Logs

[Screenshot: influxdbv2_admin_token_error]
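
The `VAR` / `VAR_FILE` lookup that the compose file above relies on, written out as an added example; this is not the influxdb image's entrypoint code, and `resolve_file_env` and `demo_child_view` are hypothetical names. It assumes the common convention that the two forms are mutually exclusive and that the file's content becomes the variable's value.

```shell
#!/bin/sh
# Added example: generic VAR / VAR_FILE resolution. resolve_file_env is a
# hypothetical helper, not code from the influxdb image.
resolve_file_env() {
    name=$1
    # Accept only plain variable names so the eval below cannot run injected text.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 2 ;;
    esac
    eval "direct=\${$name-}"
    eval "file=\${${name}_FILE-}"
    if [ -n "$direct" ] && [ -n "$file" ]; then
        echo "$name and ${name}_FILE are both set" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "${name}_FILE is not readable: $file" >&2
            return 1
        fi
        # Command substitution drops the trailing newline of the secret file.
        direct=$(cat "$file")
        if [ -z "$direct" ]; then
            echo "${name}_FILE is empty: $file" >&2
            return 1
        fi
    fi
    [ -n "$direct" ] || return 0   # neither form set: nothing to do
    # Export so that processes started from this shell inherit the value.
    export "$name=$direct"
    unset "${name}_FILE"
}

# Constructed demo: a temporary file stands in for
# /run/secrets/influxdbv2_admin_token and holds the page's sample token.
# Prints the value a child process of the resolving shell sees.
demo_child_view() (
    dir=$(mktemp -d) || exit 1
    printf 'testtoken\n' > "$dir/influxdbv2_admin_token"
    unset DOCKER_INFLUXDB_INIT_ADMIN_TOKEN
    DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE=$dir/influxdbv2_admin_token
    resolve_file_env DOCKER_INFLUXDB_INIT_ADMIN_TOKEN || { rm -rf "$dir"; exit 1; }
    seen=$(sh -c 'printf %s "$DOCKER_INFLUXDB_INIT_ADMIN_TOKEN"')
    rm -rf "$dir"
    printf '%s\n' "$seen"
)

demo_child_view
```

A value exported this way is inherited only by processes started from the resolving shell. A shell opened with `docker compose exec` gets its environment from the container's configuration instead, so an empty `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` there does not by itself show whether the file was read.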