When you first install InfluxDB, if you head over to the API Tokens tab under “Load Data”, you’ll find an API token called something like “admin’s token”.
This key is known as an Operator Token, it grants full read and write access to all resources across all organisations in InfluxDB. An Operator Token is effectively a Linux Root equivalent, and has higher privileges than an “All-Access” token.
All-Access tokens can only make modifications to a specific organisation. An Operator token can do the same, but for everything.
Now, let’s say you’re like me and have unknowingly deleted this token (I thought it wasn’t required, but turns out you need it to make extra users). Let’s go about recovering that.
Starting from Scratch
You may be in a case where your influx-cli is unconfigured, which will make things difficult for searching up ID’s for users and orgs later on in this post. Let’s just quickly nail that one now.
Head on over to the Web GUI of your InfluxDB server, navigate to the “Load Data” page and select “API Tokens”.
Here, let’s create generate an “All Access Token”. Click that plus (+) icon at the top right of the page and give the token a name, like admin-cli. Once that’s done, we can add it to our influx-cli config. Open the
~/.influxdbv2/configs file in your preferred editor.
[influx-server_admin-cli] url = "http://influx.localdomain:8086" token = "[...]oXT5j[...]" org = "my-organisation" active = true
From here, if we type influx config list, we should see this new config.
[email protected]:~$ influx config list Active Name URL Org * influx-server_admin-cli http://influx.localdomain:8086 my-organisation
Gathering our Information
Recovering this Operator Token is relatively straight forward, only caveat is that you need to stop the InfluxD server, which means you will stop collecting events. Though realistically you’ll only need to stop it for a minute or two anyway to execute the commands.
You should at least have one user, commonly known as “Admin”. We’re going to create an Operator Token for this user. Let’s prepare our command.
First, we need locate our InfluxD bolt file. By default this is
~/.influxdbv2/influx.bolt but depending on who you run this command as, it may not execute as you’d expect. Let’s look for our bolt files.
[email protected]:~$ sudo updatedb [email protected]:~$ locate influxd.bolt /var/lib/influxdb/influxd.bolt
That looks like it, your results may vary. We’ll note that one down.
[email protected]:~$ export INFLUXD_BOLT=/var/lib/influxdb/influxd.bolt
Let’s double check which user we’re going to use to create an Operator Token. This user needs to exist, InfluxD reccovery will not create one for you.
[email protected]:~$ influx user list ID Name 09076321bc352000 admin [email protected]:~$ export INFLUXD_USER=admin
I’ve only got Admin here, so I’m going to use that. We also need to specify our organisation, so let’s list those and select one.
[email protected]:~$ influx org list ID Name a9b9db8ee3e984aa rajchert.net [email protected]:~$ export INFLUXD_ORG=rajchert.net
That’s it! Let’s create an Operator Token
Creating an Operator Token
Using the information we collected above, we’re going to:
- Stop the InfluxD service
- Create the Operator Token
- Start the InfluxD service
[email protected]:~$ sudo systemctl stop influxd.service [email protected]:~$ sudo influxd recovery auth create-operator \ --bolt-path $INFLUXD_BOLT \ --org $INFLUXD_ORG --username $INFLUXD_USER [email protected]:~$ sudo systemctl start influxd.service
And with that, in no time at all you should have a new Operator Token called “$INFLUXD_USER’s Recovery Token”. Feel free to change the name of this.
Saving Config to Influx-CLI
When you execute commands using influx-cli, you must authenticate against the Influx server. Let’s add the token we’ve just generated to our config.
Config is stored at
~/.influxdbv2/configs by default. If you have a look at this file you’ll see some commented out examples. Lets add ours:
# [us-west] # url = "https://us-west-2-1.aws.cloud2.influxdata.com" # token = "XXX" # org = "" [influx-server] url = "http://my-influx-server.localdomain:8086" token = "[...]xDd76aKb[...]" org = "my-organisation" active = true
Once saved, if you list your configs it should appear and be active!
[email protected]:~$ influx config list Active Name URL Org * influx-server http://my-influx-server.localdomain:8086 my-organisation
Using our new Operator Token
Let’s create a new user. This can be done with
[email protected]:~$ influx user create \ --name joebloggs \ --password ExAmPl3PA55W0rD \ --org myOrganisation
Once this is executed, a new user should be created instantly!
More about Influx-CLI
You can learn more about the Influx Command Line Interface by reading the reference manual here.