Merge branch 'master' into fix-test-product-environments

pull/5556/head
Jason Stirnaman 2024-08-07 14:03:27 -05:00 committed by GitHub
commit 0df14666cc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 519 additions and 24 deletions

@ -114,6 +114,9 @@ pre[class*="language-"] {
.nl, /* Name.Label */
.si /* Literal.String.Interpol */
{ color: $article-code-accent4 }
.gd /* Generic.Deleted strike-through*/
{ text-decoration: line-through; }
.m, /* Literal.Number */
.ni, /* Name.Entity */

@ -7,7 +7,7 @@ description: >
menu:
influxdb_clustered:
parent: Administer InfluxDB Clustered
weight: 103
weight: 104
influxdb/clustered/tags: [storage]
related:
- /influxdb/clustered/reference/internals/storage-engine/

@ -9,7 +9,7 @@ description: >
menu:
influxdb_clustered:
parent: Administer InfluxDB Clustered
weight: 102
weight: 103
influxdb/clustered/tags: [databases]
---

@ -8,7 +8,7 @@ description: >
menu:
influxdb_clustered:
parent: Administer InfluxDB Clustered
weight: 102
weight: 103
influxdb/clustered/tags: [tables]
---

@ -8,13 +8,13 @@ description: >
menu:
influxdb_clustered:
parent: Administer InfluxDB Clustered
weight: 102
weight: 103
influxdb/clustered/tags: [tokens]
---
InfluxDB uses token authentication to authorize access to data in your
{{< product-name omit=" Clustered" >}} cluster.
There are two types of tokens:
With {{< product-name >}}, there are two types of tokens:
- [Database tokens](#database-tokens)
- [Management tokens](#management-tokens)

@ -1,18 +1,32 @@
---
title: Manage InfluxDB Clustered users
title: Manage users in your InfluxDB cluster
description: >
Add or remove users by updating your `myinfluxdb.yml` file and re-applying the configuration.
Manage users with administrative access to your InfluxDB cluster through your
identity provider and your InfluxDB `AppInstance` resource.
menu:
influxdb_clustered:
name: Manage users
parent: Administer InfluxDB Clustered
weight: 101
draft: true
weight: 102
cascade:
related:
- /influxdb/clustered/install/auth/
- /influxdb/clustered/install/configure-cluster/
---
To add or remove users, update the users list in the `myinfluxdb.yml` file.
The users list is found at `spec.package.spec.admin.users`.
After updating the list, re-apply `myinfluxdb.yml`.
To learn how to apply `myinfluxdb.yml`, see [Deploy an InfluxDB cluster](/influxdb/clustered/install/deploy).
After `myinfluxdb.yml` has been applied, updates take a couple of minutes to complete.
When the updates are finished, new users will have been added, and removed users will have been deleted.
Manage users with administrative access to your InfluxDB cluster through your
[identity provider](/influxdb/clustered/install/auth/) and your InfluxDB
`AppInstance` resource. Administrative access lets users perform actions like
creating databases and tokens.
{{% note %}}
#### Users versus database tokens
All _users_ have administrative access to your cluster and can perform
administrative actions in your InfluxDB cluster.
_Database tokens_ authorize read and write access to databases in your InfluxDB
cluster. A person or client doesn't need to be a user to read and write data in your cluster,
but they must have a database token.
{{% /note %}}
{{< children >}}
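
Review bot: The rewritten body drops the timing statement from the old text ("After `myinfluxdb.yml` has been applied, updates take a couple of minutes to complete"), and nothing in the new overview replaces it. Every user managed here has administrative access, so readers need to know how long an applied change takes to land; suggest carrying that sentence into the add and remove child pages next to their "Apply the change" step.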

@ -0,0 +1,347 @@
---
title: Add a user to your InfluxDB cluster
list_title: Add a user
description: >
Add a user with administrative access to your InfluxDB cluster through your
identity provider and your InfluxDB `AppInstance` resource.
menu:
influxdb_clustered:
name: Add a user
parent: Manage users
weight: 201
---
Add a user with administrative access to your InfluxDB cluster through your
[identity provider](/influxdb/clustered/install/auth/) and your InfluxDB
`AppInstance` resource:
1. Use your identity provider to create an OAuth2 account for the user that
needs administrative access to your InfluxDB cluster.
**Refer to your identity provider's documentation for information about
adding users:**
- [Keycloak: Creating users {{% icon "export" %}}](https://www.keycloak.org/docs/latest/server_admin/#proc-creating-user_server_administration_guide)
- [Microsoft Entra ID: How to create, invite, and delete users {{% icon "export" %}}](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users)
- [Auth0: Team member management {{% icon "export" %}}](https://auth0.com/docs/get-started/auth0-teams/team-member-management)
2. Add the user to your InfluxDB `AppInstance` resource.
You can edit your `AppInstance` resource directly in your `myinfluxdb.yml`,
or, if you're using the
[InfluxDB Clustered Helm chart](https://github.com/influxdata/helm-charts/tree/master/charts/influxdb3-clustered),
you can add users to your `values.yaml` to modify your `AppInstance`
resource. Required credentials depend on your identity provider.
{{< tabs-wrapper >}}
{{% tabs %}}
[AppInstance](#)
[Helm](#)
{{% /tabs %}}
{{% tab-content %}}
<!----------------------------- BEGIN AppInstance ----------------------------->
If editing your `AppInstance` resource directly, provide values for the
following fields in your `myinfluxdb.yml` configuration file:
- `spec.package.spec.admin`
- `identityProvider`: Identity provider name.
_If using Microsoft Entra ID (formerly Azure Active Directory), set the name
to `azure`_.
- `jwksEndpoint`: JWKS endpoint provide by your identity provider.
- `users`: List of OAuth2 users to grant administrative access to your
InfluxDB cluster. IDs are provided by your identity provider.
Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but
other OAuth2 providers should work as well:
{{< code-tabs-wrapper >}}
{{% code-tabs %}}
[Keycloak](#)
[Auth0](#)
[Microsoft Entra ID](#)
{{% /code-tabs %}}
{{% code-tab-content %}}
{{% code-callout "keycloak" "green" %}}
{{% code-placeholders "KEYCLOAK_(HOST|REALM|USER_ID)" %}}
```yaml
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
admin:
identityProvider: keycloak
jwksEndpoint: |-
https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Keycloak.
- id: KEYCLOAK_USER_ID
firstName: Marty
lastName: McFly
email: mcfly@influxdata.com
```
{{% /code-placeholders %}}
{{% /code-callout %}}
Replace the following:
- {{% code-placeholder-key %}}`KEYCLOAK_HOST`{{% /code-placeholder-key %}}:
Host and port of your Keycloak server
- {{% code-placeholder-key %}}`KEYCLOAK_REALM`{{% /code-placeholder-key %}}:
Keycloak realm
- {{% code-placeholder-key %}}`KEYCLOAK_USER_ID`{{% /code-placeholder-key %}}:
Keycloak user ID to grant InfluxDB administrative access to
_(See [Find user IDs with Keycloak](/influxdb/clustered/install/auth/#find-user-ids-with-keycloak))_
---
{{% /code-tab-content %}}
{{% code-tab-content %}}
{{% code-callout "auth0" "green" %}}
{{% code-placeholders "AUTH0_(HOST|USER_ID)" %}}
```yaml
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
admin:
identityProvider: auth0
jwksEndpoint: |-
https://AUTH0_HOST/.well-known/openid-configuration
users:
- AUTH0_USER_ID
```
{{% /code-placeholders %}}
{{% /code-callout %}}
Replace the following:
- {{% code-placeholder-key %}}`AUTH0_HOST`{{% /code-placeholder-key %}}:
Host and port of your Auth0 server
- {{% code-placeholder-key %}}`AUTH0_USER_ID`{{% /code-placeholder-key %}}:
Auth0 user ID to grant InfluxDB administrative access to
---
{{% /code-tab-content %}}
{{% code-tab-content %}}
{{% code-callout "azure" "green" %}}
{{% code-placeholders "AZURE_(USER|TENANT)_ID" %}}
```yaml
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
admin:
identityProvider: azure
jwksEndpoint: |-
https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
users:
- AZURE_USER_ID
```
{{% /code-placeholders %}}
{{% /code-callout %}}
Replace the following:
- {{% code-placeholder-key %}}`AZURE_TENANT_ID`{{% /code-placeholder-key %}}:
Microsoft Entra tenant ID
- {{% code-placeholder-key %}}`AZURE_USER_ID`{{% /code-placeholder-key %}}:
Microsoft Entra user ID to grant InfluxDB administrative access to
_(See [Find user IDs with Microsoft Entra ID](/influxdb/clustered/install/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))_
---
{{% /code-tab-content %}}
{{< /code-tabs-wrapper >}}
<!------------------------------ END AppInstance ------------------------------>
{{% /tab-content %}}
{{% tab-content %}}
<!--------------------------------- BEGIN Helm -------------------------------->
If using the InfluxDB Clustered Helm chart, provide values for the following
fields in your `values.yaml`:
- `admin`
- `identityProvider`: Identity provider name.
_If using Microsoft Entra ID (formerly Azure Active Directory), set the name
to `azure`_.
- `jwksEndpoint`: JWKS endpoint provide by your identity provider.
- `users`: List of OAuth2 users to grant administrative access to your
InfluxDB cluster. IDs are provided by your identity provider.
Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but
other OAuth2 providers should work as well:
{{< code-tabs-wrapper >}}
{{% code-tabs %}}
[Keycloak](#)
[Auth0](#)
[Microsoft Entra ID](#)
{{% /code-tabs %}}
{{% code-tab-content %}}
{{% code-callout "keycloak" "green" %}}
{{% code-placeholders "KEYCLOAK_(HOST|REALM|USER_ID)" %}}
```yaml
admin:
# The identity provider to be used (such as "keycloak", "auth0", or "azure")
# Note, use "azure" for Azure Active Directory
identityProvider: keycloak
# The JWKS endpoint provided by the Identity Provider
jwksEndpoint: |-
https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs
# The list of users to grant access to Clustered via influxctl
users:
# All fields are required but `firstName`, `lastName`, and `email` can be
# arbitrary values. However, `id` must match the user ID provided by Keycloak.
- id: KEYCLOAK_USER_ID
firstName: Marty
lastName: McFly
email: mcfly@influxdata.com
```
{{% /code-placeholders %}}
{{% /code-callout %}}
Replace the following:
- {{% code-placeholder-key %}}`KEYCLOAK_HOST`{{% /code-placeholder-key %}}:
Host and port of your Keycloak server
- {{% code-placeholder-key %}}`KEYCLOAK_REALM`{{% /code-placeholder-key %}}:
Keycloak realm
- {{% code-placeholder-key %}}`KEYCLOAK_USER_ID`{{% /code-placeholder-key %}}:
Keycloak user ID to grant InfluxDB administrative access to
---
{{% /code-tab-content %}}
{{% code-tab-content %}}
{{% code-callout "auth0" "green" %}}
{{% code-placeholders "AUTH0_(HOST|USER_ID)" %}}
```yaml
admin:
# The identity provider to be used e.g. "keycloak", "auth0", "azure", etc
# Note, use "azure" for Azure Active Directory.
identityProvider: auth0
# The JWKS endpoint provided by the Identity Provider
jwksEndpoint: |-
https://AUTH0_HOST/.well-known/openid-configuration
# The list of users to grant access to Clustered via influxctl
users:
- AUTH0_USER_ID
```
{{% /code-placeholders %}}
{{% /code-callout %}}
Replace the following:
- {{% code-placeholder-key %}}`AUTH0_HOST`{{% /code-placeholder-key %}}:
Host and port of your Auth0 server
- {{% code-placeholder-key %}}`AUTH0_USER_ID`{{% /code-placeholder-key %}}:
Auth0 user ID to grant InfluxDB administrative access to
---
{{% /code-tab-content %}}
{{% code-tab-content %}}
{{% code-callout "azure" "green" %}}
{{% code-placeholders "AZURE_(USER|TENANT)_ID" %}}
```yaml
admin:
# The identity provider to be used e.g. "keycloak", "auth0", "azure", etc
# Note, use "azure" for Azure Active Directory.
identityProvider: azure
# The JWKS endpoint provided by the Identity Provider
jwksEndpoint: |-
https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
# The list of users to grant access to Clustered via influxctl
users:
- AZURE_USER_ID
```
{{% /code-placeholders %}}
{{% /code-callout %}}
Replace the following:
- {{% code-placeholder-key %}}`AZURE_TENANT_ID`{{% /code-placeholder-key %}}:
Microsoft Entra tenant ID
- {{% code-placeholder-key %}}`AZURE_USER_ID`{{% /code-placeholder-key %}}:
Microsoft Entra user ID to grant InfluxDB administrative access to
_(See [Find user IDs with Microsoft Entra ID](/influxdb/clustered/install/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))_
---
{{% /code-tab-content %}}
{{< /code-tabs-wrapper >}}
<!---------------------------------- END Helm --------------------------------->
{{% /tab-content %}}
{{< /tabs-wrapper >}}
3. Apply the change to your InfluxDB cluster.
- If updating the `AppInstance` resource directly, use `kubectl` to apply
the change.
- If using the InfluxDB Clustered Helm chart, use `helm` to apply the change.
{{< code-tabs-wrapper >}}
{{% code-tabs %}}
[kubectl](#)
[Helm](#)
{{% /code-tabs %}}
{{% code-tab-content %}}
<!--pytest.mark.skip-->
```bash
kubectl apply \
--filename myinfluxdb.yml \
--namespace influxdb
```
{{% /code-tab-content %}}
{{% code-tab-content %}}
<!--pytest.mark.skip-->
```bash
helm upgrade \
influxdb \
influxdata/influxdb3-clustered \
-f ./values.yaml \
--namespace influxdb
```
{{% /code-tab-content %}}
{{< /code-tabs-wrapper >}}
Once applied, the added user is granted administrative access to your InfluxDB
cluster and can use `influxctl` to perform administrative actions.
See [Set up Authorization--Configure influxctl](/influxdb/clustered/install/auth/#configure-influxctl)
for information about configuring the new user's `influxctl` client to communicate
and authenticate with your InfluxDB cluster's identity provider.

@ -0,0 +1,131 @@
---
title: Remove a user from your InfluxDB cluster
list_title: Remove a user
description: >
Remove a user with administrative access from your InfluxDB cluster.
menu:
influxdb_clustered:
name: Remove a user
parent: Manage users
weight: 201
---
Remove a user with administrative access from your InfluxDB cluster:
1. Remove or deactivate the user in your identity provider.
**Refer to your identity provider's documentation for information about
removing users:**
- [Keycloak: Deleting a user {{% icon "export" %}}](https://www.keycloak.org/docs/latest/server_admin/#proc-deleting-user_server_administration_guide)
- [Microsoft Entra ID: How to create, invite, and delete users {{% icon "export" %}}](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#delete-a-user)
- [Auth0: Team member management {{% icon "export" %}}](https://auth0.com/docs/get-started/auth0-teams/team-member-management#delete-an-existing-team-member)
2. Remove the user from your InfluxDB `AppInstance` resource.
You can edit your `AppInstance` resource directly in your `myinfluxdb.yml`,
or, if you're using the
[InfluxDB Clustered Helm chart](https://github.com/influxdata/helm-charts/tree/master/charts/influxdb3-clustered),
you can remove users from your `values.yaml` to modify your `AppInstance`
resource.
{{< tabs-wrapper >}}
{{% tabs %}}
[AppInstance](#)
[Helm](#)
{{% /tabs %}}
{{% tab-content %}}
<!----------------------------- BEGIN AppInstance ----------------------------->
If editing your `AppInstance` resource directly, remove the user from the list
of users in the `spec.package.spec.admin.users` field in your `myinfluxdb.yml`
configuration file--for example:
```diff
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
admin:
# ...
users:
- id: XXooXoXXooXXXoo1
firstName: Marty
lastName: McFly
email: mcfly@influxdata.com
- - id: XXooXoXXooXXXoo2
- firstName: John
- lastName: Doe
- email: j.doe@influxdata.com
```
<!------------------------------ END AppInstance ------------------------------>
{{% /tab-content %}}
{{% tab-content %}}
<!--------------------------------- BEGIN Helm -------------------------------->
If using the InfluxDB Clustered Helm chart, remove the user from the list of
users in the `admin.users` field in your in your `values.yaml`--for example:
```diff
admin:
# ...
users:
- id: XXooXoXXooXXXoo1
firstName: Marty
lastName: McFly
email: mcfly@influxdata.com
- - id: XXooXoXXooXXXoo2
- firstName: John
- lastName: Doe
- email: j.doe@influxdata.com
```
<!---------------------------------- END Helm --------------------------------->
{{% /tab-content %}}
{{< /tabs-wrapper >}}
3. Apply the change to your InfluxDB cluster.
- If updating the `AppInstance` resource directly, use `kubectl` to apply
the change.
- If using the InfluxDB Clustered Helm chart, use `helm` to apply the change.
{{< code-tabs-wrapper >}}
{{% code-tabs %}}
[kubectl](#)
[Helm](#)
{{% /code-tabs %}}
{{% code-tab-content %}}
<!--pytest.mark.skip-->
```bash
kubectl apply \
--filename myinfluxdb.yml \
--namespace influxdb
```
{{% /code-tab-content %}}
{{% code-tab-content %}}
<!--pytest.mark.skip-->
```bash
helm upgrade \
influxdb \
influxdata/influxdb3-clustered \
-f ./values.yaml \
--namespace influxdb
```
{{% /code-tab-content %}}
{{< /code-tabs-wrapper >}}
{{% note %}}
After you complete step 1 above, the removed user no longer has administrative
access to your InfluxDB cluster.
However, you should still remove them from your `AppInstance` resource.
{{% /note %}}
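
Review bot: The closing note says that after step 1 "the removed user no longer has administrative access", but the page never says what happens to a token the identity provider issued before the account was removed or deactivated. Please state whether such a token is rejected immediately or keeps working until it expires, move the note up next to step 1, and give the reason the `AppInstance` entry should still be removed, because "you should still remove them" reads as optional for what is an administrative access list. Also, `in your in your` is doubled in the Helm tab, and `weight: 201` repeats the weight used on the "Add a user" page, so the two pages tie on weight in the menu.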

@ -751,11 +751,9 @@ Replace the following:
##### Add users
Finally, to give users access to use `influxctl`, add the list of users to the `spec.package.spec.admin.users` field.
<!-- Pending /admin/users
See [Adding or removing users](/influxdb/clustered/admin/users/) for more details.
-->
Finally, to give users access to use `influxctl`, add the list of users to the
`spec.package.spec.admin.users` field.
See [Manage users](/influxdb/clustered/admin/users/) for more details.
#### Configure the size of your cluster

@ -7,6 +7,8 @@ menu:
name: Use Helm
parent: Configure your cluster
weight: 230
related:
- /influxdb/clustered/admin/users/
---
Manage your InfluxDB Clustered deployments using Kubernetes and apply configuration settings using a YAML configuration file.
@ -816,11 +818,11 @@ Replace the following:
{{% /code-tab-content %}}
{{< /code-tabs-wrapper >}}
##### Adding users
##### Add users
Finally, add all the users you wish to have access to use `influxctl`.
Update the `admin.users` field with a list of these users.
<!-- See [Adding or removing users](/influxdb/clustered/admin/users/) for more details. -->
Finally, add the users you wish to have access to use `influxctl`.
Update the `admin.users` field with a list of the users.
See [Manage users](/influxdb/clustered/admin/users/) for more details.
#### Configure the size of your cluster