diff --git a/assets/styles/layouts/_syntax-highlighting.scss b/assets/styles/layouts/_syntax-highlighting.scss index 6e1e49e06..0e43f6b13 100644 --- a/assets/styles/layouts/_syntax-highlighting.scss +++ b/assets/styles/layouts/_syntax-highlighting.scss @@ -114,6 +114,9 @@ pre[class*="language-"] { .nl, /* Name.Label */ .si /* Literal.String.Interpol */ { color: $article-code-accent4 } + + .gd /* Generic.Deleted strike-through*/ + { text-decoration: line-through; } .m, /* Literal.Number */ .ni, /* Name.Entity */ diff --git a/content/influxdb/clustered/admin/custom-partitions/_index.md b/content/influxdb/clustered/admin/custom-partitions/_index.md index 70c4e14fb..2a39ba30b 100644 --- a/content/influxdb/clustered/admin/custom-partitions/_index.md +++ b/content/influxdb/clustered/admin/custom-partitions/_index.md @@ -7,7 +7,7 @@ description: > menu: influxdb_clustered: parent: Administer InfluxDB Clustered -weight: 103 +weight: 104 influxdb/clustered/tags: [storage] related: - /influxdb/clustered/reference/internals/storage-engine/ diff --git a/content/influxdb/clustered/admin/databases/_index.md b/content/influxdb/clustered/admin/databases/_index.md index 1dbb4a19a..31c6f0a1e 100644 --- a/content/influxdb/clustered/admin/databases/_index.md +++ b/content/influxdb/clustered/admin/databases/_index.md @@ -9,7 +9,7 @@ description: > menu: influxdb_clustered: parent: Administer InfluxDB Clustered -weight: 102 +weight: 103 influxdb/clustered/tags: [databases] --- diff --git a/content/influxdb/clustered/admin/tables/_index.md b/content/influxdb/clustered/admin/tables/_index.md index 991704d89..17c6d9416 100644 --- a/content/influxdb/clustered/admin/tables/_index.md +++ b/content/influxdb/clustered/admin/tables/_index.md @@ -8,7 +8,7 @@ description: > menu: influxdb_clustered: parent: Administer InfluxDB Clustered -weight: 102 +weight: 103 influxdb/clustered/tags: [tables] --- 
diff --git a/content/influxdb/clustered/admin/tokens/_index.md b/content/influxdb/clustered/admin/tokens/_index.md index 26823dfe9..5cd83a97f 100644 --- a/content/influxdb/clustered/admin/tokens/_index.md +++ b/content/influxdb/clustered/admin/tokens/_index.md @@ -8,13 +8,13 @@ description: > menu: influxdb_clustered: parent: Administer InfluxDB Clustered -weight: 102 +weight: 103 influxdb/clustered/tags: [tokens] --- InfluxDB uses token authentication to authorize access to data in your {{< product-name omit=" Clustered" >}} cluster. -There are two types of tokens: +With {{< product-name >}}, there are two types of tokens: - [Database tokens](#database-tokens) - [Management tokens](#management-tokens) diff --git a/content/influxdb/clustered/admin/users/_index.md b/content/influxdb/clustered/admin/users/_index.md index e2e9a2dc7..f08e5ae98 100644 --- a/content/influxdb/clustered/admin/users/_index.md +++ b/content/influxdb/clustered/admin/users/_index.md 
@@ -1,18 +1,32 @@ --- -title: Manage InfluxDB Clustered users +title: Manage users in your InfluxDB cluster description: > - Add or remove users by updating your `myinfluxdb.yml` file and re-applying the configuration. + Manage users with administrative access to your InfluxDB cluster through your + identity provider and your InfluxDB `AppInstance` resource. menu: influxdb_clustered: name: Manage users parent: Administer InfluxDB Clustered -weight: 101 -draft: true +weight: 102 +cascade: + related: + - /influxdb/clustered/install/auth/ + - /influxdb/clustered/install/configure-cluster/ --- -To add or remove users, update the users list in the `myinfluxdb.yml` file. -The users list is found at `spec.package.spec.admin.users`. -After updating the list, re-apply `myinfluxdb.yml`. -To learn how to apply `myinfluxdb.yml`, see [Deploy an InfluxDB cluster](/influxdb/clustered/install/deploy). -After `myinfluxdb.yml` has been applied, updates take a couple of minutes to complete. -When the updates are finished, new users will have been added, and removed users will have been deleted. +Manage users with administrative access to your InfluxDB cluster through your +[identity provider](/influxdb/clustered/install/auth/) and your InfluxDB +`AppInstance` resource. Administrative access lets users perform actions like +creating databases and tokens. + +{{% note %}} +#### Users versus database tokens + +All _users_ have administrative access to your cluster and can perform +administrative actions in your InfluxDB cluster. +_Database tokens_ authorize read and write access to databases in your InfluxDB +cluster. A person or client doesn't need to be a user to read and write data in your cluster, +but they must have a database token. +{{% /note %}} + +{{< children >}} diff --git a/content/influxdb/clustered/admin/users/add.md b/content/influxdb/clustered/admin/users/add.md new file mode 100644 index 000000000..e4ed4859c --- /dev/null 
+++ b/content/influxdb/clustered/admin/users/add.md 
@@ -0,0 +1,347 @@ +--- +title: Add a user to your InfluxDB cluster +list_title: Add a user +description: > + Add a user with administrative access to your InfluxDB cluster through your + identity provider and your InfluxDB `AppInstance` resource. +menu: + influxdb_clustered: + name: Add a user + parent: Manage users +weight: 201 +--- + +Add a user with administrative access to your InfluxDB cluster through your +[identity provider](/influxdb/clustered/install/auth/) and your InfluxDB +`AppInstance` resource: + +1. Use your identity provider to create an OAuth2 account for the user that + needs administrative access to your InfluxDB cluster. + + **Refer to your identity provider's documentation for information about + adding users:** + + - [Keycloak: Creating users {{% icon "export" %}}](https://www.keycloak.org/docs/latest/server_admin/#proc-creating-user_server_administration_guide) + - [Microsoft Entra ID: How to create, invite, and delete users {{% icon "export" %}}](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users) + - [Auth0: Team member management {{% icon "export" %}}](https://auth0.com/docs/get-started/auth0-teams/team-member-management) + +2. Add the user to your InfluxDB `AppInstance` resource. + You can edit your `AppInstance` resource directly in your `myinfluxdb.yml`, + or, if you're using the + [InfluxDB Clustered Helm chart](https://github.com/influxdata/helm-charts/tree/master/charts/influxdb3-clustered), + you can add users to your `values.yaml` to modify your `AppInstance` + resource. Required credentials depend on your identity provider. + + {{< tabs-wrapper >}} +{{% tabs %}} +[AppInstance](#) +[Helm](#) +{{% /tabs %}} + +{{% tab-content %}} + + +If editing your `AppInstance` resource directly, provide values for the +following fields in your `myinfluxdb.yml` configuration file: + +- `spec.package.spec.admin` + - `identityProvider`: Identity provider name. 
+ _If using Microsoft Entra ID (formerly Azure Active Directory), set the name + to `azure`_. + - `jwksEndpoint`: JWKS endpoint provide by your identity provider. + - `users`: List of OAuth2 users to grant administrative access to your + InfluxDB cluster. IDs are provided by your identity provider. + +Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but +other OAuth2 providers should work as well: + +{{< code-tabs-wrapper >}} +{{% code-tabs %}} +[Keycloak](#) +[Auth0](#) +[Microsoft Entra ID](#) +{{% /code-tabs %}} +{{% code-tab-content %}} + +{{% code-callout "keycloak" "green" %}} +{{% code-placeholders "KEYCLOAK_(HOST|REALM|USER_ID)" %}} + +```yaml +apiVersion: kubecfg.dev/v1alpha1 +kind: AppInstance +# ... +spec: + package: + spec: + admin: + identityProvider: keycloak + jwksEndpoint: |- + https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs + users: + # All fields are required but `firstName`, `lastName`, and `email` can be + # arbitrary values. However, `id` must match the user ID provided by Keycloak. + - id: KEYCLOAK_USER_ID + firstName: Marty + lastName: McFly + email: mcfly@influxdata.com +``` + +{{% /code-placeholders %}} +{{% /code-callout %}} + +Replace the following: + +- {{% code-placeholder-key %}}`KEYCLOAK_HOST`{{% /code-placeholder-key %}}: + Host and port of your Keycloak server +- {{% code-placeholder-key %}}`KEYCLOAK_REALM`{{% /code-placeholder-key %}}: + Keycloak realm +- {{% code-placeholder-key %}}`KEYCLOAK_USER_ID`{{% /code-placeholder-key %}}: + Keycloak user ID to grant InfluxDB administrative access to + _(See [Find user IDs with Keycloak](/influxdb/clustered/install/auth/#find-user-ids-with-keycloak))_ + +--- + +{{% /code-tab-content %}} +{{% code-tab-content %}} + +{{% code-callout "auth0" "green" %}} +{{% code-placeholders "AUTH0_(HOST|USER_ID)" %}} + +```yaml +apiVersion: kubecfg.dev/v1alpha1 +kind: AppInstance +# ... 
+spec: + package: + spec: + admin: + identityProvider: auth0 + jwksEndpoint: |- + https://AUTH0_HOST/.well-known/openid-configuration + users: + - AUTH0_USER_ID +``` + +{{% /code-placeholders %}} +{{% /code-callout %}} + +Replace the following: + +- {{% code-placeholder-key %}}`AUTH0_HOST`{{% /code-placeholder-key %}}: + Host and port of your Auth0 server +- {{% code-placeholder-key %}}`AUTH0_USER_ID`{{% /code-placeholder-key %}}: + Auth0 user ID to grant InfluxDB administrative access to + +--- + +{{% /code-tab-content %}} +{{% code-tab-content %}} + +{{% code-callout "azure" "green" %}} +{{% code-placeholders "AZURE_(USER|TENANT)_ID" %}} + +```yaml +apiVersion: kubecfg.dev/v1alpha1 +kind: AppInstance +# ... +spec: + package: + spec: + admin: + identityProvider: azure + jwksEndpoint: |- + https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys + users: + - AZURE_USER_ID +``` + +{{% /code-placeholders %}} +{{% /code-callout %}} + +Replace the following: + +- {{% code-placeholder-key %}}`AZURE_TENANT_ID`{{% /code-placeholder-key %}}: + Microsoft Entra tenant ID +- {{% code-placeholder-key %}}`AZURE_USER_ID`{{% /code-placeholder-key %}}: + Microsoft Entra user ID to grant InfluxDB administrative access to + _(See [Find user IDs with Microsoft Entra ID](/influxdb/clustered/install/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))_ + +--- + +{{% /code-tab-content %}} +{{< /code-tabs-wrapper >}} + + +{{% /tab-content %}} +{{% tab-content %}} + + +If using the InfluxDB Clustered Helm chart, provide values for the following +fields in your `values.yaml`: + +- `admin` + - `identityProvider`: Identity provider name. + _If using Microsoft Entra ID (formerly Azure Active Directory), set the name + to `azure`_. + - `jwksEndpoint`: JWKS endpoint provide by your identity provider. + - `users`: List of OAuth2 users to grant administrative access to your + InfluxDB cluster. IDs are provided by your identity provider. 
+ +Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but +other OAuth2 providers should work as well: + +{{< code-tabs-wrapper >}} +{{% code-tabs %}} +[Keycloak](#) +[Auth0](#) +[Microsoft Entra ID](#) +{{% /code-tabs %}} +{{% code-tab-content %}} + +{{% code-callout "keycloak" "green" %}} +{{% code-placeholders "KEYCLOAK_(HOST|REALM|USER_ID)" %}} + +```yaml +admin: + # The identity provider to be used (such as "keycloak", "auth0", or "azure") + # Note, use "azure" for Azure Active Directory + identityProvider: keycloak + # The JWKS endpoint provided by the Identity Provider + jwksEndpoint: |- + https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs + # The list of users to grant access to Clustered via influxctl + users: + # All fields are required but `firstName`, `lastName`, and `email` can be + # arbitrary values. However, `id` must match the user ID provided by Keycloak. + - id: KEYCLOAK_USER_ID + firstName: Marty + lastName: McFly + email: mcfly@influxdata.com +``` + +{{% /code-placeholders %}} +{{% /code-callout %}} + +Replace the following: + +- {{% code-placeholder-key %}}`KEYCLOAK_HOST`{{% /code-placeholder-key %}}: + Host and port of your Keycloak server +- {{% code-placeholder-key %}}`KEYCLOAK_REALM`{{% /code-placeholder-key %}}: + Keycloak realm +- {{% code-placeholder-key %}}`KEYCLOAK_USER_ID`{{% /code-placeholder-key %}}: + Keycloak user ID to grant InfluxDB administrative access to + +--- + +{{% /code-tab-content %}} +{{% code-tab-content %}} + +{{% code-callout "auth0" "green" %}} +{{% code-placeholders "AUTH0_(HOST|USER_ID)" %}} + +```yaml +admin: + # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc + # Note, use "azure" for Azure Active Directory. 
+ identityProvider: auth0 + # The JWKS endpoint provided by the Identity Provider + jwksEndpoint: |- + https://AUTH0_HOST/.well-known/openid-configuration + # The list of users to grant access to Clustered via influxctl + users: + - AUTH0_USER_ID +``` + +{{% /code-placeholders %}} +{{% /code-callout %}} + +Replace the following: + +- {{% code-placeholder-key %}}`AUTH0_HOST`{{% /code-placeholder-key %}}: + Host and port of your Auth0 server +- {{% code-placeholder-key %}}`AUTH0_USER_ID`{{% /code-placeholder-key %}}: + Auth0 user ID to grant InfluxDB administrative access to + +--- + +{{% /code-tab-content %}} +{{% code-tab-content %}} + +{{% code-callout "azure" "green" %}} +{{% code-placeholders "AZURE_(USER|TENANT)_ID" %}} + +```yaml +admin: + # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc + # Note, use "azure" for Azure Active Directory. + identityProvider: azure + # The JWKS endpoint provided by the Identity Provider + jwksEndpoint: |- + https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys + # The list of users to grant access to Clustered via influxctl + users: + - AZURE_USER_ID +``` + +{{% /code-placeholders %}} +{{% /code-callout %}} + +Replace the following: + +- {{% code-placeholder-key %}}`AZURE_TENANT_ID`{{% /code-placeholder-key %}}: + Microsoft Entra tenant ID +- {{% code-placeholder-key %}}`AZURE_USER_ID`{{% /code-placeholder-key %}}: + Microsoft Entra user ID to grant InfluxDB administrative access to + _(See [Find user IDs with Microsoft Entra ID](/influxdb/clustered/install/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))_ + +--- + +{{% /code-tab-content %}} +{{< /code-tabs-wrapper >}} + + +{{% /tab-content %}} + {{< /tabs-wrapper >}} + +3. Apply the change to your InfluxDB cluster. + + - If updating the `AppInstance` resource directly, use `kubectl` to apply + the change. + - If using the InfluxDB Clustered Helm chart, use `helm` to apply the change. 
+ + {{< code-tabs-wrapper >}} +{{% code-tabs %}} +[kubectl](#) +[Helm](#) +{{% /code-tabs %}} +{{% code-tab-content %}} + + + +```bash +kubectl apply \ + --filename myinfluxdb.yml \ + --namespace influxdb +``` + +{{% /code-tab-content %}} +{{% code-tab-content %}} + + + +```bash +helm upgrade \ + influxdb \ + influxdata/influxdb3-clustered \ + -f ./values.yaml \ + --namespace influxdb +``` + +{{% /code-tab-content %}} + {{< /code-tabs-wrapper >}} + +Once applied, the added user is granted administrative access to your InfluxDB +cluster and can use `influxctl` to perform administrative actions. +See [Set up Authorization--Configure influxctl](/influxdb/clustered/install/auth/#configure-influxctl) +for information about configuring the new user's `influxctl` client to communicate +and authenticate with your InfluxDB cluster's identity provider. diff --git a/content/influxdb/clustered/admin/users/remove.md b/content/influxdb/clustered/admin/users/remove.md new file mode 100644 index 000000000..2c36ceb61 --- /dev/null +++ b/content/influxdb/clustered/admin/users/remove.md 
@@ -0,0 +1,131 @@ +--- +title: Remove a user from your InfluxDB cluster +list_title: Remove a user +description: > + Remove a user with administrative access from your InfluxDB cluster. +menu: + influxdb_clustered: + name: Remove a user + parent: Manage users +weight: 201 +--- + +Remove a user with administrative access from your InfluxDB cluster: + +1. Remove or deactivate the user in your identity provider. + + **Refer to your identity provider's documentation for information about + removing users:** + + - [Keycloak: Deleting a user {{% icon "export" %}}](https://www.keycloak.org/docs/latest/server_admin/#proc-deleting-user_server_administration_guide) + - [Microsoft Entra ID: How to create, invite, and delete users {{% icon "export" %}}](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#delete-a-user) + - [Auth0: Team member management {{% icon "export" %}}](https://auth0.com/docs/get-started/auth0-teams/team-member-management#delete-an-existing-team-member) + +2. Remove the user from your InfluxDB `AppInstance` resource. + You can edit your `AppInstance` resource directly in your `myinfluxdb.yml`, + or, if you're using the + [InfluxDB Clustered Helm chart](https://github.com/influxdata/helm-charts/tree/master/charts/influxdb3-clustered), + you can remove users from your `values.yaml` to modify your `AppInstance` + resource. + + {{< tabs-wrapper >}} +{{% tabs %}} +[AppInstance](#) +[Helm](#) +{{% /tabs %}} + +{{% tab-content %}} + + +If editing your `AppInstance` resource directly, remove the user from the list +of users in the `spec.package.spec.admin.users` field in your `myinfluxdb.yml` +configuration file--for example: + +```diff +apiVersion: kubecfg.dev/v1alpha1 +kind: AppInstance +# ... +spec: + package: + spec: + admin: + # ... 
+ users: + - id: XXooXoXXooXXXoo1 + firstName: Marty + lastName: McFly + email: mcfly@influxdata.com +- - id: XXooXoXXooXXXoo2 +- firstName: John +- lastName: Doe +- email: j.doe@influxdata.com +``` + + +{{% /tab-content %}} +{{% tab-content %}} + + +If using the InfluxDB Clustered Helm chart, remove the user from the list of +users in the `admin.users` field in your in your `values.yaml`--for example: + +```diff +admin: + # ... + users: + - id: XXooXoXXooXXXoo1 + firstName: Marty + lastName: McFly + email: mcfly@influxdata.com +- - id: XXooXoXXooXXXoo2 +- firstName: John +- lastName: Doe +- email: j.doe@influxdata.com +``` + + +{{% /tab-content %}} + {{< /tabs-wrapper >}} + +3. Apply the change to your InfluxDB cluster. + + - If updating the `AppInstance` resource directly, use `kubectl` to apply + the change. + - If using the InfluxDB Clustered Helm chart, use `helm` to apply the change. + + {{< code-tabs-wrapper >}} +{{% code-tabs %}} +[kubectl](#) +[Helm](#) +{{% /code-tabs %}} +{{% code-tab-content %}} + + + +```bash +kubectl apply \ + --filename myinfluxdb.yml \ + --namespace influxdb +``` + +{{% /code-tab-content %}} +{{% code-tab-content %}} + + + +```bash +helm upgrade \ + influxdb \ + influxdata/influxdb3-clustered \ + -f ./values.yaml \ + --namespace influxdb +``` + +{{% /code-tab-content %}} + {{< /code-tabs-wrapper >}} + +{{% note %}} +After you complete step 1 above, the removed user no longer has administrative +access to your InfluxDB cluster. +However, you should still remove them from your `AppInstance` resource. +{{% /note %}} diff --git a/content/influxdb/clustered/install/configure-cluster/directly.md b/content/influxdb/clustered/install/configure-cluster/directly.md index 1b8f622aa..fca4952d4 100644 --- a/content/influxdb/clustered/install/configure-cluster/directly.md +++ b/content/influxdb/clustered/install/configure-cluster/directly.md 
@@ -751,11 +751,9 @@ Replace the following: ##### Add users -Finally, to give users access to use `influxctl`, add the list of users to the `spec.package.spec.admin.users` field. - - +Finally, to give users access to use `influxctl`, add the list of users to the +`spec.package.spec.admin.users` field. +See [Manage users](/influxdb/clustered/admin/users/) for more details. #### Configure the size of your cluster diff --git a/content/influxdb/clustered/install/configure-cluster/use-helm.md b/content/influxdb/clustered/install/configure-cluster/use-helm.md index a4717ca15..e85c4acb3 100644 --- a/content/influxdb/clustered/install/configure-cluster/use-helm.md +++ b/content/influxdb/clustered/install/configure-cluster/use-helm.md @@ -7,6 +7,8 @@ menu: name: Use Helm parent: Configure your cluster weight: 230 +related: + - /influxdb/clustered/admin/users/ --- Manage your InfluxDB Clustered deployments using Kubernetes and apply configuration settings using a YAML configuration file. @@ -816,11 +818,11 @@ Replace the following: {{% /code-tab-content %}} {{< /code-tabs-wrapper >}} -##### Adding users +##### Add users -Finally, add all the users you wish to have access to use `influxctl`. -Update the `admin.users` field with a list of these users. - +Finally, add the users you wish to have access to use `influxctl`. +Update the `admin.users` field with a list of the users. +See [Manage users](/influxdb/clustered/admin/users/) for more details. #### Configure the size of your cluster
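Review bot: In `assets/styles/layouts/_syntax-highlighting.scss`, the new `.gd` rule sits inside `pre[class*="language-"]`, so every deleted line in every highlighted `diff` block site-wide is struck through, not only the two `diff` examples added in `remove.md`. If that is intended, say so in the commit message. The comment `/* Generic.Deleted strike-through*/` is also missing the space before `*/` that the neighbouring `/* Name.Label */` comments have.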
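Review bot: After the weight bumps, `databases/_index.md`, `tables/_index.md` and `tokens/_index.md` all carry `weight: 103`, so their order under "Administer InfluxDB Clustered" depends on how the site generator breaks ties. Since this patch already renumbers the section (`users` 102, `custom-partitions` 104), give each page a distinct weight so the menu order is explicit.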
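Review bot: In `admin/users/_index.md`, the "Users versus database tokens" note contrasts users only with database tokens, while `tokens/_index.md` in this same patch lists two token types (database tokens and management tokens). Say where management tokens fit relative to a user's administrative access, and link the note to `/influxdb/clustered/admin/tokens/` so the distinction can be followed up.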
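Review bot: In `admin/users/add.md`, both Auth0 examples (AppInstance and Helm tabs) set `jwksEndpoint` to `https://AUTH0_HOST/.well-known/openid-configuration`, which is an OpenID Connect discovery URL, whereas the Keycloak (`.../protocol/openid-connect/certs`) and Entra (`.../discovery/v2.0/keys`) examples point at key-set URLs. Please confirm the field accepts a discovery document, or change the example to the provider's JWKS URL. The `users` entries are also inconsistent: the Keycloak example uses objects with `id`, `firstName`, `lastName` and `email` and states that all fields are required, while the Auth0 and Entra examples list a bare ID. Finally, "JWKS endpoint provide by" should read "provided by" in both tabs, and the Helm-tab Keycloak placeholder list lacks the "Find user IDs with Keycloak" link that the AppInstance tab has.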
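Review bot: In `admin/users/remove.md`, the closing note says the user loses administrative access once step 1 is complete, but it does not say whether a token issued before the removal is still accepted until it expires. It also gives no reason why the `AppInstance` entry should still be removed. Both matter to someone offboarding an administrator, so state the expected behaviour and the reason (for example, that a stale ID should not stay in the admin list). Smaller points: "in your in your `values.yaml`" in the Helm tab repeats words, and `weight: 201` is the same weight as `add.md`, so the two child pages have no defined order.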
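Review bot: In the "Add users" sections of `install/configure-cluster/directly.md` and `use-helm.md`, the text still describes the list as giving users "access to use `influxctl`". The new `admin/users/_index.md` states that all users have administrative access to the cluster. Say so here too, so readers filling in `spec.package.spec.admin.users` or `admin.users` at install time know what they are granting. In `use-helm.md`, "add the users you wish to have access to use `influxctl`" would read better as "add the users who need to use `influxctl`".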