QueryFluxNode unauthorized access error

I’m trying to use the QueryFluxNode (QueryFluxNode | Kapacitor 1.6 Documentation) in a tick script, however, i’m getting the following in the kapacitor log: ts=2023-03-18T22:24:16.236-05:00 lvl=error msg="error executing query" service=kapacitor task_master=main task=flux-test node=queryFlux1 err="unauthorized access"

i developed the flux script through chronograf and then copied and pasted into the batch, so i don’t think there is a problem with the script.

where do i need to setup access so these queries can work? I am able to use influxql via batch queries, just not the flux ones (i went through and setup access to get my influxql queries to work as described here: How to configure kapacitor v.1.5 to influxdb 2.0 with token ? · Issue #2476 · influxdata/kapacitor · GitHub)


Hello @izenn,
Have you followed

Also may I ask, why are you using kapacitor with Flux for tasks? Can you upgrade? It honestly might be easier.

Yes, i did go through that and still got the unauthorized access error when trying to use those instructions in a tick script and it does not look like a flux task through kapacitor can email either (did i miss something?)
in the batch query i tried:
token: v1mapped/password
token: v2user/password
token: v2user/token
token: v2token only

I believe that I need to do a tickscript batch that calls the QueryFluxNode that uses the flux i built so i can customize the email that is sent. (please correct me if i am wrong and am able to customize the email that will be sent in the fluxtask)

basically what i need is:
query using flux
check to see if warning/critical
send email with custom body (basically using variables setup in the beginning of the script and from the data pulled via the query)
keep track of if the severity changes

i’d love to upgrade, however influxdb alerts do not support smtp and using a http mail relay is not possible since this monitoring is happening in an air gapped environment.

i guess absolute worst case scenario would be to put the flux query into an influx task and then use kapacitor to do an influxql query, get the output from that and then email, but i would really prefer to have everything in one spot. especially since according to the documentation, it looks like the functionality should be there (or was that just for the 1.x version of influxdb?)


Hello @izenn,
You can use kapacitor witn 2.x:

I understand you can use kapacitor with influxdb 2.x and have tested that kapacitor works by doing influxql batch queries, what i am trying to do is use the tick node QueryFluxNode so that i can do batch queries using flux directly from my tick scripts in kapacitor.

when i go through the documentation there is nothing on what needs to be done to configure kapacitor to be able to use QueryFluxNode. there is documentation for influxql (the v1 api mappings) and flux tasks (the config section in kapacitor.conf) but that seems to be it.

I didn’t think you had to configure aything in kapacitor just make sure you have the correct version. 1.6+ I believe

yes, what you just linked is exactly what i linked in my original post. If there is no additional configuration needed, then why am i getting access denied? I am going through localhost (so no firewall) and i have been able to prove that kapacitor can communicate with the influxdb without issues when executing an influxql command. Something is missing, i just can’t figure out what/where.

i’ve narrowed the issue down to how kapacitor is trying to authenticate when trying to do the batch flux query. from the CLI i am able to do the flux query, but i have to use the v2 token otherwise i get the same error that i get through kapacitor. is it possible that the kapacitor queryfluxnode is incompatible???

here’s some more info. Using tcpdump and wireshark, i was able to see that the node was trying to talk to influxdb using an http request pointing to http://localhost:8086/api/v2/query?orgID=xxxxxxxx

i have been able to replicate the “unauthorized access” via the command line like this:
curl --get "http://localhost:8086/api/v2/signin" --user "admin" (it prompts for password – i used the same one i use to log in to the influxdb admin page). Just in case, i did use influx user password to set a new password for that user, but that did do anything.

looking back, it looks like there used to be a config stanza for influxdb:

  enabled = true
  bind-address = ":8086"
  auth-enabled = true

however, when i look at influx server-config auth-enabled (which looks like it would have been renamed to http-auth-enabled) does not seem to exist

SUCCESS! it turns out that /etc/kapacitor/kapacitor.conf does not comment every option that is available.

after going through the source code for kapacitor, i noticed that there should be a way to get tokens to work for v2, but i did not see anything in the config file. i ended up finding the documentation for the kapacitor config file here: Configure Kapacitor | Kapacitor 1.6 Documentation which had this in the influxdb config section:

  # To connect to InfluxDB OSS 2.x or InfluxDB Cloud, 
  # use the following configuration:
  enabled = true
  default = true
  name = "localhost"
  urls = ["http://localhost:8086"]
  token = ""
  timeout = 0 

the only difference between the 1.x and 2.x is that username/password are commented out and token is put in. Once i made that change and restarted kapacitor, the batch queries using flux started working no problem.