Unable to create operator token

Issue Summary
Current installation of InfluxDB2 does not have an operator token / root authorization token. Have tried the following command line option: influx auth create --operator and received the following message:

Error: could not write auth with provided arguments: 403 Forbidden: permission read:authorizations is not allowed: read:authorizations is unauthorized

Tried the recovery method using the following commands:

root@influxdb:/# influx config set --config-name default --active
Active  Name    URL                     Org
*       default http://localhost:8086   instantdreams
root@influxdb:/# influx org list
ID                      Name
b962535ddb0d5f55        instantdreams
root@influxdb:/# influx user list
ID                      Name
0aa65c66faa7d000        admin
root@influxdb:/# influxd recovery auth create-operator --username admin --org instantdreams --bolt-path /var/lib/influxdb2/influxdb.bolt
2024-12-09T18:17:36.514759Z     info    Resources opened        {"log_id": "0tNA5~~0000", "system": "bolt-kvstore", "path": "/var/lib/influxdb2/influxdb.bolt"}
Error: bucket "authorizationsv1": bucket not found

When searching for this issue there are a number of suggestions, all of which do not seem to resolve the problem.

Version Details

  • Host: Debian 6.1.112-1 (2024-09-30) x86_64 GNU/Linux
  • Docker: 27.3.1, build ce12230
  • Docker Compose: v2.29.7
  • InfluxDB: InfluxDB v2.7.11 (git: fbf5d4ab5e) build_date: 2024-12-02T17:48:15Z
  • InfluxDB2 CLI: Influx CLI dev (git: a79a2a1b82[…] build_date: 2024-04-16T14:34:32Z

Configuration Details
compose.yaml content:

services:
  influxdb:
    image: influxdb:latest
    container_name: influxdb
    ports:
      - 8086:8086 # web ui
    env_file:
      - .env
    volumes:
      - /srv/influxdb/data:/var/lib/influxdb2
      - /srv/influxdb/config:/etc/influxdb2
      - /srv/influxdb/backup:/var/lib/backup
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

.env content:

DOCKER_INFLUXDB_INIT_MODE=setup
DOCKER_INFLUXDB_INIT_USERNAME=[username]
DOCKER_INFLUXDB_INIT_PASSWORD=[password]
DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=[token]
DOCKER_INFLUXDB_INIT_ORG=[org]
DOCKER_INFLUXDB_INIT_BUCKET=[bucket]

Note that the [token] provided is the same as the admin token for the default org, instantdreams, and is not an operator token.

Configuration details:

root@influxdb:/# influx config list
Active  Name            URL                     Org
*       default         http://localhost:8086   instantdreams
        homeassistant   http://localhost:8086   homeassistant
        scrutiny        http://localhost:8086   scrutiny

Org instantdreams auth details:

root@influxdb:/# influx auth list
ID                      Description     Token                                                                                           User Name       User ID                     Permissions
0acbf650a257e000        instantdreams   [redacted]        admin           0aa65c66faa7d000    [read:orgs/b962535ddb0d5f55/annotations write:orgs/b962535ddb0d5f55/annotations read:orgs/b962535ddb0d5f55/authorizations write:orgs/b962535ddb0d5f55/authorizations read:orgs/b962535ddb0d5f55/buckets write:orgs/b962535ddb0d5f55/buckets read:orgs/b962535ddb0d5f55/checks write:orgs/b962535ddb0d5f55/checks read:orgs/b962535ddb0d5f55/dashboards write:orgs/b962535ddb0d5f55/dashboards read:orgs/b962535ddb0d5f55/dbrp write:orgs/b962535ddb0d5f55/dbrp read:orgs/b962535ddb0d5f55/documents write:orgs/b962535ddb0d5f55/documents read:orgs/b962535ddb0d5f55/labels write:orgs/b962535ddb0d5f55/labels read:orgs/b962535ddb0d5f55/notebooks write:orgs/b962535ddb0d5f55/notebooks read:orgs/b962535ddb0d5f55/notificationEndpoints write:orgs/b962535ddb0d5f55/notificationEndpoints read:orgs/b962535ddb0d5f55/notificationRules write:orgs/b962535ddb0d5f55/notificationRules read:/orgs/b962535ddb0d5f55 read:orgs/b962535ddb0d5f55/remotes write:orgs/b962535ddb0d5f55/remotes read:orgs/b962535ddb0d5f55/replications write:orgs/b962535ddb0d5f55/replications read:orgs/b962535ddb0d5f55/scrapers write:orgs/b962535ddb0d5f55/scrapers read:orgs/b962535ddb0d5f55/secrets write:orgs/b962535ddb0d5f55/secrets read:orgs/b962535ddb0d5f55/sources write:orgs/b962535ddb0d5f55/sources read:orgs/b962535ddb0d5f55/tasks write:orgs/b962535ddb0d5f55/tasks read:orgs/b962535ddb0d5f55/telegrafs write:orgs/b962535ddb0d5f55/telegrafs read:/users/0aa65c66faa7d000 write:/users/0aa65c66faa7d000 read:orgs/b962535ddb0d5f55/variables write:orgs/b962535ddb0d5f55/variables read:orgs/b962535ddb0d5f55/views write:orgs/b962535ddb0d5f55/views]

Org homeassistant auth details:

root@influxdb:/# influx config set --config-name homeassistant --active
Active  Name            URL                     Org
*       homeassistant   http://localhost:8086   homeassistant
root@influxdb:/# influx auth list
ID                      Description     Token                                                                                           User Name       User ID                     Permissions
0c395d1b25697000        Home Assistant  [redacted]        admin           0aa65c66faa7d000    [read:orgs/31766a4bc0dce764/annotations write:orgs/31766a4bc0dce764/annotations read:orgs/31766a4bc0dce764/authorizations write:orgs/31766a4bc0dce764/authorizations read:orgs/31766a4bc0dce764/buckets write:orgs/31766a4bc0dce764/buckets read:orgs/31766a4bc0dce764/checks write:orgs/31766a4bc0dce764/checks read:orgs/31766a4bc0dce764/dashboards write:orgs/31766a4bc0dce764/dashboards read:orgs/31766a4bc0dce764/dbrp write:orgs/31766a4bc0dce764/dbrp read:orgs/31766a4bc0dce764/documents write:orgs/31766a4bc0dce764/documents read:orgs/31766a4bc0dce764/labels write:orgs/31766a4bc0dce764/labels read:orgs/31766a4bc0dce764/notebooks write:orgs/31766a4bc0dce764/notebooks read:orgs/31766a4bc0dce764/notificationEndpoints write:orgs/31766a4bc0dce764/notificationEndpoints read:orgs/31766a4bc0dce764/notificationRules write:orgs/31766a4bc0dce764/notificationRules read:/orgs/31766a4bc0dce764 read:orgs/31766a4bc0dce764/remotes write:orgs/31766a4bc0dce764/remotes read:orgs/31766a4bc0dce764/replications write:orgs/31766a4bc0dce764/replications read:orgs/31766a4bc0dce764/scrapers write:orgs/31766a4bc0dce764/scrapers read:orgs/31766a4bc0dce764/secrets write:orgs/31766a4bc0dce764/secrets read:orgs/31766a4bc0dce764/sources write:orgs/31766a4bc0dce764/sources read:orgs/31766a4bc0dce764/tasks write:orgs/31766a4bc0dce764/tasks read:orgs/31766a4bc0dce764/telegrafs write:orgs/31766a4bc0dce764/telegrafs read:/users/0aa65c66faa7d000 write:/users/0aa65c66faa7d000 read:orgs/31766a4bc0dce764/variables write:orgs/31766a4bc0dce764/variables read:orgs/31766a4bc0dce764/views write:orgs/31766a4bc0dce764/views]

Org scrutiny auth details:

root@influxdb:/# influx config set --config-name scrutiny --active
Active  Name            URL                     Org
*       scrutiny        http://localhost:8086   scrutiny
root@influxdb:/# influx auth list
ID                      Description     Token                                                                                           User Name       User ID                     Permissions
0acbf131b397e000        Scrutiny        [redacted]        admin           0aa65c66faa7d000    [read:orgs/36b6c4934c44d5be/annotations write:orgs/36b6c4934c44d5be/annotations read:orgs/36b6c4934c44d5be/authorizations write:orgs/36b6c4934c44d5be/authorizations read:orgs/36b6c4934c44d5be/buckets write:orgs/36b6c4934c44d5be/buckets read:orgs/36b6c4934c44d5be/checks write:orgs/36b6c4934c44d5be/checks read:orgs/36b6c4934c44d5be/dashboards write:orgs/36b6c4934c44d5be/dashboards read:orgs/36b6c4934c44d5be/dbrp write:orgs/36b6c4934c44d5be/dbrp read:orgs/36b6c4934c44d5be/documents write:orgs/36b6c4934c44d5be/documents read:orgs/36b6c4934c44d5be/labels write:orgs/36b6c4934c44d5be/labels read:orgs/36b6c4934c44d5be/notebooks write:orgs/36b6c4934c44d5be/notebooks read:orgs/36b6c4934c44d5be/notificationEndpoints write:orgs/36b6c4934c44d5be/notificationEndpoints read:orgs/36b6c4934c44d5be/notificationRules write:orgs/36b6c4934c44d5be/notificationRules read:/orgs/36b6c4934c44d5be read:orgs/36b6c4934c44d5be/remotes write:orgs/36b6c4934c44d5be/remotes read:orgs/36b6c4934c44d5be/replications write:orgs/36b6c4934c44d5be/replications read:orgs/36b6c4934c44d5be/scrapers write:orgs/36b6c4934c44d5be/scrapers read:orgs/36b6c4934c44d5be/secrets write:orgs/36b6c4934c44d5be/secrets read:orgs/36b6c4934c44d5be/sources write:orgs/36b6c4934c44d5be/sources read:orgs/36b6c4934c44d5be/tasks write:orgs/36b6c4934c44d5be/tasks read:orgs/36b6c4934c44d5be/telegrafs write:orgs/36b6c4934c44d5be/telegrafs read:/users/0aa65c66faa7d000 write:/users/0aa65c66faa7d000 read:orgs/36b6c4934c44d5be/variables write:orgs/36b6c4934c44d5be/variables read:orgs/36b6c4934c44d5be/views write:orgs/36b6c4934c44d5be/views]

Resources Used

Additional Steps

  1. Install boltbrowser binary:
    wget https://github.com/br0xen/boltbrowser/releases/download/2.2/boltbrowser.linux64
    chmod +x boltbrowser.linux64
    
  2. Create a copy of influxdb.bolt and edit with boltbrowser:
    cp data/influxd.bolt influxd.bolt
    ./boltbrowser.linux64 influxd.bolt
    
  3. Edit according to russorat’s instructions on GitHub but no operator entry found to add the details

Help Request
At this point I’m stuck - I think I’ve explored all the usual options but cannot connect the dots to the last bit I need to generate an operator token in a configuration that lacks an authorizationsv1 entry for Admin’s token.

What am I missing here?

Hello @instantdreams,
Thanks for providing so much detail and for trying various options.
I’m asking around, thanks for your patience.

@instantdreams
I know you used influxd recovery auth create-operator, but I’m wondering if you are able to try the following please:

  1. Stop influxd
  2. Run influxd recovery auth create-operator --org example-org --username example-user to generate a new operator token. If he’s using a non-default installation of InfluxDB, he’ll also need to provide the filepath of his boltdb using the --bolt-path flag.
  3. Store the newly generated operator token securely.
  4. Restart influxd
  5. Attempt to authorize with InfluxDB using the new operator token.

Thanks!!

This might relate to Best practice of stopping InfluxDB inside a docker container without stopping the container. I would be happy to try this. I’ve installed InfluxDB2 using the standard docker compose instructions.

I access my container shell using docker exec -it influxdb bash. What command would I run inside the container to stop influxd? I’ve tried the following:

$ docker exec -it influxdb bash
root@influxdb:/# sudo service influxd stop
bash: sudo: command not found
root@influxdb:/# service influxd stop
influxd: unrecognized service
root@influxdb:/# systemctl stop influxdb
bash: systemctl: command not found
root@influxdb:/# influxd stop
Error: unknown command "stop" for "influxd"
See 'influxd -h' for help

I’ll absolutely try to run this if I can just stop influxd in the docker container.

I tried the following, just in case:

$ docker compose down
[+] Running 1/1
 ✔ Container influxdb  Removed                                                                                                                         0.4s
$ docker exec influxdb influxd recovery auth create-operator --org instantdreams --username admin
Error response from daemon: No such container: influxdb
$ docker compose up --detach
[+] Running 1/1
 ✔ Container influxdb  Started 

I feel the answer will likely involve something like docker run --rm --entrypoint /bin/bash influxdb:latest influxd recovery auth create-operator --org instantdreams --username but I hope you and the team can assist me.

Just following up to see if there is any update on this issue - how do I stop influxd within my docker container?

Now that the winter break is over, any chance this could be reviewed?

Checking to see if there is any direction from the team on how to stop influxdb from within a running docker container.

@instantdreams You should be able to exec into the container and kill the process from inside:

# open a shell session inside of your docker container
docker exec -it <container-id> sh

# From inside your Docker container, find the influxd process
ps aux | grep [i]nfluxd

# Use the influxd process ID (PID) and kill the influxd process
kill <influxd-PID>

You should then be able to run the recovery commands while you’re still in the container.

Unfortunately it looks like ps isn’t part of the base image for influx:

$ docker exec -it influxdb bash
root@influxdb:/# ps aux | grep [i]nfluxd
bash: ps: command not found
root@influxdb:/#

I tried a few alternative commands:

root@influxdb:/# ps
bash: ps: command not found
root@influxdb:/# top
bash: top: command not found
root@influxdb:/# htop
bash: htop: command not found
root@influxdb:/# procs
bash: procs: command not found

None were included in the image, and I couldn’t install them:

root@influxdb:/# apt install ps
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package ps
root@influxdb:/# apt install top
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package top
root@influxdb:/# apt install htop
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package htop
root@influxdb:/# apt install procs
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package procs
root@influxdb:/# 

…which is good, because we want the image to restrict people adding things. Any idea how I could get around this?

@scott @Anaisdg Just checking in to see if there is any more progress with being able to stop the influxdb process inside a running docker container. I just retried using shell rather than bash with the same result:

$ docker exec -it influxdb sh
# ps
sh: 1: ps: not found
# ps aux
sh: 2: ps: not found
# top
sh: 3: top: not found
# htop
sh: 4: htop: not found
# procs
sh: 5: procs: not found
# proc
sh: 6: proc: not found
# apt install ps
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package ps
#

Any direction is most welcome!
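
Added example (not written by any poster in this thread and not InfluxDB project code): when the image ships without ps, the influxd PID can be read straight from /proc using only shell builtins. The function names and the proc_root parameter are hypothetical; proc_root exists only so the logic can be run against a constructed directory tree.

```sh
#!/bin/sh
# Added example: locate a process by name without ps, using only shell builtins.
# proc_root (default /proc) is a hypothetical parameter for testing on a constructed tree.

# Print one PID per line for every process whose comm equals $1.
# /proc/<pid>/comm holds the executable name, truncated to 15 characters.
find_pids_by_name() {
    name=$1
    proc_root=${2:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        comm=
        # A process may exit between the glob and the read; skip it quietly.
        { IFS= read -r comm < "$dir/comm"; } 2>/dev/null || continue
        if [ "$comm" = "$name" ]; then
            printf '%s\n' "${dir##*/}"
        fi
    done
}

# Classify each match before signalling it: PID 1 is the container's init
# process, and the container stops when that process exits.
plan_stop() {
    find_pids_by_name "$1" "${2:-/proc}" | while IFS= read -r pid; do
        if [ "$pid" = 1 ]; then
            printf '%s container-init\n' "$pid"
        else
            printf '%s child\n' "$pid"
        fi
    done
}

# Usage inside the container (this script sends no signal itself):
#   plan_stop influxd
#   kill -TERM <pid>      # only for a PID reported as "child"
plan_stop influxd
```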