[InfluxDBv2] Admin Token via DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE env var is not set in the container causing authorization errors

[shantanoo-desai]

Description

For a configuration that loads the init values via files as mentioned below:

services:
  influxdbv2:
    image: docker.io/influxdb:2.6-alpine
    container_name: influxdbv2
    environment:
      - DOCKER_INFLUXDB_INIT_MODE=setup
      - DOCKER_INFLUXDB_INIT_ORG=${DOCKER_INFLUXDB_INIT_ORG}
      - DOCKER_INFLUXDB_INIT_BUCKET=${DOCKER_INFLUXDB_INIT_BUCKET}
      - DOCKER_INFLUXDB_INIT_RETENTION=${DOCKER_INFLUXDB_INIT_RETENTION}
      - DOCKER_INFLUXDB_INIT_USERNAME_FILE=/run/secrets/influxdbv2_admin_username
      - DOCKER_INFLUXDB_INIT_PASSWORD_FILE=/run/secrets/influxdbv2_admin_password
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE=/run/secrets/influxdbv2_admin_token
      - INFLUXD_LOG_LEVEL=debug
    secrets:
      - source: influxdbv2_admin_username
        mode: 0444
      - source: influxdbv2_admin_password
        mode: 0444
      - source: influxdbv2_admin_token
        mode: 0444
    security_opt:
      - "no-new-privileges=true"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

secrets:
  influxdbv2_admin_username:
    environment: INFLUXDBV2_ADMIN_USERNAME
  influxdbv2_admin_password:
    environment: INFLUXDBV2_ADMIN_PASSWORD
  influxdbv2_admin_token:
    environment: INFLUXDBV2_ADMIN_TOKEN  

And the respective .env file:

# InfluxDBv2 Admin Credentials
INFLUXDBV2_ADMIN_USERNAME=admin
INFLUXDBV2_ADMIN_PASSWORD=testInfluxDB
INFLUXDBV2_ADMIN_TOKEN=testtoken
DOCKER_INFLUXDB_INIT_ORG=komponistorg
DOCKER_INFLUXDB_INIT_BUCKET=komponistdb
DOCKER_INFLUXDB_INIT_RETENTION=7d

It is rather strange that when the container is brought up and one accesses the shell using:

docker compose exec -it influxdbv2 sh

The output of the DOCKER_INFLUXDB_INIT_ADMIN_TOKEN is empty. Assuming the value is unset after the entrypoint.sh is executed I perform some other checks:

1. Check whether the /run/secrets/influxdbv2_admin_token has the token value, which it has

2. Use this Admin token within the container to query the auth lists using:

   curl -XGET "http://localhost:8086/api/v2/authorizations" \ 
         --header "Authorization: Token testtoken" \
         --header "Content-type: application/json"
   
     {"code":"unauthorized","message":"unauthorized access"}

Tests with Telegraf

I pass the admin token to the Output Plugin for InfluxDBv2 to try writing to the init bucket and I get authorization errors even though the ADMIN_TOKEN is the exact same.

Inference

I am almost certain that the ADMIN_TOKEN_FILE is unable to set the user-specified token because when I replace the DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE with DOCKER_INFLUXDB_INIT_ADMIN_TOKEN and set the value directly I can query the auth list query via curl and my Telegraf plugin is able to insert the values into the init bucket with any errors.

Please let me know if you need more reproduction proof.

(cc @powersj This can be the reason for users complaining about Authorization Errors)

[shantanoo-desai]

Reproduction

This GitHub Gist can be used to reproduce the error: https://gist.github.com/shantanoo-desai/291052ae8c118add9b5784a8c793e281

(you can also clone the Gist via git)

Logs

[jstirnaman]

Using image: influxdb:2, DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE seems to work as expected--for example, using the following Compose file:

# Compose configuration
name: influxdata-docs
secrets:
  influxdb2-admin:
    file: ~/.env.influxdb2-admin
  influxdb2-admin-pwd:
    file: ~/.env.influxdb2-admin-pwd
  influxdb2-admin-token:
    file: ~/.env.influxdb2-admin-token 
services:
  influxdb2:
    image: influxdb:2
    ports:
      - 8086:8086
    environment:
      DOCKER_INFLUXDB_INIT_MODE: setup
      DOCKER_INFLUXDB_INIT_USERNAME_FILE: /run/secrets/influxdb2-admin 
      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb2-admin-pwd 
      DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE: /run/secrets/influxdb2-admin-token
      DOCKER_INFLUXDB_INIT_ORG: docs 
      DOCKER_INFLUXDB_INIT_BUCKET: home 
    profiles:
      - v2
      - local 
    secrets:
      - influxdb2-admin
      - influxdb2-admin-pwd
      - influxdb2-admin-token
    volumes:
      - type: bind
        source: ./init_custom.sh
        target: /docker-entrypoint-initdb.d/init_custom.sh
      - type: volume
        source: influxdb2-data
        target: /var/lib/influxdb2
      - type: volume
        source: influxdb2-config
        target: /etc/influxdb2

And providing the same token value in a curl request to /api/v2/:

> cat ~/.env.influxdb2-admin-token | xargs -I TOKEN curl -v -XGET "http://localhost:8086/api/v2/authorizations" \
      --header "Authorization: Token TOKEN" \
      --header "Content-type: application/json"

The output is the following:

Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:8086 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8086...
* Connected to localhost (::1) port 8086
> GET /api/v2/authorizations HTTP/1.1
> Host: localhost:8086
> User-Agent: curl/8.6.0
> Accept: */*
> Authorization: Token MyAdminToken123
> Content-type: application/json
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< X-Influxdb-Build: OSS
< X-Influxdb-Version: v2.7.6
< Date: Fri, 26 Jul 2024 16:31:02 GMT
< Transfer-Encoding: chunked
...

[shantanoo-desai]

Update

can confirm the problem seems to be solved in version: 2.7. Closing the issue.