Add Basic Authentication documentation and enhance InfluxDB migration auth guide #255
Conversation
…uxDB migration guide
|
|
|
Hi, @javier, Please Check and Merge My Commit. |
|
Thanks, @KanavCode . I would need the contributor agreement signed. Otherwise the automation doesn't allow me to preview and approve |
Yeah, Please Do. |
Did you sign the CLA? The CLAAssistant comment above failed to verify it |
Yupp, Done 👍 |
|
|
||
| HTTP Basic Authentication provides a simple method to secure access to QuestDB's HTTP endpoints, including the REST API, Web Console, and Health Check endpoints. | ||
|
|
||
| This authentication method requires users to provide a username and password with each request, making it ideal for development environments and simple production setups. |
There was a problem hiding this comment.
I would refrain from recommending this for production. Basic auth sends everything unencrypted, so it is very unsafe unless you have a proxy with TLS, which would be out of the scope of this guide
There was a problem hiding this comment.
I would move the note you have below about enterprise to this point instead
| - **Web Console Access Control**: Protect the web console interface | ||
| - **Health Check Security**: Optional authentication for monitoring endpoints | ||
| - **Client Library Integration**: Built-in support across all QuestDB client libraries | ||
| - **Multiple User Support**: Configure different users with varying access levels |
There was a problem hiding this comment.
This is misleading, as it allows just for one admin user and a readonly user. I think it would be best to say "Both the built-in admin and the optional read-only user can be configured for Basic Auth"
| - **Health Check Security**: Optional authentication for monitoring endpoints | ||
| - **Client Library Integration**: Built-in support across all QuestDB client libraries | ||
| - **Multiple User Support**: Configure different users with varying access levels | ||
|
|
There was a problem hiding this comment.
I would move this note at the intro, before the Overview, so Enterprise users can skip the page completely
| http.health.check.authentication.required=true | ||
|
|
||
| # Optional: Configure security settings | ||
| http.security.max.response.rows=10000 |
There was a problem hiding this comment.
I wouldn't feature the max response rows parameter here, as it has nothing to do with Basic Auth
| http.security.max.response.rows=10000 | ||
| http.security.readonly=false | ||
|
|
||
| # Optional: CORS settings for web applications |
There was a problem hiding this comment.
Where did you see this? It is not part of the questdb config.
| 3. **Test Thoroughly**: Verify all integrations work with authentication enabled | ||
| 4. **Monitor Logs**: Watch for authentication failures after deployment | ||
|
|
||
| ```bash |
There was a problem hiding this comment.
This example doesn't really says much, as client applications are not mentioned, and also coordinating application deployment with server restart can be tricky. I would rather leave the whole example out. You already mentioned how to configure and how to test earlier in the same page
| curl -u "questdb_user:secure_password_123" http://localhost:9000/ping | ||
| ``` | ||
|
|
||
| ## Next Steps |
There was a problem hiding this comment.
I would delete everything from this point on. Some things are unrelated, and some things are enterprise-only, which we already mentioned at the initial note.
|
|
||
| # For QuestDB Open Source without authentication: | ||
| # client = InfluxDBClient(url="http://localhost:9000", token="") | ||
|
|
There was a problem hiding this comment.
Why are you removing the enterprose option for user and password? Even if token is recommended, user and password for enterprise work as well
| print(f"Authentication failed: {e}") | ||
| ``` | ||
|
|
||
| ### Environment Variables Migration |
There was a problem hiding this comment.
I would remove this section. Not sure it is needed, and it is misleading as these variables are only for SERVER SIDE, not for client
Or individual variables
export QDB_HTTP_USER="admin"
export QDB_HTTP_PASSWORD="quest"
and the QDB_URL variable is not used by either client or server
| export QDB_URL="http://localhost:9000" | ||
| ``` | ||
|
|
||
| ### Security Considerations |
There was a problem hiding this comment.
I would remove this section. Some things are enterprise only, and the rest are very mild generic recommendations
3 participants
Changes Made
New Documentation
operations/basic-auth.md)Enhanced Documentation
guides/influxdb-migration.md)