Kuldeep Jain

Reputation: 8598

InfluxDB http calls sending credentials (username & password) in URL as query params

For a sample project for a weather service I needed to store time-series data. This is the first time I am using any time-series database. I did some reading on them and their comparisons and found that InfluxDB is open source and one of the best, so I decided to use that.

For my PoC I installed it locally on my machine and am connecting to it from my application. However, when I look at the logs for various queries run against InfluxDB, I found that it makes HTTP calls to InfluxDB and passes the username and password as query params in the URL. This certainly seems like bad practice, to pass credentials as plain text in the URL while making the HTTP call. Can someone comment on why it is designed like this, and whether it is supposed to be like this in a real-world scenario as well?

Logs:

2019-07-19 12:01:00.304  INFO 69709 --- [pool-1-thread-1] okhttp3.OkHttpClient                     : --> POST http://127.0.0.1:8086/write?u=admin&p=admin&db=weatherdata&rp=defaultPolicy&precision=n&consistency=one (78-byte body)

2019-07-19 13:48:28.461  INFO 69709 --- [nio-8080-exec-9] okhttp3.OkHttpClient                     : --> GET http://127.0.0.1:8086/query?u=admin&p=admin&db=weatherdata&q=Select+*+from+weather
2019-07-19 13:48:28.530  INFO 69709 --- [nio-8080-exec-9] okhttp3.OkHttpClient                     : <-- 200 OK http://127.0.0.1:8086/query?u=admin&p=admin&db=weatherdata&q=Select+*+from+weather (68ms, unknown-length body)

Upvotes: 0

Views: 735

Answers (1)

CantankerousBullMoose

Reputation: 512

InfluxDB supports HTTP Basic Auth, where the username and password are passed via the HTTP Authorization header instead of the URL. I suspect you just need to configure your client to do that instead of using the URL parameters. Credentials are still in plaintext, but I think if you set up HTTPS, Basic Auth is secure-ish.

In general I don't think the Influx Devs expect InfluxDB to be a standalone, public-facing service. Instead, they expect that you're going to use InfluxDB as a backend, and then use something like Chronograf (which is their own visualization tool) or Grafana as a front end. So if they're going to spend time on more sophisticated authentication protocols, they're going to do it on the front end side.

The expectation would be that the front end and back end run on the same network, and communications between them can be secured via network segmentation.

Upvotes: 1
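As an added example (not code from the answer above, nor from the InfluxDB project or the influxdb-java client in the question's logs), the following Python script shows why the difference matters to a defender: it builds the same InfluxDB 1.x /write request both ways, shows what a typical access log records for each, and includes a small detector/redactor for log lines that carry u=/p= parameters. The base URL, database name and parameter names are taken from the question's logs; the request dicts are constructed stand-ins for a real HTTP client call, and the "admin"/"admin" credentials and the data point are constructed sample values.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Base URL and parameter names are taken from the question's log lines (InfluxDB 1.x HTTP API).
INFLUX_BASE = "http://127.0.0.1:8086"
SENSITIVE_PARAMS = {"u", "p"}


def url_param_auth_request(user, password, db, line_protocol):
    """Build a /write request the way the question's client does: credentials as u=/p= query params.
    The request is a plain dict, a constructed stand-in for a real HTTP client call."""
    query = urlencode({"u": user, "p": password, "db": db, "precision": "n"})
    return {"method": "POST", "url": f"{INFLUX_BASE}/write?{query}",
            "headers": {}, "body": line_protocol}


def basic_auth_request(user, password, db, line_protocol):
    """Same write, with credentials moved into an Authorization: Basic header (RFC 7617).
    Over HTTPS the header travels inside the TLS session; it still must not be logged."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    query = urlencode({"db": db, "precision": "n"})
    return {"method": "POST", "url": f"{INFLUX_BASE}/write?{query}",
            "headers": {"Authorization": f"Basic {token}"}, "body": line_protocol}


def access_log_line(request):
    """Mimic what client, proxy and server access logs usually record: method and full URL.
    Headers are normally not logged, which is why header-based credentials survive logging."""
    return f"--> {request['method']} {request['url']}"


_URL_RE = re.compile(r"https?://\S+")


def leaked_credential_params(log_line):
    """Detection: return the sensitive query parameter names present in a logged URL."""
    match = _URL_RE.search(log_line)
    if not match:
        return []
    params = parse_qs(urlsplit(match.group(0)).query, keep_blank_values=True)
    return sorted(name for name in params if name in SENSITIVE_PARAMS)


def redact_log_line(log_line):
    """Mitigation for logs you cannot avoid: replace sensitive query values before the line is stored."""
    def _redact(match):
        parts = urlsplit(match.group(0))
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in SENSITIVE_PARAMS:
            if name in params:
                params[name] = ["REDACTED"]
        return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))
    return _URL_RE.sub(_redact, log_line)


if __name__ == "__main__":
    # Constructed sample point; "admin"/"admin" mirrors the credentials visible in the question's logs.
    point = "weather,city=Pune temp=21.5"
    for build in (url_param_auth_request, basic_auth_request):
        req = build("admin", "admin", "weatherdata", point)
        line = access_log_line(req)
        print(line)
        print("  leaked params:", leaked_credential_params(line))
        print("  redacted     :", redact_log_line(line))
```

Running it prints the URL-parameter variant with `u=admin&p=admin` in the logged URL and the Basic Auth variant with no credential in the URL at all; `leaked_credential_params` can be pointed at the question's own okhttp log lines (or a web server or proxy access log in front of InfluxDB) to find where the query-parameter form is still in use, and `redact_log_line` is the stop-gap for logs that are already being written that way.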
