InfluxDB 2.0 | Backup results in `read:dbrp is unauthorized`. How to migrate bucket data?

Question

We are running an InfluxDB 2.0 instance in a docker environment. For some weeks we have collected data using telegraf and store them into a bucket. Now, we would like to do a backup of our data.

What we can do to save our data is to make a copy of /root/.influxdbv2/, but we prefere to use build-in features and be able to restore the data into another instance of InfluxDB 2.0. This is were the problems begin.

Influx version

$ influx version
Influx CLI 2.0.0-beta.13 (git: 86796ddf2d) build_date: 2020-07-09T12:15:08Z

Trying to do a backup

$ export INFLUX_TOKEN=<token of admin user>
$ influx bucket find --org myOrg
ID                      Name            Retention       Organization ID
05b89a36ffe01003        _monitoring     168h0m0s        05b89a36ffe01000
05b89a36ffe01002        _tasks          72h0m0s         05b89a36ffe01000
05b89a36ffe01001        myBucket        0s              05b89a36ffe01000

$ influx backup -p /backup/backup_$(date '+%Y-%m-%d_%H-%M')
Error: read:dbrp is unauthorized
See 'influx backup -h' for help

Searching for influx "Error: read:dbrp is unauthorized" would not find anything on the internet.

The only hint I got is from the documentation:

If you set up InfluxDB using v2.0.0-beta.1 or earlier, you cannot back up data. Root tokens created prior to v2.0.0-beta.2 do not have the necessary permissions. To succesfully use the backup tool, set up a new InfluxDB instance using v2.0.0-beta.2+.

I pretty sure we started with a later beta version, from march, but I cannot doublecheck this. However, I would like to find a solution to export our data.

Trying to add missing permissions

As it seemed we do not have the right permissions, I checked the permissions and wanted to try adding the missing permissions to my admin user, which obviously did not work.

Check current permissions

During the check for permissions, I can see, that my admin user token does not have any dbrp permissions. But when I generate a new token in the GUI via Generate -> All access token, then the new token seems to have the required permissions:

$ influx auth list
05f79912b4f73000        <newToken>       myAdmin        05b89a36e7e01000        [... read:orgs/05b89a36ffe01000/dbrp write:orgs/05b89a36ffe01000/dbrp ...]

(I shortened the output)

Error on adding permissions

However, just in case I tried to add the permissions to my admin user anyway.

$ influx auth create --user myAdmin --org myOrg --read-dbrps
Error: Permission read:orgs/05b89a36ffe01000/dbrp is not allowed: read:orgs/05b89a36ffe01000/dbrp is unauthorized.

Trying the new created token

As we saw in the step above, the new token has dprp permissions. When I use this token for the backup, I receive another error message.

$ export INFLUX_TOKEN=<newToken>
$ influx backup -p /backup/backup_$(date '+%Y-%m-%d_%H-%M')
Error: read:authorizations is unauthorized
See 'influx backup -h' for help

Searching for this error, I find one similar issue, which references another.

After reading this, I tried to set my token via the credentials file. But that did not change anything.

Migrating data to a fresh InfluxDB 2.0 instance

When I spawn a fresh Docker container of InfluxDB 2.0, the influx backup command works as expected. So, in order to use the build-in commands, I would like to migrate the collected data from my bucket into another instance. Do you see any possibility or am I missing anything to make these commands work?

Thanks a lot.

PS: Oh, there is no influxdb tag, at all? And I do not have enough reputation to create that tag. I hope it’s the right q&a platform to ask my question?

backup command line interface migration

Russ Savage · Answer

I posted this answer to an issue yesterday which will help (instructions duplicated below): https://github.com/influxdata/influxdb/issues/18882#issuecomment-663113088
You can manually edit the boltdb file to add those missing permissions to the token. Here's how:

Stop your influxd process
Upgrade to the latest influxd beta (currently beta-15).
Install https://github.com/br0xen/boltbrowser in the machine where the backup is. There are probably other boltdb browsers out there, but this is the one i used to test this.
MAKE A BACKUP OF YOUR ~/.influxdbv2/influxd.bolt . Like, this is really important. If you corrupt this file in any way, you will NOT be able to access any of the data in your database. So heck, maybe make two backups :)
Load up your boltdb file using something like boltbrowser ~/.influxdbv2/influxd.bolt You should see something like this:

Navigate to the authorizationsv1 parent and find the key with the id of the root token. If you have more than one token, you can find the mapping for token -> id in the authorizationindexv1 parent.
What we want to do is add the dbrp permission into the json array value. if you hit e, you will be able to manually edit the value. At the very end of the permissions array, and add the following entry for reading and writing the dbrp resource: {"action":"read","resource":{"type":"dbrp"}},{"action":"write","resource":{"type":"dbrp"}} (don't forget the comma).  You might find it easier to export the json to a file ( the x key ) and test the editing there.
You might also need to add permissions to the stack resource, which is {"action":"read","resource":{"type":"stack"}},{"action":"write","resource":{"type":"stack"}}. Long story short, if you go through this process and still get a message like Error: read:<resource> is unauthorized, just go back in and add the read/write for that resource.
Hit enter to save the value, and then esc to get back to the terminal.
Fire up your influxd instance, and check that the token is valid by navigating to the tokens page in the UI or running influx auth list in the cli. You should see the new permissions added.
Try the export again.

If anything goes wrong, delete the edited bolt file, restore your backup, and try again.

gergo · Answer

This is a pretty frustrating problem.
Maybe we could manually change the contents of the boltdb in which influxdb stores the configuration settings.
Edit:
Looks like my hacky idea works.
Edit the influxd.bolt file with boltbrowser:

Open authorizationsv1 bucket
Find the backup user's token (the value is in json format)
Add the following two objects to the permissions array:

{
    "action": "read",
    "resource": {
      "type": "dbrp"
    }
  }, {
    "action": "write",
    "resource": {
      "type": "dbrp"
   }
 }