InfluxDB 2.0 | Backup results in `read:dbrp is unauthorized`. How to migrate bucket data?

Server Fault Asked by Kiwi on January 1, 2022

We are running an InfluxDB 2.0 instance in a docker environment. For some weeks we have collected data using telegraf and store them into a bucket. Now, we would like to do a backup of our data.

What we can do to save our data is to make a copy of /root/.influxdbv2/, but we prefere to use build-in features and be able to restore the data into another instance of InfluxDB 2.0. This is were the problems begin.

Influx version

$ influx version
Influx CLI 2.0.0-beta.13 (git: 86796ddf2d) build_date: 2020-07-09T12:15:08Z

Trying to do a backup

$ export INFLUX_TOKEN=<token of admin user>
$ influx bucket find --org myOrg
ID                      Name            Retention       Organization ID
05b89a36ffe01003        _monitoring     168h0m0s        05b89a36ffe01000
05b89a36ffe01002        _tasks          72h0m0s         05b89a36ffe01000
05b89a36ffe01001        myBucket        0s              05b89a36ffe01000

$ influx backup -p /backup/backup_$(date '+%Y-%m-%d_%H-%M')
Error: read:dbrp is unauthorized
See 'influx backup -h' for help

Searching for influx "Error: read:dbrp is unauthorized" would not find anything on the internet.

The only hint I got is from the documentation:

If you set up InfluxDB using v2.0.0-beta.1 or earlier, you cannot back up data. Root tokens created prior to v2.0.0-beta.2 do not have the necessary permissions. To succesfully use the backup tool, set up a new InfluxDB instance using v2.0.0-beta.2+.

I pretty sure we started with a later beta version, from march, but I cannot doublecheck this. However, I would like to find a solution to export our data.

Trying to add missing permissions

As it seemed we do not have the right permissions, I checked the permissions and wanted to try adding the missing permissions to my admin user, which obviously did not work.

Check current permissions

During the check for permissions, I can see, that my admin user token does not have any dbrp permissions. But when I generate a new token in the GUI via Generate -> All access token, then the new token seems to have the required permissions:

$ influx auth list
05f79912b4f73000        <newToken>       myAdmin        05b89a36e7e01000        [... read:orgs/05b89a36ffe01000/dbrp write:orgs/05b89a36ffe01000/dbrp ...]

(I shortened the output)

Error on adding permissions

However, just in case I tried to add the permissions to my admin user anyway.

$ influx auth create --user myAdmin --org myOrg --read-dbrps
Error: Permission read:orgs/05b89a36ffe01000/dbrp is not allowed: read:orgs/05b89a36ffe01000/dbrp is unauthorized.

Trying the new created token

As we saw in the step above, the new token has dprp permissions. When I use this token for the backup, I receive another error message.

$ export INFLUX_TOKEN=<newToken>
$ influx backup -p /backup/backup_$(date '+%Y-%m-%d_%H-%M')
Error: read:authorizations is unauthorized
See 'influx backup -h' for help

Searching for this error, I find one similar issue, which references another.

After reading this, I tried to set my token via the credentials file. But that did not change anything.

Migrating data to a fresh InfluxDB 2.0 instance

When I spawn a fresh Docker container of InfluxDB 2.0, the influx backup command works as expected. So, in order to use the build-in commands, I would like to migrate the collected data from my bucket into another instance. Do you see any possibility or am I missing anything to make these commands work?

Thanks a lot.

PS: Oh, there is no influxdb tag, at all? And I do not have enough reputation to create that tag. I hope it’s the right q&a platform to ask my question?

2 Answers

I posted this answer to an issue yesterday which will help (instructions duplicated below):

You can manually edit the boltdb file to add those missing permissions to the token. Here's how:

  1. Stop your influxd process
  2. Upgrade to the latest influxd beta (currently beta-15).
  3. Install in the machine where the backup is. There are probably other boltdb browsers out there, but this is the one i used to test this.
  4. MAKE A BACKUP OF YOUR ~/.influxdbv2/influxd.bolt . Like, this is really important. If you corrupt this file in any way, you will NOT be able to access any of the data in your database. So heck, maybe make two backups :)
  5. Load up your boltdb file using something like boltbrowser ~/.influxdbv2/influxd.bolt You should see something like this: enter image description here
  6. Navigate to the authorizationsv1 parent and find the key with the id of the root token. If you have more than one token, you can find the mapping for token -> id in the authorizationindexv1 parent.
  7. What we want to do is add the dbrp permission into the json array value. if you hit e, you will be able to manually edit the value. At the very end of the permissions array, and add the following entry for reading and writing the dbrp resource: {"action":"read","resource":{"type":"dbrp"}},{"action":"write","resource":{"type":"dbrp"}} (don't forget the comma). You might find it easier to export the json to a file ( the x key ) and test the editing there.
  8. You might also need to add permissions to the stack resource, which is {"action":"read","resource":{"type":"stack"}},{"action":"write","resource":{"type":"stack"}}. Long story short, if you go through this process and still get a message like Error: read:<resource> is unauthorized, just go back in and add the read/write for that resource.
  9. Hit enter to save the value, and then esc to get back to the terminal.
  10. Fire up your influxd instance, and check that the token is valid by navigating to the tokens page in the UI or running influx auth list in the cli. You should see the new permissions added.
  11. Try the export again.

If anything goes wrong, delete the edited bolt file, restore your backup, and try again.

Answered by Russ Savage on January 1, 2022

This is a pretty frustrating problem. Maybe we could manually change the contents of the boltdb in which influxdb stores the configuration settings.

Looks like my hacky idea works.

Edit the influxd.bolt file with boltbrowser:

  • Open authorizationsv1 bucket
  • Find the backup user's token (the value is in json format)
  • Add the following two objects to the permissions array:
    "action": "read",
    "resource": {
      "type": "dbrp"
  }, {
    "action": "write",
    "resource": {
      "type": "dbrp"

Answered by gergo on January 1, 2022

Add your own answers!

Related Questions

Apache reverse proxy from root to context

1  Asked on December 13, 2021 by jzonthemtn


Barman: rsync wal archival stalls on some files

1  Asked on December 13, 2021 by thoro


Unable to port forward via ssh on windows

1  Asked on December 13, 2021 by justtryingnottofail


git clone does not work in (sshfs) mapped drive in windows

0  Asked on December 13, 2021 by dhanabal-m


OpenSSL – error in SSLv2/v3 read client hello A

1  Asked on December 13, 2021 by tuyen-nguyen


Prevent port change on redirect in nginx

5  Asked on December 11, 2021 by arbales


PHP-FPM does not automatically start after reboot

3  Asked on December 11, 2021 by steveedson


Postgres roles best practice implementation

1  Asked on December 11, 2021 by jp-beaudry


Rinetd failing to run

1  Asked on December 11, 2021 by opad


Nagios service check interval based on host type

2  Asked on December 11, 2021 by sebastien-prudhomme


Cannot connect to Linux Samba share from Windows 10

15  Asked on December 11, 2021 by pngl


Ask a Question

Get help from others!

© 2023 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP