Api-key not authorised error

Environment

Centos 7

Problem/Question

When I set the client to stream to the master, I have set the api-key in the agent and I get an error on the master that the api key is not authorised, even though I have specifically enabled that particular api key in the stream.conf file.

What I expected to happen

It should pick up the api key being passed to it and allow the connection.

Hey @ryanlindsay,

From the looks of it, it must be a configuration error. Can you please send us the configuration of both agents so we can take a look? It is true that they are a bit convoluted, so mistakes do happen more often than we would have liked.

P.S. Welcome to our community. We hope you enjoy your time here.

Best,
Odysseas

Sure
This is the client side

[stream]
    # Enable this on child nodes, to have them send metrics.
    enabled = yes

    # Where is the receiving netdata?
    # A space separated list of:
    #
    #      [PROTOCOL:]HOST[%INTERFACE][:PORT][:SSL]
    #
    # If many are given, the first available will get the metrics.
    #
    # PROTOCOL  = tcp, udp, or unix (only tcp and unix are supported by parent nodes)
    # HOST      = an IPv4, IPv6 IP, or a hostname, or a unix domain socket path.
    #             IPv6 IPs should be given with brackets [ip:address]
    # INTERFACE = the network interface to use (only for IPv6)
    # PORT      = the port number or service name (/etc/services)
    # SSL       = when this word appear at the end of the destination string
    #             the Netdata will encrypt the connection with the parent.
    #
    # This communication is not HTTP (it cannot be proxied by web proxies).
    destination = 10.126.24.167

    # Skip Certificate verification?
    #
    # The netdata child is configurated to avoid invalid SSL/TLS certificate,
    # so certificates that are self-signed or expired will stop the streaming.
    # Case the server certificate is not valid, you can enable the use of
    # 'bad' certificates setting the next option as 'yes'.
    #
    #ssl skip certificate verification = yes

    # Certificate Authority Path
    #
    # OpenSSL has a default directory where the known certificates are stored,
    # case it is necessary it is possible to change this rule using the variable
    # "CApath"
    #
    #CApath = /etc/ssl/certs/

    # Certificate Authority file
    #
    # When the Netdata parent has certificate, that is not recognized as valid,
    # we can add this certificate in the list of known certificates in CApath
    # and give for Netdata as argument.
    #
    #CAfile = /etc/ssl/certs/cert.pem

    # The API_KEY to use (as the sender)
    api key = e7772f6c-06e2-4cc2-b003-5d9164c60a1f

    # The timeout to connect and send metrics
    timeout seconds = 60

    # If the destination line above does not specify a port, use this
    default port = 19999

   
    send charts matching = *

    buffer size bytes = 1048576

    # If the connection fails, or it disconnects,
    # retry after that many seconds.
    reconnect delay seconds = 5

    # Sync the clock of the charts for that many iterations, when starting.
    initial clock resync iterations = 60

And this is the collator side, receiving the data.

[e7772f6c-06e2-4cc2-b003-5d9164c60a1f]
enabled = yes
allow from = 10.126.20.33
default history = 3600
default memory mode = ram
health enabled by default = auto
default postpone alarms on connect seconds = 60

That’s from the stream.conf file on both sides. Do you need any of the other parts of the config file?

Hi Odysseas
Since it’s a huge file, here is the relevant section on the master collator side for the netdata.conf file


[global]
        run as user = netdata
        history = 3996
        process scheduling policy = idle
        OOM score = 1000
        stock config directory = /etc/netdata/conf.d
        # glibc malloc arena max for plugins = 1
        # glibc malloc arena max for netdata = 1
        # hostname = removed.by.author
        # update every = 1
        # config directory = /etc/netdata
        # log directory = /var/log/netdata
        # web files directory = /usr/share/netdata/web
        # cache directory = /var/cache/netdata
        # lib directory = /var/lib/netdata
        # home directory = /var/log/netdata
        # lock directory = /var/lib/netdata/lock
        # plugins directory = "/usr/libexec/netdata/plugins.d" "/etc/netdata/custom-plugins.d"
        # memory mode = dbengine
        # page cache size = 32
        # dbengine disk space = 256
        # dbengine multihost disk space = 256
        # host access prefix =
        # memory deduplication (ksm) = yes
        # TZ environment variable = :/etc/localtime
        # timezone = Australia/Melbourne
        # debug flags = 0x0000000000000000
        # debug log = /var/log/netdata/debug.log
        # error log = /var/log/netdata/error.log
        # access log = /var/log/netdata/access.log
        # facility log = daemon
        # errors flood protection period = 1200
        # errors to trigger flood protection = 200
        # pthread stack size = 8388608
        # cleanup obsolete charts after seconds = 3600
        # gap when lost iterations above = 1
        # cleanup orphan hosts after seconds = 3600
        # delete obsolete charts files = yes
        # delete orphan hosts files = yes
        # enable zero metrics = no

[web]
        web files owner = root
        web files group = netdata
        bind to = 0.0.0.0
        # ssl key = /etc/netdata/ssl/key.pem
        # ssl certificate = /etc/netdata/ssl/cert.pem
        # tls version = 1.3
        # tls ciphers = none
        # ses max window = 15
        # des max window = 15
        # mode = static-threaded
        # listen backlog = 4096
        # default port = 19999
        # disconnect idle clients after seconds = 60
        # timeout for first request = 60
        # accept a streaming request every seconds = 0
        # respect do not track policy = no
        # x-frame-options response header =
        # allow connections from = localhost *
        # allow connections by dns = heuristic
        # allow dashboard from = localhost *
        # allow dashboard by dns = heuristic
        # allow badges from = *
        # allow badges by dns = heuristic
        # allow streaming from = *
        # allow streaming by dns = heuristic
        # allow netdata.conf from = localhost fd* 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* UNKNOWN
        # allow netdata.conf by dns = no
        # allow management from = localhost
        # allow management by dns = heuristic
        # enable gzip compression = yes
        # gzip compression strategy = default
        # gzip compression level = 3
        # web server threads = 6
        # web server max sockets = 256

And this is from the stream.conf file

[stream]
    # Enable this on child nodes, to have them send metrics.
    enabled = no

    # Where is the receiving netdata?
    # A space separated list of:
    #
    #      [PROTOCOL:]HOST[%INTERFACE][:PORT][:SSL]
    #
    # If many are given, the first available will get the metrics.
    #
    # PROTOCOL  = tcp, udp, or unix (only tcp and unix are supported by parent nodes)
    # HOST      = an IPv4, IPv6 IP, or a hostname, or a unix domain socket path.
    #             IPv6 IPs should be given with brackets [ip:address]
    # INTERFACE = the network interface to use (only for IPv6)
    # PORT      = the port number or service name (/etc/services)
    # SSL       = when this word appear at the end of the destination string
    #             the Netdata will encrypt the connection with the parent.
    #
    # This communication is not HTTP (it cannot be proxied by web proxies).
    destination =

    # Skip Certificate verification?
    #
    # The netdata child is configurated to avoid invalid SSL/TLS certificate,
    # so certificates that are self-signed or expired will stop the streaming.
    # Case the server certificate is not valid, you can enable the use of
    # 'bad' certificates setting the next option as 'yes'.
    #
    #ssl skip certificate verification = yes

    # Certificate Authority Path
    #
    # OpenSSL has a default directory where the known certificates are stored,
    # case it is necessary it is possible to change this rule using the variable
    # "CApath"
    #
    #CApath = /etc/ssl/certs/

    # Certificate Authority file
    #
    # When the Netdata parent has certificate, that is not recognized as valid,
    # we can add this certificate in the list of known certificates in CApath
    # and give for Netdata as argument.
    #
    #CAfile = /etc/ssl/certs/cert.pem

    # The API_KEY to use (as the sender)
    api key =

    # The timeout to connect and send metrics
    timeout seconds = 60

    # If the destination line above does not specify a port, use this
    default port = 19999

    # filter the charts to be streamed
    # netdata SIMPLE PATTERN:
    # - space separated list of patterns (use \ to include spaces in patterns)
    # - use * as wildcard, any number of times within each pattern
    # - prefix a pattern with ! for a negative match (ie not stream the charts it matches)
    # - the order of patterns is important (left to right)
    # To send all except a few, use: !this !that *   (ie append a wildcard pattern)
    send charts matching = *

    # The buffer to use for sending metrics.
    # 1MB is good for 10-20 seconds of data, so increase this if you expect latencies.
    # The buffer is flushed on reconnects (this will not prevent gaps at the charts).
    buffer size bytes = 1048576

    # If the connection fails, or it disconnects,
    # retry after that many seconds.
    reconnect delay seconds = 5

    # Sync the clock of the charts for that many iterations, when starting.
    initial clock resync iterations = 60

# -----------------------------------------------------------------------------
# 2. ON PARENT NETDATA - THE ONE THAT WILL BE RECEIVING METRICS

#    You can have one API key per child,
#         or the same API key for all child nodes.
#
#    netdata searches for options in this order:
#
#    a) parent netdata settings (netdata.conf)
#    b) [stream] section        (above)
#    c) [API_KEY] section       (below, settings for the API key)
#    d) [MACHINE_GUID] section  (below, settings for each machine)
#
#    You can combine the above (the more specific setting will be used).

# API key authentication
# If the key is not listed here, it will not be able to push metrics.

# [API_KEY] is [YOUR-API-KEY], i.e [11111111-2222-3333-4444-555555555555]
[e7772f6c-06e2-4cc2-b003-5d9164c60a1f]
enabled = yes
allow from = 10.126.20.33
default history = 3600
default memory mode = ram
health enabled by default = auto
default postpone alarms on connect seconds = 60

Then on the client sending its data
From stream.conf

[stream]
    # Enable this on child nodes, to have them send metrics.
    enabled = yes

    # Where is the receiving netdata?
    # A space separated list of:
    #
    #      [PROTOCOL:]HOST[%INTERFACE][:PORT][:SSL]
    #
    # If many are given, the first available will get the metrics.
    #
    # PROTOCOL  = tcp, udp, or unix (only tcp and unix are supported by parent nodes)
    # HOST      = an IPv4, IPv6 IP, or a hostname, or a unix domain socket path.
    #             IPv6 IPs should be given with brackets [ip:address]
    # INTERFACE = the network interface to use (only for IPv6)
    # PORT      = the port number or service name (/etc/services)
    # SSL       = when this word appear at the end of the destination string
    #             the Netdata will encrypt the connection with the parent.
    #
    # This communication is not HTTP (it cannot be proxied by web proxies).
    destination = 10.126.24.167

    # Skip Certificate verification?
    #
    # The netdata child is configurated to avoid invalid SSL/TLS certificate,
    # so certificates that are self-signed or expired will stop the streaming.
    # Case the server certificate is not valid, you can enable the use of
    # 'bad' certificates setting the next option as 'yes'.
    #
    #ssl skip certificate verification = yes

    # Certificate Authority Path
    #
    # OpenSSL has a default directory where the known certificates are stored,
    # case it is necessary it is possible to change this rule using the variable
    # "CApath"
    #
    #CApath = /etc/ssl/certs/

    # Certificate Authority file
    #
    # When the Netdata parent has certificate, that is not recognized as valid,
    # we can add this certificate in the list of known certificates in CApath
    # and give for Netdata as argument.
    #
    #CAfile = /etc/ssl/certs/cert.pem

    # The API_KEY to use (as the sender)
    api key = e7772f6c-06e2-4cc2-b003-5d9164c60a1f

    # The timeout to connect and send metrics
    timeout seconds = 60

    # If the destination line above does not specify a port, use this
    default port = 19999

    # filter the charts to be streamed
    # netdata SIMPLE PATTERN:
    # - space separated list of patterns (use \ to include spaces in patterns)
    # - use * as wildcard, any number of times within each pattern
    # - prefix a pattern with ! for a negative match (ie not stream the charts it matches)
    # - the order of patterns is important (left to right)
    # To send all except a few, use: !this !that *   (ie append a wildcard pattern)
    send charts matching = *

    # The buffer to use for sending metrics.
    # 1MB is good for 10-20 seconds of data, so increase this if you expect latencies.
    # The buffer is flushed on reconnects (this will not prevent gaps at the charts).
    buffer size bytes = 1048576

    # If the connection fails, or it disconnects,
    # retry after that many seconds.
    reconnect delay seconds = 5

    # Sync the clock of the charts for that many iterations, when starting.
    initial clock resync iterations = 60

And its netdata.conf

[global]
    run as user = netdata
    memory mode = none
    # the default database size - 1 hour
    history = 3600

    # some defaults to run netdata with least priority
    process scheduling policy = idle
    OOM score = 1000

[web]
    web files owner = root
    web files group = netdata
    mode = none
    # by default do not expose the netdata port
    bind to = 10.126.20.33
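
As an added example (not part of any post above and not Netdata's own code), this Python script cross-checks a child and a parent stream.conf the way the stock comments describe: the child's api key must have its own enabled section on the parent, and the connecting address must pass that section's `allow from` simple pattern. The function names are hypothetical, and the defaults used for a missing `enabled` (no) or `allow from` (*) are assumptions.

```python
import re

# Constructed sample input, trimmed from the two stream.conf files quoted in the thread.
CHILD = "[stream]\n    enabled = yes\n    api key = e7772f6c-06e2-4cc2-b003-5d9164c60a1f\n"
PARENT = ("[stream]\n    enabled = no\n    api key =\n"
          "[e7772f6c-06e2-4cc2-b003-5d9164c60a1f]\nenabled = yes\nallow from = 10.126.20.33\n")

def parse_conf(text):
    """Parse Netdata-style INI text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def simple_pattern_match(patterns, value):
    """Space separated patterns, '*' wildcard, '!' negates; first match decides."""
    for pat in patterns.split():
        negative = pat.startswith("!")
        body = pat[1:] if negative else pat
        regex = ".*".join(re.escape(part) for part in body.split("*"))
        if re.fullmatch(regex, value):
            return not negative
    return False

def check_stream_auth(child_conf, parent_conf, child_ip):
    """Return the reasons the parent would refuse this child ([] if none found)."""
    child = parse_conf(child_conf).get("stream", {})
    parent = parse_conf(parent_conf)
    key, problems = child.get("api key", ""), []
    if child.get("enabled") != "yes":
        problems.append("child: [stream] enabled is not yes")
    section = parent.get(key) if key else None
    if section is None:
        problems.append("parent: no [%s] section" % key)
        return problems
    # Assumed defaults when a line is absent: enabled = no, allow from = *
    if section.get("enabled", "no") != "yes":
        problems.append("parent: key section is not enabled")
    if not simple_pattern_match(section.get("allow from", "*"), child_ip):
        problems.append("parent: allow from does not match " + child_ip)
    return problems
```

Pass as `child_ip` the source address the parent actually sees for the connection, which can differ from the child's own bind address when NAT or several interfaces are involved.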