Skip to main content

Authentication & Users (Legacy users.conf)

Authentication and user definitions are configured in hlquery.conf:

  • Dev layout: run/conf/hlquery.conf
  • System/Debian/RPM layouts: /etc/hlquery/hlquery.conf

This page exists for backward compatibility with older layouts that used users.conf.

Current Location

Use this file for auth/user config:

run/conf/hlquery.conf (dev layout)
/etc/hlquery/hlquery.conf (system/debian/rpm layout)

Auth settings are defined with:

<auth enabled="true">
<user name="admin" token="replace-with-strong-token" flags="admin">
<user name="api_user" token="replace-with-strong-token" flags="user">
<user name="dashboard" password="replace-with-strong-password" flags="user">

What Each Field Means

  • enabled
    • true: protected endpoints require auth
    • false: auth disabled (public access for most endpoints)
  • name
    • user identifier used by user-management APIs
  • token
    • API token used by clients
    • can be plain token text (recommended for simplicity)
  • password
    • Optional password used with HTTP Basic auth
    • requires name
    • clients send it as Authorization: Basic base64(name:password)
  • flags
    • admin: full system access (keys/users/system endpoints)
    • user: standard data access

Sending Tokens

Use either header:

curl -H "Authorization: Bearer <token>" http://localhost:9200/collections
curl -H "X-API-Key: <token>" http://localhost:9200/collections
curl -u dashboard:<password> http://localhost:9200/collections

Enabling Authentication

Edit hlquery.conf in your active config directory:

<auth enabled="true">

Then restart the daemon.

Legacy users.conf Notes

If your environment still has users.conf (run/conf/users.conf or /etc/hlquery/users.conf):

  • treat it as legacy/split config
  • prefer moving entries into hlquery.conf (run/conf/hlquery.conf or /etc/hlquery/hlquery.conf)
  • keep a single source of truth to avoid drift

Quick Validation

After restart:

  1. Request without token should return 401 on protected endpoints.
  2. Request with valid token should return 200.
  3. Check logs for access-control entries in run/logs/hlquery.log.