Authentication & Users (Legacy users.conf)
Authentication and user definitions are configured in hlquery.conf:
- Dev layout:
run/conf/hlquery.conf - System/Debian/RPM layouts:
/etc/hlquery/hlquery.conf
This page exists for backward compatibility with older layouts that used users.conf.
Current Location
Use this file for auth/user config:
run/conf/hlquery.conf (dev layout)
/etc/hlquery/hlquery.conf (system/debian/rpm layout)
Auth settings are defined with:
<auth enabled="true">
<user name="admin" token="replace-with-strong-token" flags="admin">
<user name="api_user" token="replace-with-strong-token" flags="user">
<user name="dashboard" password="replace-with-strong-password" flags="user">
What Each Field Means
enabledtrue: protected endpoints require authfalse: auth disabled (public access for most endpoints)
name- user identifier used by user-management APIs
token- API token used by clients
- can be plain token text (recommended for simplicity)
password- Optional password used with HTTP Basic auth
- requires
name - clients send it as
Authorization: Basic base64(name:password)
flagsadmin: full system access (keys/users/system endpoints)user: standard data access
Sending Tokens
Use either header:
curl -H "Authorization: Bearer <token>" http://localhost:9200/collections
curl -H "X-API-Key: <token>" http://localhost:9200/collections
curl -u dashboard:<password> http://localhost:9200/collections
Enabling Authentication
Edit hlquery.conf in your active config directory:
<auth enabled="true">
Then restart the daemon.
Legacy users.conf Notes
If your environment still has users.conf (run/conf/users.conf or /etc/hlquery/users.conf):
- treat it as legacy/split config
- prefer moving entries into
hlquery.conf(run/conf/hlquery.confor/etc/hlquery/hlquery.conf) - keep a single source of truth to avoid drift
Quick Validation
After restart:
- Request without token should return
401on protected endpoints. - Request with valid token should return
200. - Check logs for access-control entries in
run/logs/hlquery.log.