Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
influxdb/coordinator/permissions.go

186 lines
6.1 KiB
Go
Raw Permalink Normal View History

Close #677. Extract coordinator.Permissions All ClusterAdmins now qualify as DbAdmins too.
2014-06-22 20:36:42 +00:00
package coordinator
import (
Restructure the codebase to be more idiomatic
2014-06-27 16:57:06 +00:00
"github.com/influxdb/influxdb/common"
Move permission checking to permissions
2014-08-15 19:07:23 +00:00
"github.com/influxdb/influxdb/parser"
Close #677. Extract coordinator.Permissions All ClusterAdmins now qualify as DbAdmins too.
2014-06-22 20:36:42 +00:00
)
type Permissions struct{}
Move permission checking to permissions
2014-08-15 19:07:23 +00:00
func (self *Permissions) CheckQueryPermissions(user common.User, db string, querySpec *parser.QuerySpec) (ok bool, err common.AuthorizationError) {
switch querySpec.Query().Type() {
case parser.Delete:
return self.AuthorizeDeleteQuery(user, db)
case parser.Select:
return self.AuthorizeSelectQuery(user, db, querySpec)
default:
return true, ""
}
}
func (self *Permissions) AuthorizeSelectQuery(user common.User, db string, querySpec *parser.QuerySpec) (ok bool, err common.AuthorizationError) {
// if this isn't a regex query do the permission check here
fromClause := querySpec.SelectQuery().GetFromClause()
for _, n := range fromClause.Names {
if _, ok := n.Name.GetCompiledRegex(); ok {
break
} else if name := n.Name.Name; !user.HasReadAccess(name) {
return false, common.NewAuthorizationError("User doesn't have read access to %s", name)
}
}
return true, ""
}
Close #677. Extract coordinator.Permissions All ClusterAdmins now qualify as DbAdmins too.
2014-06-22 20:36:42 +00:00
func (self *Permissions) AuthorizeDeleteQuery(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permission to write to %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeDropSeries(user common.User, db string, seriesName string) (ok bool, err common.AuthorizationError) {
Non admin database users shouldn't be able to drop series Fix #736
2014-07-22 17:33:51 +00:00
if !user.IsDbAdmin(db) {
Close #677. Extract coordinator.Permissions All ClusterAdmins now qualify as DbAdmins too.
2014-06-22 20:36:42 +00:00
return false, common.NewAuthorizationError("Insufficient permissions to drop series")
}
return true, ""
}
func (self *Permissions) AuthorizeCreateContinuousQuery(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to create continuous query")
}
return true, ""
}
func (self *Permissions) AuthorizeDeleteContinuousQuery(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to delete continuous query")
}
return true, ""
}
func (self *Permissions) AuthorizeListContinuousQueries(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to list continuous queries")
}
return true, ""
}
func (self *Permissions) AuthorizeCreateDatabase(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to create database")
}
return true, ""
}
func (self *Permissions) AuthorizeListDatabases(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to list databases")
}
return true, ""
}
func (self *Permissions) AuthorizeDropDatabase(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to drop database")
}
return true, ""
}
func (self *Permissions) AuthorizeListClusterAdmins(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to list cluster admins")
}
return true, ""
}
func (self *Permissions) AuthorizeCreateClusterAdmin(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to create cluster admin")
}
return true, ""
}
func (self *Permissions) AuthorizeDeleteClusterAdmin(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to delete cluster admin")
}
return true, ""
}
func (self *Permissions) AuthorizeChangeClusterAdminPassword(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to change cluster admin password")
}
return true, ""
}
func (self *Permissions) AuthorizeCreateDbUser(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to create db user on %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeDeleteDbUser(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to delete db user on %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeListDbUsers(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to list db users on %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeGetDbUser(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to get db user on %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeChangeDbUserPassword(user common.User, db string, targetUsername string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) && !(user.GetDb() == db && user.GetName() == targetUsername) {
return false, common.NewAuthorizationError("Insufficient permissions to change db user password for %s on %s", targetUsername, db)
}
return true, ""
}
func (self *Permissions) AuthorizeChangeDbUserPermissions(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to change db user permissions on %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeGrantDbUserAdmin(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to grant db user admin privileges on %s", db)
}
return true, ""
}