influxdb/services/meta/write_authorizer.go

package meta

import (
	"fmt"

	"github.com/influxdata/influxdb/influxql"
)

// WriteAuthorizer determines whether a user is authorized to write to a given database.
type WriteAuthorizer struct {
	Client *Client
}

// NewWriteAuthorizer returns a new instance of WriteAuthorizer.
func NewWriteAuthorizer(c *Client) *WriteAuthorizer {
	return &WriteAuthorizer{Client: c}
}

// AuthorizeWrite returns nil if the user has permission to write to the database.
func (a WriteAuthorizer) AuthorizeWrite(username, database string) error {
	u, err := a.Client.User(username)
	if err != nil || u == nil || !u.AuthorizeDatabase(influxql.WritePrivilege, database) {
		return &ErrAuthorize{
			Database: database,
			Message:  fmt.Sprintf("%s not authorized to write to %s", username, database),
		}
	}
	return nil
}
add WriteAuthorizer interface 2016-04-19 02:25:53 +00:00			`package meta`

			`import (`
			`"fmt"`

			`"github.com/influxdata/influxdb/influxql"`
			`)`

Update godoc for services The admin service was deliberately skipped due to it being deprecated. 2016-12-31 01:17:59 +00:00			`// WriteAuthorizer determines whether a user is authorized to write to a given database.`
add WriteAuthorizer interface 2016-04-19 02:25:53 +00:00			`type WriteAuthorizer struct {`
			`Client *Client`
			`}`

Update godoc for services The admin service was deliberately skipped due to it being deprecated. 2016-12-31 01:17:59 +00:00			`// NewWriteAuthorizer returns a new instance of WriteAuthorizer.`
add WriteAuthorizer interface 2016-04-19 02:25:53 +00:00			`func NewWriteAuthorizer(c Client) WriteAuthorizer {`
			`return &WriteAuthorizer{Client: c}`
			`}`

			`// AuthorizeWrite returns nil if the user has permission to write to the database.`
			`func (a WriteAuthorizer) AuthorizeWrite(username, database string) error {`
			`u, err := a.Client.User(username)`
Allow non-admin users to execute SHOW DATABASES This commit introduces a new interface type, influxql.Authorizer, that is passed as part of a statement's execution context and determines whether the context is permitted to access a given database. In the future, the Authorizer interface may be expanded to other resources besides databases. In this commit, the Authorizer interface is specifically used to determine which databases are returned when executing SHOW DATABASES. When HTTP authentication is enabled, the existing meta.UserInfo struct implements Authorizer, meaning admin users can SHOW every database, and non-admin users can SHOW only databases for which they have read and/or write permission. When HTTP authentication is disabled, all databases are visible through SHOW DATABASES. This addresses a long-standing issue where Chronograf or Grafana would be unable to list databases if the logged-in user did not have admin privileges. Fixes #4785. 2017-02-09 19:32:52 +00:00			`if err != nil \|\| u == nil \|\| !u.AuthorizeDatabase(influxql.WritePrivilege, database) {`
add WriteAuthorizer interface 2016-04-19 02:25:53 +00:00			`return &ErrAuthorize{`
			`Database: database,`
			`Message: fmt.Sprintf("%s not authorized to write to %s", username, database),`
			`}`
			`}`
			`return nil`
			`}`