fix: enable write-only users to pass auth checks in the V1 API (#19945)

Daniel Moran 2020-11-09 18:10:35 -05:00 committed by GitHub
parent 07e009c616
commit 3317ea0644
3 changed files with 9 additions and 3 deletions


@ -10,6 +10,7 @@
1. [19928](https://github.com/influxdata/influxdb/pull/19928): Fix parsing of retention policy CLI args in `influx setup` and `influxd upgrade`
1. [19952](https://github.com/influxdata/influxdb/pull/19952): Use `db`/`rp` naming convention when migrating DBs to buckets
1. [19925](https://github.com/influxdata/influxdb/pull/19937): Create CLI configs in `influxd upgrade`
1. [19945](https://github.com/influxdata/influxdb/pull/19945): Allow write-only V1 tokens to find DBRPs
## v2.0.0-rc.4 [2020-11-05]


@ -6,13 +6,18 @@ import (
"github.com/influxdata/influxdb/v2"
)
// AuthorizeFindDBRPs takes the given items and returns only the ones that the user is authorized to read.
// AuthorizeFindDBRPs takes the given items and returns only the ones that the user is authorized to access.
func AuthorizeFindDBRPs(ctx context.Context, rs []*influxdb.DBRPMappingV2) ([]*influxdb.DBRPMappingV2, int, error) {
// This filters without allocating
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rrs := rs[:0]
for _, r := range rs {
// N.B. we have to check both read and write permissions here to support the legacy write-path,
// which calls AuthorizeFindDBRPs when locating the bucket underlying a DBRP target.
_, _, err := AuthorizeRead(ctx, influxdb.BucketsResourceType, r.BucketID, r.OrganizationID)
if err != nil {
_, _, err = AuthorizeWrite(ctx, influxdb.BucketsResourceType, r.BucketID, r.OrganizationID)
}
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, 0, err
}
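Review bot: An AuthorizeRead failure other than EUnauthorized is discarded by the added fallback at `if err != nil {`, because err is unconditionally overwritten with the AuthorizeWrite result; a read-side internal error on a bucket the token can write then lets the mapping through as if the read check had passed, and only the write error is ever inspected on the following line. Fall back to the write check only on an actual permission denial: `if err != nil && influxdb.ErrorCode(err) == influxdb.EUnauthorized {`. Since the doc comment now says "authorized to access", it would help to spell out that this means read-or-write on the underlying bucket. The loop body and the return of AuthorizeFindDBRPs continue outside the hunk.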


@ -954,8 +954,8 @@ func (m *Launcher) run(ctx context.Context) (err error) {
}
}
dbrpSvc := dbrp.NewService(ctx, authorizer.NewBucketService(ts.BucketService), m.kvStore)
dbrpSvc = dbrp.NewAuthorizedService(dbrpSvc)
// N.B. the BucketService used by the DBRP service doesn't perform authorization.
dbrpSvc := dbrp.NewAuthorizedService(dbrp.NewService(ctx, ts.BucketService, m.kvStore))
cm := iqlcontrol.NewControllerMetrics([]string{})
m.reg.MustRegister(cm.PrometheusCollectors()...)
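Review bot: The comment above the new dbrp.NewService line says the bucket service performs no authorization but not why that is acceptable, so a later reader may re-wrap it with authorizer.NewBucketService and reintroduce the write-only failure this commit fixes. Make the boundary explicit: `// N.B. the BucketService handed to the DBRP service intentionally performs no authorization; access to DBRP mappings is enforced by dbrp.NewAuthorizedService (AuthorizeFindDBRPs checks read-or-write on the bucket), so this unwrapped service must not be exposed elsewhere.` Presumably the inner service only uses it to resolve buckets by ID, which is what makes the outer wrapper sufficient as the sole check; worth confirming before relying on it. Launcher.run starts and ends outside the hunk.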