Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into sgc/tsm1

pull/19446/head
Stuart Carnie 2020-08-26 10:14:42 -07:00
parent 31f4b1a403 a8fe07bfc7
commit 9163edb187
No known key found for this signature in database
GPG Key ID: 848D9C9718D78B4F
8 changed files with 46 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
checks/service_external_test.go
View File

@ -158,7 +158,6 @@ var taskCmpOptions = cmp.Options{
// skip comparing permissions
cmpopts.IgnoreFields(
influxdb.Task{},
"Authorization",
"LatestCompleted",
"LatestScheduled",
"CreatedAt",

90
http/task_service_test.go
View File

@ -86,21 +86,19 @@ func TestTaskHandler_handleGetTasks(t *testing.T) {
FindTasksFn: func(ctx context.Context, f influxdb.TaskFilter) ([]*influxdb.Task, int, error) {
tasks := []*influxdb.Task{
{
ID: 1,
Name: "task1",
Description: "A little Task",
OrganizationID: 1,
OwnerID: 1,
Organization: "test",
AuthorizationID: 0x100,
ID: 1,
Name: "task1",
Description: "A little Task",
OrganizationID: 1,
OwnerID: 1,
Organization: "test",
},
{
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test",
AuthorizationID: 0x200,
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test",
},
}
return tasks, len(tasks), nil
@ -195,12 +193,11 @@ func TestTaskHandler_handleGetTasks(t *testing.T) {
FindTasksFn: func(ctx context.Context, f influxdb.TaskFilter) ([]*influxdb.Task, int, error) {
tasks := []*influxdb.Task{
{
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test",
AuthorizationID: 0x200,
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test",
},
}
return tasks, len(tasks), nil
@ -269,12 +266,11 @@ func TestTaskHandler_handleGetTasks(t *testing.T) {
FindTasksFn: func(ctx context.Context, f influxdb.TaskFilter) ([]*influxdb.Task, int, error) {
tasks := []*influxdb.Task{
{
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test2",
AuthorizationID: 0x200,
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test2",
},
}
return tasks, len(tasks), nil
@ -342,20 +338,18 @@ func TestTaskHandler_handleGetTasks(t *testing.T) {
FindTasksFn: func(ctx context.Context, f influxdb.TaskFilter) ([]*influxdb.Task, int, error) {
tasks := []*influxdb.Task{
{
ID: 1,
Name: "task1",
OrganizationID: 1,
OwnerID: 1,
Organization: "test2",
AuthorizationID: 0x100,
ID: 1,
Name: "task1",
OrganizationID: 1,
OwnerID: 1,
Organization: "test2",
},
{
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test2",
AuthorizationID: 0x200,
ID: 2,
Name: "task2",
OrganizationID: 2,
OwnerID: 2,
Organization: "test2",
},
}
return tasks, len(tasks), nil
@ -1245,7 +1239,7 @@ func TestTaskHandler_CreateTaskWithOrgName(t *testing.T) {
t.Fatalf("expected task to be created with org ID %s, got %s", o.ID, tc.OrganizationID)
}
return &influxdb.Task{ID: 9, OrganizationID: o.ID, OwnerID: o.ID, AuthorizationID: authz.ID, Name: "x", Flux: tc.Flux}, nil
return &influxdb.Task{ID: 9, OrganizationID: o.ID, OwnerID: o.ID, Name: "x", Flux: tc.Flux}, nil
},
}
@ -1388,9 +1382,8 @@ func TestTaskHandler_Sessions(t *testing.T) {
}
return &influxdb.Task{
ID: taskID,
OrganizationID: o.ID,
AuthorizationID: taskAuth.ID,
ID: taskID,
OrganizationID: o.ID,
}, nil
},
}
@ -1482,9 +1475,8 @@ func TestTaskHandler_Sessions(t *testing.T) {
}
return &influxdb.Task{
ID: taskID,
OrganizationID: o.ID,
AuthorizationID: taskAuth.ID,
ID: taskID,
OrganizationID: o.ID,
}, nil
},
}
@ -1578,9 +1570,8 @@ func TestTaskHandler_Sessions(t *testing.T) {
}
return &influxdb.Task{
ID: taskID,
OrganizationID: o.ID,
AuthorizationID: taskAuth.ID,
ID: taskID,
OrganizationID: o.ID,
}, nil
},
}
@ -1673,9 +1664,8 @@ func TestTaskHandler_Sessions(t *testing.T) {
}
return &influxdb.Task{
ID: taskID,
OrganizationID: o.ID,
AuthorizationID: taskAuth.ID,
ID: taskID,
OrganizationID: o.ID,
}, nil
},
}

13
kv/service.go
View File

@ -1,7 +1,6 @@
package kv
import (
"context"
"time"
"github.com/benbjohnson/clock"
@ -50,8 +49,6 @@ type Service struct {
variableStore *IndexStore
urmByUserIndex *Index
disableAuthorizationsForMaxPermissions func(context.Context) bool
}
// NewService returns an instance of a Service.
@ -71,9 +68,6 @@ func NewService(log *zap.Logger, kv Store, configs ...ServiceConfig) *Service {
endpointStore: newEndpointStore(),
variableStore: newVariableStore(),
urmByUserIndex: NewIndex(URMByUserIndexMapping, WithIndexReadPathEnabled),
disableAuthorizationsForMaxPermissions: func(context.Context) bool {
return false
},
}
if len(configs) > 0 {
@ -110,10 +104,3 @@ func (s *Service) WithResourceLogger(audit resource.Logger) {
func (s *Service) WithStore(store Store) {
s.kv = store
}
// WithMaxPermissionFunc sets the useAuthorizationsForMaxPermissions function
// which can trigger whether or not max permissions uses the users authorizations
// to derive maximum permissions.
func (s *Service) WithMaxPermissionFunc(fn func(context.Context) bool) {
s.disableAuthorizationsForMaxPermissions = fn
}

109
kv/task.go
View File

@ -88,19 +88,11 @@ func kvToInfluxTask(k *kvTask) *influxdb.Task {
func (s *Service) FindTaskByID(ctx context.Context, id influxdb.ID) (*influxdb.Task, error) {
var t *influxdb.Task
err := s.kv.View(ctx, func(tx Tx) error {
if influxdb.FindTaskAuthRequired(ctx) {
task, err := s.findTaskByIDWithAuth(ctx, tx, id)
if err != nil {
return err
}
t = task
} else {
task, err := s.findTaskByID(ctx, tx, id)
if err != nil {
return err
}
t = task
task, err := s.findTaskByID(ctx, tx, id)
if err != nil {
return err
}
t = task
return nil
})
if err != nil {
@ -110,35 +102,6 @@ func (s *Service) FindTaskByID(ctx context.Context, id influxdb.ID) (*influxdb.T
return t, nil
}
// findTaskByIDWithAuth is a task lookup that populates the auth
// This is to be used when we want to satisfy the FindTaskByID method
// But is more taxing on the system then if we want to find the task alone.
func (s *Service) findTaskByIDWithAuth(ctx context.Context, tx Tx, id influxdb.ID) (*influxdb.Task, error) {
t, err := s.findTaskByID(ctx, tx, id)
if err != nil {
return nil, err
}
t.Authorization = &influxdb.Authorization{
Status: influxdb.Active,
ID: influxdb.ID(1),
OrgID: t.OrganizationID,
UserID: t.OwnerID,
}
if t.OwnerID.Valid() {
ctx = icontext.SetAuthorizer(ctx, t.Authorization)
// populate task Auth
ps, err := s.maxPermissions(ctx, tx, t.OwnerID)
if err != nil {
return nil, err
}
t.Authorization.Permissions = ps
}
return t, nil
}
// findTaskByID is an internal method used to do any action with tasks internally
// that do not require authorization.
func (s *Service) findTaskByID(ctx context.Context, tx Tx, id influxdb.ID) (*influxdb.Task, error) {
@ -297,11 +260,6 @@ func (s *Service) findTasksByUser(ctx context.Context, tx Tx, filter influxdb.Ta
return nil, 0, influxdb.ErrUnexpectedTaskBucketErr(err)
}
ps, err := s.maxPermissions(ctx, tx, *filter.User)
if err != nil {
return nil, 0, err
}
matchFn := newTaskMatchFn(filter, nil)
for k, v := c.Next(); k != nil; k, v = c.Next() {
@ -312,14 +270,6 @@ func (s *Service) findTasksByUser(ctx context.Context, tx Tx, filter influxdb.Ta
t := kvToInfluxTask(kvTask)
if matchFn == nil || matchFn(t) {
t.Authorization = &influxdb.Authorization{
Status: influxdb.Active,
UserID: t.OwnerID,
ID: influxdb.ID(1),
OrgID: t.OrganizationID,
Permissions: ps,
}
ts = append(ts, t)
if len(ts) >= filter.Limit {
@ -399,7 +349,7 @@ func (s *Service) findTasksByOrg(ctx context.Context, tx Tx, filter influxdb.Tas
return nil, 0, influxdb.ErrInvalidTaskID
}
t, err := s.findTaskByIDWithAuth(ctx, tx, *id)
t, err := s.findTaskByID(ctx, tx, *id)
if err != nil {
if err == influxdb.ErrTaskNotFound {
// we might have some crufty index's
@ -656,16 +606,6 @@ func (s *Service) createTask(ctx context.Context, tx Tx, tc influxdb.TaskCreate)
return nil, influxdb.ErrUnexpectedTaskBucketErr(err)
}
// populate permissions so the task can be used immediately
// if we cant populate here we shouldn't error.
ps, _ := s.maxPermissions(ctx, tx, task.OwnerID)
task.Authorization = &influxdb.Authorization{
Status: influxdb.Active,
ID: influxdb.ID(1),
OrgID: task.OrganizationID,
Permissions: ps,
}
uid, _ := icontext.GetUserID(ctx)
if err := s.audit.Log(resource.Change{
Type: resource.Create,
@ -1711,42 +1651,3 @@ func ExtractTaskOptions(ctx context.Context, lang influxdb.FluxLanguageService,
}
return options.FromScript(lang, flux)
}
func (s *Service) maxPermissions(ctx context.Context, tx Tx, userID influxdb.ID) ([]influxdb.Permission, error) {
// TODO(desa): these values should be cached so it's not so expensive to lookup each time.
f := influxdb.UserResourceMappingFilter{UserID: userID}
mappings, err := s.findUserResourceMappings(ctx, tx, f)
if err != nil {
return nil, &influxdb.Error{
Err: err,
}
}
ps := make([]influxdb.Permission, 0, len(mappings))
for _, m := range mappings {
p, err := m.ToPermissions()
if err != nil {
return nil, &influxdb.Error{
Err: err,
}
}
ps = append(ps, p...)
}
ps = append(ps, influxdb.MePermissions(userID)...)
if !s.disableAuthorizationsForMaxPermissions(ctx) {
// TODO(desa): this is super expensive, we should keep a list of a users maximal privileges somewhere
// we did this so that the oper token would be used in a users permissions.
af := influxdb.AuthorizationFilter{UserID: &userID}
as, err := s.findAuthorizations(ctx, tx, af)
if err != nil {
return nil, err
}
for _, a := range as {
ps = append(ps, a.Permissions...)
}
}
return ps, nil
}

1
kv/task_test.go
View File

@ -165,7 +165,6 @@ func TestRetrieveTaskWithBadAuth(t *testing.T) {
return err
}
task.OwnerID = influxdb.ID(1)
task.AuthorizationID = influxdb.ID(132) // bad id or an id that doesnt match any auth
tbyte, err := json.Marshal(task)
if err != nil {
return err

20
task.go
View File

@ -29,32 +29,12 @@ var (
TaskSystemType = "system"
)
type contextKey string
const (
taskAuthKey contextKey = "taskAuth"
)
// TODO: these are temporary functions until we can work through optimizing auth
// FindTaskWithAuth adds a auth hint for lookup of tasks
func FindTaskWithoutAuth(ctx context.Context) context.Context {
return context.WithValue(ctx, taskAuthKey, "omit")
}
// FindTaskAuthRequired retrieves the taskAuth hint
func FindTaskAuthRequired(ctx context.Context) bool {
val, ok := ctx.Value(taskAuthKey).(string)
return !(ok && val == "omit")
}
// Task is a task. 🎊
type Task struct {
ID ID `json:"id"`
Type string `json:"type,omitempty"`
OrganizationID ID `json:"orgID"`
Organization string `json:"org"`
AuthorizationID ID `json:"-"`
Authorization *Authorization `json:"-"`
OwnerID ID `json:"ownerID"`
Name string `json:"name"`
Description string `json:"description,omitempty"`

2
task/backend/analytical_storage.go
View File

@ -70,7 +70,7 @@ type AnalyticalStorage struct {
func (as *AnalyticalStorage) FinishRun(ctx context.Context, taskID, runID influxdb.ID) (*influxdb.Run, error) {
run, err := as.TaskControlService.FinishRun(ctx, taskID, runID)
if run != nil && run.ID.String() != "" {
task, err := as.TaskService.FindTaskByID(influxdb.FindTaskWithoutAuth(ctx), run.TaskID)
task, err := as.TaskService.FindTaskByID(ctx, run.TaskID)
if err != nil {
return run, err
}

6
task/servicetest/servicetest.go
View File

@ -280,8 +280,6 @@ func testTaskCRUD(t *testing.T, sys *System) {
LatestScheduled: tsk.LatestScheduled,
OrganizationID: cr.OrgID,
Organization: cr.Org,
AuthorizationID: tsk.AuthorizationID,
Authorization: tsk.Authorization,
OwnerID: tsk.OwnerID,
Name: "task #0",
Cron: "* * * * *",
@ -291,10 +289,6 @@ func testTaskCRUD(t *testing.T, sys *System) {
Type: influxdb.TaskSystemType,
}
// tasks sets user id on authorization to that
// of the tasks owner
want.Authorization.UserID = tsk.OwnerID
for fn, f := range found {
if diff := cmp.Diff(f, want); diff != "" {
t.Logf("got: %+#v", f)