Merge pull request #6648 from influxdata/dn-check-admin

check admin exists instead of user count

CHANGELOG.md

@@ -18,6 +18,7 @@
 - [#6618](https://github.com/influxdata/influxdb/pull/6618): Optimize shard loading
 - [#6629](https://github.com/influxdata/influxdb/issues/6629): query-log-enabled in config not ignored anymore.
 - [#6607](https://github.com/influxdata/influxdb/issues/6607): SHOW TAG VALUES accepts != and !~ in WHERE clause.
+- [#6649](https://github.com/influxdata/influxdb/issues/6649): Make sure admin exists before authenticating query.
 
 ## v0.13.0 [2016-05-12]
 

services/httpd/handler.go

@@ -684,8 +684,17 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, *meta.UserInfo)
 		// Retrieve user list.
 		uis := h.MetaClient.Users()
 
+		// See if admin user exists.
+		adminExists := false
+		for i := range uis {
+			if uis[i].Admin {
+				adminExists = true
+				break
+			}
+		}
+
 		// TODO corylanou: never allow this in the future without users
-		if requireAuthentication && len(uis) > 0 {
+		if requireAuthentication && adminExists {
 			creds, err := parseCredentials(r)
 			if err != nil {
 				h.statMap.Add(statAuthFail, 1)
@@ -704,7 +713,7 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, *meta.UserInfo)
 				user, err = h.MetaClient.Authenticate(creds.Username, creds.Password)
 				if err != nil {
 					h.statMap.Add(statAuthFail, 1)
-					httpError(w, err.Error(), false, http.StatusUnauthorized)
+					httpError(w, "authorization failed", false, http.StatusUnauthorized)
 					return
 				}
 			case BearerAuthentication: