From 7ed188185da1f8c948a2447188c1fa6fc5e43384 Mon Sep 17 00:00:00 2001
From: David Norton
Date: Tue, 17 May 2016 08:07:37 -0400
Subject: [PATCH] check admin exists instead of user count

When authenticating a request, check that an admin user exists instead of checking for len(users) > 0. This prevents getting stuck with no admin user and being unable to create one.
---
 CHANGELOG.md | 1 +
 services/httpd/handler.go | 13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6d99f05c9..5dad5c7317 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@
 - [#6618](https://github.com/influxdata/influxdb/pull/6618): Optimize shard loading
 - [#6629](https://github.com/influxdata/influxdb/issues/6629): query-log-enabled in config not ignored anymore.
 - [#6607](https://github.com/influxdata/influxdb/issues/6607): SHOW TAG VALUES accepts != and !~ in WHERE clause.
+- [#6649](https://github.com/influxdata/influxdb/issues/6649): Make sure admin exists before authenticating query.
 ## v0.13.0 [2016-05-12]
diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index 297e579088..d2cef6b406 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -684,8 +684,17 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, *meta.UserInfo)
 // Retrieve user list.
 uis := h.MetaClient.Users()
+ // See if admin user exists.
+ adminExists := false
+ for i := range uis {
+ if uis[i].Admin {
+ adminExists = true
+ break
+ }
+ }
+
 // TODO corylanou: never allow this in the future without users
- if requireAuthentication && len(uis) > 0 {
+ if requireAuthentication && adminExists {
 creds, err := parseCredentials(r)
 if err != nil {
 h.statMap.Add(statAuthFail, 1)
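Review bot: With `requireAuthentication` set, any state in which no user has `Admin` makes `if requireAuthentication && adminExists` false, so the credential check in this block is skipped for every request passing through `authenticate`, not only the one that creates the first admin. Before this change that fail-open window existed only while the user list was empty; it now also covers installations that have ordinary users but no admin. Say so at the guard, e.g. `// No admin yet: requests are NOT authenticated so that the first admin can be created.`, and consider restricting the unauthenticated path to the admin-creation request, rejecting everything else with 401. The function starts and ends outside this hunk, so how `inner` treats a nil user is not visible here.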
@@ -704,7 +713,7 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, *meta.UserInfo)
 user, err = h.MetaClient.Authenticate(creds.Username, creds.Password)
 if err != nil {
 h.statMap.Add(statAuthFail, 1)
- httpError(w, err.Error(), false, http.StatusUnauthorized)
+ httpError(w, "authorization failed", false, http.StatusUnauthorized)
 return
 }
 case BearerAuthentication:
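Review bot: The error returned by `h.MetaClient.Authenticate` is now discarded in this branch, so beyond the `statAuthFail` counter the server keeps no record of why a login was refused. Sending the client a fixed string is the right call, since the response no longer distinguishes an unknown user from a wrong password, but that detail is what an operator needs to notice password guessing; write `err` and `creds.Username` to the server log before the `httpError` call. A 401 from a credential check is an authentication failure, so `"authentication failed"` would describe it more accurately than `"authorization failed"`. The `parseCredentials` failure path above and the `BearerAuthentication` case below continue outside this hunk; if they still return `err.Error()` to the client, they need the same treatment.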