diff --git a/cmd/influxd/run/server_default.go b/cmd/influxd/run/server_default.go index 38785aad9f..b394c213a3 100644 --- a/cmd/influxd/run/server_default.go +++ b/cmd/influxd/run/server_default.go @@ -41,6 +41,7 @@ func (s *Server) appendHTTPDService(c httpd.Config) { srv := httpd.NewService(c) srv.Handler.MetaClient = s.MetaClient srv.Handler.QueryAuthorizer = meta.NewQueryAuthorizer(s.MetaClient) + srv.Handler.WriteAuthorizer = meta.NewWriteAuthorizer(s.MetaClient) srv.Handler.QueryExecutor = s.QueryExecutor srv.Handler.PointsWriter = s.PointsWriter srv.Handler.Version = s.buildInfo.Version diff --git a/services/httpd/handler.go b/services/httpd/handler.go index 8df25f5f1d..8fa9aa4198 100644 --- a/services/httpd/handler.go +++ b/services/httpd/handler.go @@ -63,6 +63,10 @@ type Handler struct { AuthorizeQuery(u *meta.UserInfo, query *influxql.Query, database string) error } + WriteAuthorizer interface { + AuthorizeWrite(username, database string) error + } + QueryExecutor *influxql.QueryExecutor PointsWriter interface { @@ -425,9 +429,11 @@ func (h *Handler) serveWrite(w http.ResponseWriter, r *http.Request, user *meta. return } - if h.requireAuthentication && !user.Authorize(influxql.WritePrivilege, database) { - resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized) - return + if h.requireAuthentication { + if err := h.WriteAuthorizer.AuthorizeWrite(user.Name, database); err != nil { + resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized) + return + } } // Handle gzip decoding of the body diff --git a/services/meta/write_authorizer.go b/services/meta/write_authorizer.go new file mode 100644 index 0000000000..ffa2320ce4 --- /dev/null +++ b/services/meta/write_authorizer.go @@ -0,0 +1,27 @@ +package meta + +import ( + "fmt" + + "github.com/influxdata/influxdb/influxql" +) + +type WriteAuthorizer struct { + Client *Client +} + +func NewWriteAuthorizer(c *Client) *WriteAuthorizer { + return &WriteAuthorizer{Client: c} +} + +// AuthorizeWrite returns nil if the user has permission to write to the database. +func (a WriteAuthorizer) AuthorizeWrite(username, database string) error { + u, err := a.Client.User(username) + if err != nil || u == nil || !u.Authorize(influxql.WritePrivilege, database) { + return &ErrAuthorize{ + Database: database, + Message: fmt.Sprintf("%s not authorized to write to %s", username, database), + } + } + return nil +}