David Norton
commit
c3813fc64f
|
|
@ -41,6 +41,7 @@ func (s *Server) appendHTTPDService(c httpd.Config) {
|
||||||
srv := httpd.NewService(c)
|
srv := httpd.NewService(c)
|
||||||
srv.Handler.MetaClient = s.MetaClient
|
srv.Handler.MetaClient = s.MetaClient
|
||||||
srv.Handler.QueryAuthorizer = meta.NewQueryAuthorizer(s.MetaClient)
|
srv.Handler.QueryAuthorizer = meta.NewQueryAuthorizer(s.MetaClient)
|
||||||
|
srv.Handler.WriteAuthorizer = meta.NewWriteAuthorizer(s.MetaClient)
|
||||||
srv.Handler.QueryExecutor = s.QueryExecutor
|
srv.Handler.QueryExecutor = s.QueryExecutor
|
||||||
srv.Handler.PointsWriter = s.PointsWriter
|
srv.Handler.PointsWriter = s.PointsWriter
|
||||||
srv.Handler.Version = s.buildInfo.Version
|
srv.Handler.Version = s.buildInfo.Version
|
||||||
|
|
|
||||||
|
|
@ -63,6 +63,10 @@ type Handler struct {
|
||||||
AuthorizeQuery(u *meta.UserInfo, query *influxql.Query, database string) error
|
AuthorizeQuery(u *meta.UserInfo, query *influxql.Query, database string) error
|
||||||
}
|
}
|
||||||
|
|
||||||
|
WriteAuthorizer interface {
|
||||||
|
AuthorizeWrite(username, database string) error
|
||||||
|
}
|
||||||
|
|
||||||
QueryExecutor *influxql.QueryExecutor
|
QueryExecutor *influxql.QueryExecutor
|
||||||
|
|
||||||
PointsWriter interface {
|
PointsWriter interface {
|
||||||
|
|
@ -425,9 +429,11 @@ func (h *Handler) serveWrite(w http.ResponseWriter, r *http.Request, user *meta.
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if h.requireAuthentication && !user.Authorize(influxql.WritePrivilege, database) {
|
if h.requireAuthentication {
|
||||||
resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized)
|
if err := h.WriteAuthorizer.AuthorizeWrite(user.Name, database); err != nil {
|
||||||
return
|
resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized)
|
||||||
|
return
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Handle gzip decoding of the body
|
// Handle gzip decoding of the body
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,27 @@
|
||||||
|
package meta
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/influxdata/influxdb/influxql"
|
||||||
|
)
|
||||||
|
|
||||||
|
type WriteAuthorizer struct {
|
||||||
|
Client *Client
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewWriteAuthorizer(c *Client) *WriteAuthorizer {
|
||||||
|
return &WriteAuthorizer{Client: c}
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeWrite returns nil if the user has permission to write to the database.
|
||||||
|
func (a WriteAuthorizer) AuthorizeWrite(username, database string) error {
|
||||||
|
u, err := a.Client.User(username)
|
||||||
|
if err != nil || u == nil || !u.Authorize(influxql.WritePrivilege, database) {
|
||||||
|
return &ErrAuthorize{
|
||||||
|
Database: database,
|
||||||
|
Message: fmt.Sprintf("%s not authorized to write to %s", username, database),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
Loading…
Reference in New Issue