Merge pull request #6418 from influxdata/dn-auth

add WriteAuthorizer interface
2016-04-19 08:01:27 -04:00 · 2016-04-19 08:01:27 -04:00 · c3813fc64f
parent 5a53fc5d0d 5e9ff7bc93
commit c3813fc64f
3 changed files with 37 additions and 3 deletions
--- a/cmd/influxd/run/server_default.go
+++ b/cmd/influxd/run/server_default.go
@ -41,6 +41,7 @@ func (s *Server) appendHTTPDService(c httpd.Config) {
 	srv := httpd.NewService(c)
 	srv.Handler.MetaClient = s.MetaClient
 	srv.Handler.QueryAuthorizer = meta.NewQueryAuthorizer(s.MetaClient)
+	srv.Handler.WriteAuthorizer = meta.NewWriteAuthorizer(s.MetaClient)
 	srv.Handler.QueryExecutor = s.QueryExecutor
 	srv.Handler.PointsWriter = s.PointsWriter
 	srv.Handler.Version = s.buildInfo.Version
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@ -63,6 +63,10 @@ type Handler struct {
 		AuthorizeQuery(u *meta.UserInfo, query *influxql.Query, database string) error
 	}

+	WriteAuthorizer interface {
+		AuthorizeWrite(username, database string) error
+	}
+
 	QueryExecutor *influxql.QueryExecutor

 	PointsWriter interface {
@ -425,9 +429,11 @@ func (h *Handler) serveWrite(w http.ResponseWriter, r *http.Request, user *meta.
 		return
 	}

-	if h.requireAuthentication && !user.Authorize(influxql.WritePrivilege, database) {
-		resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized)
-		return
+	if h.requireAuthentication {
+		if err := h.WriteAuthorizer.AuthorizeWrite(user.Name, database); err != nil {
+			resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized)
+			return
+		}
 	}

 	// Handle gzip decoding of the body
--- a/services/meta/write_authorizer.go
+++ b/services/meta/write_authorizer.go
@ -0,0 +1,27 @@
+package meta
+
+import (
+	"fmt"
+
+	"github.com/influxdata/influxdb/influxql"
+)
+
+type WriteAuthorizer struct {
+	Client *Client
+}
+
+func NewWriteAuthorizer(c *Client) *WriteAuthorizer {
+	return &WriteAuthorizer{Client: c}
+}
+
+// AuthorizeWrite returns nil if the user has permission to write to the database.
+func (a WriteAuthorizer) AuthorizeWrite(username, database string) error {
+	u, err := a.Client.User(username)
+	if err != nil || u == nil || !u.Authorize(influxql.WritePrivilege, database) {
+		return &ErrAuthorize{
+			Database: database,
+			Message:  fmt.Sprintf("%s not authorized to write to %s", username, database),
+		}
+	}
+	return nil
+}