Merge pull request #10200 from influxdata/tg-auth

httpd/meta: use open auth when unrestricted
2018-08-21 08:40:23 -07:00 · 2018-08-21 08:40:23 -07:00 · df001c117c
parent 2d266ca186 9d711d9417
commit df001c117c
2 changed files with 12 additions and 2 deletions
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@ -475,8 +475,12 @@ func (h *Handler) serveQuery(w http.ResponseWriter, r *http.Request, user meta.U
 	}

 	if h.Config.AuthEnabled {
-		// The current user determines the authorized actions.
-		opts.Authorizer = user
+		if user != nil && user.AuthorizeUnrestricted() {
+			opts.Authorizer = query.OpenAuthorizer
+		} else {
+			// The current user determines the authorized actions.
+			opts.Authorizer = user
+		}
 	} else {
 		// Auth is disabled, so allow everything.
 		opts.Authorizer = query.OpenAuthorizer
--- a/services/meta/data.go
+++ b/services/meta/data.go
@ -1579,6 +1579,7 @@ type UserInfo struct {
 type User interface {
 	query.Authorizer
 	ID() string
+	AuthorizeUnrestricted() bool
 }

 func (u *UserInfo) ID() string {
@ -1604,6 +1605,11 @@ func (u *UserInfo) AuthorizeSeriesWrite(database string, measurement []byte, tag
 	return true
 }

+// AuthorizeUnrestricted allows admins to shortcut access checks.
+func (u *UserInfo) AuthorizeUnrestricted() bool {
+	return u.Admin
+}
+
 // clone returns a deep copy of si.
 func (ui UserInfo) clone() UserInfo {
 	other := ui