From 9d711d9417bbe2f96c65c0a79d0cf4446fd9422c Mon Sep 17 00:00:00 2001
From: Tanya Gordeeva
Date: Wed, 15 Aug 2018 08:52:13 -0700
Subject: [PATCH] httpd/meta: use open auth when unrestricted

This changes adds additional auth shortcutting, primarily for enterprise usecases with simple FGA setups. OSS users won't see any changes.
---
 services/httpd/handler.go | 8 ++++++--
 services/meta/data.go | 6 ++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index 440c5381b4..c574a21e82 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -475,8 +475,12 @@ func (h *Handler) serveQuery(w http.ResponseWriter, r *http.Request, user meta.U
 }
 
 if h.Config.AuthEnabled {
- // The current user determines the authorized actions.
- opts.Authorizer = user
+ if user != nil && user.AuthorizeUnrestricted() {
+ opts.Authorizer = query.OpenAuthorizer
+ } else {
+ // The current user determines the authorized actions.
+ opts.Authorizer = user
+ }
 } else {
 // Auth is disabled, so allow everything.
 opts.Authorizer = query.OpenAuthorizer
diff --git a/services/meta/data.go b/services/meta/data.go
index 14c39d66b6..7aeb06c587 100644
--- a/services/meta/data.go
+++ b/services/meta/data.go
@@ -1579,6 +1579,7 @@ type UserInfo struct {
 type User interface {
 query.Authorizer
 ID() string
+ AuthorizeUnrestricted() bool
 }
 
 func (u *UserInfo) ID() string {
@@ -1604,6 +1605,11 @@ func (u *UserInfo) AuthorizeSeriesWrite(database string, measurement []byte, tag
 return true
 }
 
+// AuthorizeUnrestricted allows admins to shortcut access checks.
+func (u *UserInfo) AuthorizeUnrestricted() bool {
+ return u.Admin
+}
+
 // clone returns a deep copy of si.
 func (ui UserInfo) clone() UserInfo {
 other := ui
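Review bot: The `user != nil` guard in the new serveQuery branch only catches a nil interface; a `meta.User` that wraps a nil `*UserInfo` passes it, and `AuthorizeUnrestricted()` (added in services/meta/data.go by this patch) would then dereference `u.Admin` and panic. Whether such a value can reach this point is not visible in the hunk, so it should be confirmed against the code that authenticates the request. This is also the one place where an authenticated user is replaced by `query.OpenAuthorizer`, so the branch deserves a comment stating the invariant, for example `// Admin shortcut: skips every per-database and per-series check, so this must be false for any restricted user.` serveQuery starts and ends outside the hunk.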
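Review bot: The new `AuthorizeUnrestricted() bool` entry on the `User` interface has no doc comment, yet this is where other implementers will look to learn what returning true commits them to. Because the handler turns a true result into `query.OpenAuthorizer`, the contract should be written down here, for example `// AuthorizeUnrestricted reports whether all authorization checks may be skipped; return true only if every query.Authorizer method would allow any input.` Adding a method to the interface also means every other `meta.User` implementation must gain it. The commit message mentions enterprise setups, so such implementations presumably exist outside this patch and should default to false.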
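Review bot: Nothing in the patch pins `return u.Admin` to the behaviour of the per-resource methods it now short-circuits on the query path, and the diffstat shows no test file. Only `AuthorizeSeriesWrite` is visible in this hunk's context; the other `query.Authorizer` methods on `UserInfo` are outside it, so their equivalence for admins is assumed rather than shown. A small table test would guard against drift in two ways. It should assert that `AuthorizeUnrestricted()` is false when `Admin` is false, and that an admin user is allowed by every `Authorize*` method.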