refactor(http): Simplify Authorizer (#17704)

Have AuthorizerIsOpen() assert if a given authizer has an AuthorizeUnrestricted() method and if so, call that to provide the result of AuthorizerIsOpen(). Otherwise we check if the supplied Authorizer is nil. This preserves the fast-path for checking tag-level (and other) tsdb operations. This simplifies how we handle such authorizers by handling this case in only one place.
2020-04-15 08:59:52 -04:00 · 2020-04-15 08:59:52 -04:00 · f51709f09c
parent 5c8b2a9f8e
commit f51709f09c
2 changed files with 5 additions and 6 deletions
--- a/query/executor.go
+++ b/query/executor.go
@ -111,6 +111,9 @@ func (a openAuthorizer) AuthorizeQuery(_ string, _ *influxql.Query) error { retu
 // function should be preferred over directly checking if an Authorizer is nil
 // or not.
 func AuthorizerIsOpen(a Authorizer) bool {
+	if u, ok := a.(interface{ AuthorizeUnrestricted() bool }); ok {
+		return u.AuthorizeUnrestricted()
+	}
 	return a == nil || a == OpenAuthorizer
 }

--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@ -585,12 +585,8 @@ func (h *Handler) serveQuery(w http.ResponseWriter, r *http.Request, user meta.U
 	}

 	if h.Config.AuthEnabled {
-		if user != nil && user.AuthorizeUnrestricted() {
-			opts.Authorizer = query.OpenAuthorizer
-		} else {
-			// The current user determines the authorized actions.
-			opts.Authorizer = user
-		}
+		// The current user determines the authorized actions.
+		opts.Authorizer = user
 	} else {
 		// Auth is disabled, so allow everything.
 		opts.Authorizer = query.OpenAuthorizer