To allow rudimentary security auditing of logs,
add the authenticating ID and the user ID when
possible to the request logs. When a request is
authorized for V1 or V2 API, store the authorizer
object to be used by the logger up the call stack.
closes https://github.com/influxdata/influxdb/issues/24473
* fix: forbid reading OSS buckets for a token with only write permissions
We previously enabled write tokens to also find DBRP buckets, in order to allow
the legacy /write (not /api/v2/write) endpoint to read the DBRP mappings and
find the real bucket id to write to.
This had the unintended consequence of allowing tokens with only write permissions
to read data in buckets via the legacy /query (not /api/v2/query) endpoint with
InfluxQL.
This change fixes the behaviour to allow writing to /write with a write-only
token, while forbidding reading from /query.
* fix: nanosecond precision in tests
* fix: duplicated X-version and X-Build headers for /ping endpoint
Signed-off-by: Jakub Bednar <jakub.bednar@gmail.com>
* chore: change branch to master
* chore: only http/handler.go is responsible for setting headers
Signed-off-by: Jakub Bednar <jakub.bednar@gmail.com>
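
The write-only token fix described above, as an added example: a simplified model of the permission check, not InfluxDB's own code. The `Token` type, the `dbrp` table, the bucket ID and the `LookupLoose` and `Authorize` functions are hypothetical names and constructed values used only for illustration.

```go
package main

import "fmt"

// Action is the operation a token permission grants on a bucket.
type Action string

const (
	Read  Action = "read"
	Write Action = "write"
)

// Token is a hypothetical, simplified token: bucket ID -> granted actions.
type Token map[string][]Action

func (t Token) allows(bucket string, a Action) bool {
	for _, g := range t[bucket] {
		if g == a {
			return true
		}
	}
	return false
}

// dbrp is a constructed DBRP mapping table: "db/rp" -> bucket ID.
var dbrp = map[string]string{"telegraf/autogen": "bucket-01"}

// LookupLoose models the earlier behaviour: read OR write permission is
// enough to resolve the mapping, whichever legacy endpoint is asking.
func LookupLoose(t Token, key string) (string, bool) {
	b, ok := dbrp[key]
	if !ok || !(t.allows(b, Read) || t.allows(b, Write)) {
		return "", false
	}
	return b, true
}

// Authorize models the fixed behaviour: after resolving the mapping, the
// action the endpoint actually performs is checked against the bucket.
func Authorize(t Token, endpoint, key string) bool {
	need := map[string]Action{"/write": Write, "/query": Read}
	a, known := need[endpoint]
	b, ok := dbrp[key]
	return known && ok && t.allows(b, a)
}

func main() {
	w := Token{"bucket-01": {Write}} // constructed write-only token
	_, found := LookupLoose(w, "telegraf/autogen")
	fmt.Println("loose lookup succeeds:", found)
	fmt.Println("/write allowed:", Authorize(w, "/write", "telegraf/autogen"))
	fmt.Println("/query allowed:", Authorize(w, "/query", "telegraf/autogen"))
}
```

A regression test for this class of bug should exercise each endpoint with a write-only and a read-only token, since the mapping lookup succeeding says nothing about which action is permitted.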