Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
influxdb/query
History
WeblWabl 5778e075c2
fix: fixes bug with authorizer leakage in show queries (#27196) 
This PR fixes and authorization leak when running `SHOW QUERIES` as a user with access to the database you are using. 

Previously non-admin users could run `SHOW QUERIES` on DBs they owned, but, there was no filtering to stop them from seeing queries on other dbs too: 

```
# as admin
> CREATE USER bar WITH PASSWORD 'password'
> GRANT ALL on "mydb" TO "bar"

# as 'bar' user
> SHOW QUERIES
ERR: error authorizing query: bar not authorized to execute statement 'SHOW QUERIES', requires READ on
> use mydb
Using database mydb
> SHOW QUERIES
qid query                 database     duration status
--- -----                 --------     -------- ------
31  SELECT * FROM actions foobar 585ms    running                       # this wasn't granted to 'bar'!!
32  SHOW QUERIES          mydb         15µs     running
```
 		2026-02-06 16:02:57 -06:00
..
control chore: upgrade flux to v1.167.0 for 1.x (#23349) 2022-05-17 15:59:24 -04:00
internal feat: Upgrade flux to v0.196.1 (#26041) 2025-02-20 13:46:06 -06:00
neldermead move RewriteStatement and neldermead to influxdb/query package 2017-10-30 10:24:15 -07:00
call_iterator.go feat(query): Hyper log log operators in influxql (#20603) 2021-02-08 08:38:14 -05:00
call_iterator_test.go Cleanup query package 2018-01-21 12:08:23 -08:00
cast.go Fix subquery functionality when a function references a tag from the subquery 2018-10-04 10:05:20 -05:00
compile.go fix: error instead of panic for statement rewrite failure (#21792) 2021-07-06 11:05:21 -04:00
compile_test.go chore: upgrade to influxdata/influxql v1.2.0 (#24764) 2024-03-14 12:42:03 -05:00
cursor.go fix(fill): fill resets the previous value when a new series or window is encountered (#13459) 2019-04-18 10:44:15 -04:00
emitter.go Modify the Select call to return a Cursor 2018-03-09 12:47:41 -06:00
encode.go chore: upgrade Go to v1.19.3 (1.x) (#23941) 2022-11-28 12:15:47 -05:00
encode_test.go fix: tsi index should compact old or too-large log files (#21943) 2021-07-26 17:40:15 -04:00
execution_context.go fix: return correct count of ErrNotExecuted (#22273) 2021-08-24 11:27:10 -07:00
executor.go feat: show user when displaying or logging queries (#26981) 2025-11-19 13:21:57 -08:00
executor_test.go fix: fixes bug with authorizer leakage in show queries (#27196) 2026-02-06 16:02:57 -06:00
explain.go Modify the Select call to return a Cursor 2018-03-09 12:47:41 -06:00
functions.gen.go feat(query): Hyper log log operators in influxql (#20603) 2021-02-08 08:38:14 -05:00
functions.gen.go.tmpl feat(query): Hyper log log operators in influxql (#20603) 2021-02-08 08:38:14 -05:00
functions.go chore: upgrade Go to v1.19.3 (1.x) (#23941) 2022-11-28 12:15:47 -05:00
functions_test.go feat(query): Hyper log log operators in influxql (#20603) 2021-02-08 08:38:14 -05:00
iterator.gen.go fix: return MergeIterator.Close errors (#24975) 2024-05-13 15:10:56 -07:00
iterator.gen.go.tmpl fix: return MergeIterator.Close errors (#24975) 2024-05-13 15:10:56 -07:00
iterator.go fix: GROUP BY queries with offset that crosses a DST boundary fail. (#25082) 2024-06-24 10:24:34 -07:00
iterator_mapper.go Fix subquery functionality when a function references a tag from the subquery 2018-10-04 10:05:20 -05:00
iterator_mapper_test.go Strip tags from a subquery when the outer query does not group by that tag 2018-10-04 10:05:46 -05:00
iterator_test.go fix: GROUP BY queries with offset that crosses a DST boundary fail. (#25082) 2024-06-24 10:24:34 -07:00
linear.go Add unsigned iterators for all types 2017-09-18 15:09:10 -05:00
math.go Fix #10261 ABS(int64) 2018-09-11 21:53:44 +01:00
math_test.go Fix #10261 ABS(int64) 2018-09-11 21:53:44 +01:00
monitor.go Modify context key type 2018-10-16 11:25:33 +09:00
monitor_test.go fix: fix typo 'exceeed' with 'exceeded' (#25292) 2024-09-09 15:15:25 -07:00
point.gen.go build: upgrade protobuf library (#22606) 2021-10-15 11:42:47 -05:00
point.gen.go.tmpl build: upgrade protobuf library (#22606) 2021-10-15 11:42:47 -05:00
point.go build: upgrade protobuf library (#22606) 2021-10-15 11:42:47 -05:00
point_test.go Separate the query engine into a separate package 2017-08-16 13:38:43 -05:00
query.go build: upgrade protobuf library (#22606) 2021-10-15 11:42:47 -05:00
result.go influxdata/influxdb/influxql -> influxdata/influxql 2017-10-30 14:40:26 -07:00
select.go fix: do not panic on invalid multiple subqueries (#26143) 2025-03-14 13:38:57 -07:00
select_test.go fix: do not panic on invalid multiple subqueries (#26143) 2025-03-14 13:38:57 -07:00
statement_rewriter.go fix: Optimize SHOW FIELD KEY CARDINALITY (#23871) 2022-11-08 08:32:10 -08:00
statement_rewriter_test.go fix: Optimize SHOW FIELD KEY CARDINALITY (#23871) 2022-11-08 08:32:10 -08:00
subquery.go Strip tags from a subquery when the outer query does not group by that tag 2018-10-04 10:05:46 -05:00
subquery_test.go feat: add hook for optimizing series reads based on authorizer (#25207) 2024-08-02 15:03:44 -05:00
task_manager.go fix: fixes bug with authorizer leakage in show queries (#27196) 2026-02-06 16:02:57 -06:00
tmpldata Separate the query engine into a separate package 2017-08-16 13:38:43 -05:00