All users appear to have admin permissions even when they are granted with limited access rights

[actionjack]

What

I appear to having an issue, the issue is that a user with limited access seems to have equivalent admin access when it has only been give WRITE and READ permissions to a single database.

I have create a user with WRITE and READ privileges to a single influxdb database however the user can see other databases in the InfluxDB console, create new databases and delete all other databases that were not created or owned by it.

Why

I am unsure why this is happening.

How to validate

I've created a Vagrant test environment here.

If you look at defaults/main.yml and tasks/main.yml in the repository you can see that the databases are created using:

defaults/main.yml:

# defaults file for ansible-playbook-influxdb
#
influxdb_version: latest
influxdb_admin_user: root
influxdb_admin_password: root
influxdb_database: testdb
influxdb_user: someuser
influxdb_password: somepassword

tasks/main.yml:

- name: create admin user for all influxdb databases
  shell: "curl -G http://localhost:8086/query --data-urlencode \"u={{ influxdb_admin_user }}\" --data-urlencode \"p={{ influxdb_admin_password }}\" --data-urlencode \"q=CREATE USER {{ influxdb_admin_user }} WITH PASSWORD '{{ influxdb_admin_password }}' WITH ALL PRIVILEGES\""

- name: create influxdb database
  shell: "curl -G http://localhost:8086/query --data-urlencode \"u={{ influxdb_admin_user }}\" --data-urlencode \"p={{ influxdb_admin_password }}\" --data-urlencode \"q=CREATE DATABASE {{ influxdb_database }}\""

- name: create user for influxdb database
  shell: "curl -G http://localhost:8086/query --data-urlencode \"u={{ influxdb_admin_user }}\" --data-urlencode \"p={{ influxdb_admin_password }}\" --data-urlencode \"q=CREATE USER {{ influxdb_user }} WITH PASSWORD {{ influxdb_password }}\""

- name: grant privileges to user for influxdb database
  shell: "curl -G http://localhost:8086/query --data-urlencode \"u={{ influxdb_admin_user }}\" --data-urlencode \"p={{ influxdb_admin_password }}\" --data-urlencode \"q=GRANT ALL ON {{ influxdb_database }} TO {{ influxdb_user }}\""

The Vagrant machine based test case can be used by doing:

git clone git@github.com:alphagov/ansible-playbook-influxdb.git
cd ansible-playbook-influxdb
echo "influxdb_http_auth_enabled: 'true'" >> defaults/main.yml
vagrant up

Point your browser at http://localhost:8083/

• Login as root with password root
• Create a new database
• Logout/Disconnect
• Refresh browser cache (shift and reload)
• Login as someuser with password somepassword
• Create a new a new database (this should not be allowed)
• Delete the database that root created (this should not be allowed either)

[beckettsean]

@actionjack authentication is disabled by default. Did you enable auth in the influxdb.conf? See https://influxdb.com/docs/v0.9/administration/authentication.html for details.

[actionjack]

Hi @beckettsean

I enabled auth by doing the following in the test harness located here by doing :

echo "influxdb_http_auth_enabled: 'true'" >> defaults/main.yml
vagrant up

The above enables http auth by sending the value of true to this template , specifically this:

At line 74:

[http]
  enabled = true
  bind-address = ":8086"
  auth-enabled = {{ influxdb_http_auth_enabled | default('false') }}
  log-enabled = true

[pauldix]

@gunnaraasen is this one done?

[gunnaraasen]

This is fixed in 0.9.2-RC1 by #3244.