Closed gshif closed 5 years ago
The simplest use case for token/authorization modification is the event of a compromised token. You wouldn't want to delete the task and lose its history.
That being said, I was able to modify the token and authorization on a task from the command-line just now from master at a499a8b0d9e10a64d8f27a4e2366242a9cea38c8 with a fresh bolt database that had just been onboarded.
First create a simple task, and it automatically refers to the lone authorization belonging to my user, from using influx setup:
$ ./influx task create --org-id 03708ce16e72e000 'option task = {name: "x", every: 30s} from(bucket:"a") |> range(start:-1m)'
ID Name OrganizationID Organization AuthorizationID Status Every Cron
03708d79a779a000 x 03708ce16e72e000 a 03708ce16e72e002 active 30s
$ ./influx auth find
ID Token Status User UserID Permissions
03708ce16e72e002 o943yre05phvFTlobvfYYxQXER516U67xz8UOmbhFOrpZO7PLF6gxXi1NF4c0jq5Jmqx3BxzIIe9OFG0wsOYNw== active <nil> 03708ce15bb2e000 [read:authorizations ...]
Then create a new authorization:
$ ./influx auth create -o a --read-buckets --read-tasks
ID Token Status UserID Permissions
03708e499f32e000 Z5zScKorTEqs6geMAaRqFPL-0ef4IdB79zE-pne9bJa0Ok-4fQhlv8KGXcWQrQMjGsJzzwg0hXIfRivRMCUttg== active 03708ce15bb2e000 [read:orgs/03708ce16e72e000/buckets read:orgs/03708ce16e72e000/tasks]
Then use curl to patch the task. I provide the token belonging to the authorization I just created, and the response reports the new authorization's ID:
$ curl -H "Authorization: Token $(cat ~/.influxdbv2/credentials)" -XPATCH 'http://localhost:9999/api/v2/tasks/03708d79a779a000' --data-binary '{"token": "Z5zScKorTEqs6geMAaRqFPL-0ef4IdB79zE-pne9bJa0Ok-4fQhlv8KGXcWQrQMjGsJzzwg0hXIfRivRMCUttg=="}'
{"links":{"labels":"/api/v2/tasks/03708d79a779a000/labels","logs":"/api/v2/tasks/03708d79a779a000/logs","members":"/api/v2/tasks/03708d79a779a000/members","owners":"/api/v2/tasks/03708d79a779a000/owners","runs":"/api/v2/tasks/03708d79a779a000/runs","self":"/api/v2/tasks/03708d79a779a000"},"labels":[],"id":"03708d79a779a000","orgID":"03708ce16e72e000","org":"a","authorizationID":"03708e499f32e000","name":"x","status":"active","flux":"option task = {name: \"x\", every: 30s} from(bucket:\"a\") |\u003e range(start:-1m)","every":"30s","latestCompleted":"2019-02-21T14:46:30-08:00","createdAt":"2019-02-21T14:41:27-08:00","updatedAt":"2019-02-21T14:46:49-08:00"}
$ ./influx task find
ID Name OrganizationID Organization AuthorizationID Status Every Cron
03708d79a779a000 x 03708ce16e72e000 a 03708e499f32e000 active 30s
I don't see what's wrong with the first patch call in your example. In the example with status and token, the token is incomplete, but I don't know if you just truncated that while pasting into the issue. I would expect the request to fail if you provided an invalid token, but I'd have to run it to confirm if that's the case.
I will try with the latest master
tested with influxdb master @1471be4a7f3ae0e7181a329ad0441bb3e527c868
{"token":"qwertyuiiopasdfgh==123456fggh"}
token invalid or unreadable by the current user
Update with incomplete token
data='{"token:":"PxnxDihh75SebI6DuTuNOr8Gzxpll_-8AqnYQ077iGyhm3ecigW5Ygmh9plrcA=="}'
cannot update task without content
Update with incomplete token and status:
Request body:
data='{"status":"active","token:":"TFFVQdWXP2HsKIwxpAwkxfnOBInEh"}'
Request response:
{
"authorizationID": "03771e3424888000",
"createdAt": "2019-02-26T17:05:52-08:00",
"every": "1h0m0s",
"flux": "option task = {name: \"task_1\", every: 1h} from(bucket:\"read_from_b_query_params\") |> range(start: -1h)",
"id": "03771e7b0c2d3000",
"labels": [],
"latestCompleted": "2019-02-26T17:00:00-08:00",
"links": {
"labels": "/api/v2/tasks/03771e7b0c2d3000/labels",
"logs": "/api/v2/tasks/03771e7b0c2d3000/logs",
"members": "/api/v2/tasks/03771e7b0c2d3000/members",
"owners": "/api/v2/tasks/03771e7b0c2d3000/owners",
"runs": "/api/v2/tasks/03771e7b0c2d3000/runs",
"self": "/api/v2/tasks/03771e7b0c2d3000"
},
"name": "task_1",
"org": "org_name_query_param",
"orgID": "03771e342b888000",
"status": "active",
"updatedAt": "2019-02-26T17:13:13-08:00"
}
Note Should return an error message instead of success.
The second and third examples have "token:" instead of "token" so the json parser is ignoring the value, due to an unrecognized key.
On Tue, Feb 26, 2019 at 5:19 PM Gershon Shif notifications@github.com wrote:
tested with influxdb master @1471be4a7f3ae0e7181a329ad0441bb3e527c868
-
Updated using invalid token, returns error message:
Request body
{"token":"qwertyuiiopasdfgh==123456fggh"}
Error:
token invalid or unreadable by the current user
Update with incomplete token
Request body:
data='{"token:":"PxnxDihh75SebI6DuTuNOr8Gzxpll_-8AqnYQ077iGyhm3ecigW5Ygmh9plrcA=="}'
Error:
cannot update task without content
NOTE: The message is not correct.
Update with incomplete token and status:
Request body:
data='{"status":"active","token:":"TFFVQdWXP2HsKIwxpAwkxfnOBInEh"}'
-
Request response:
{ "authorizationID": "03771e3424888000", "createdAt": "2019-02-26T17:05:52-08:00", "every": "1h0m0s", "flux": "option task = {name: \"task_1\", every: 1h} from(bucket:\"read_from_b_query_params\") |> range(start: -1h)", "id": "03771e7b0c2d3000", "labels": [], "latestCompleted": "2019-02-26T17:00:00-08:00", "links": { "labels": "/api/v2/tasks/03771e7b0c2d3000/labels", "logs": "/api/v2/tasks/03771e7b0c2d3000/logs", "members": "/api/v2/tasks/03771e7b0c2d3000/members", "owners": "/api/v2/tasks/03771e7b0c2d3000/owners", "runs": "/api/v2/tasks/03771e7b0c2d3000/runs", "self": "/api/v2/tasks/03771e7b0c2d3000" }, "name": "task_1", "org": "org_name_query_param", "orgID": "03771e342b888000", "status": "active", "updatedAt": "2019-02-26T17:13:13-08:00" }
- Note Should return an error message instead of success.
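The unrecognized-key behaviour described in the reply above, as an added example that is not InfluxDB's own code: Go's `encoding/json` drops unknown keys by default, so a body with `"token:"` decodes as if no token had been sent, while a decoder with `DisallowUnknownFields` rejects it. The `taskUpdate` struct and the `decodeLenient` and `decodeStrict` helpers are hypothetical names, and the token values are placeholders.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// taskUpdate is a hypothetical stand-in for the PATCH body; only the two
// fields exercised in this thread are modelled.
type taskUpdate struct {
	Status *string `json:"status,omitempty"`
	Token  *string `json:"token,omitempty"`
}

// decodeLenient uses encoding/json's default: unknown keys are silently dropped.
func decodeLenient(body []byte) (taskUpdate, error) {
	var u taskUpdate
	err := json.Unmarshal(body, &u)
	return u, err
}

// decodeStrict rejects unknown keys and empty updates, so a misspelled
// "token:" key fails loudly instead of leaving the old authorization in place.
func decodeStrict(body []byte) (taskUpdate, error) {
	var u taskUpdate
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&u); err != nil {
		return u, err
	}
	if u.Status == nil && u.Token == nil {
		return u, errors.New("cannot update task without content")
	}
	return u, nil
}

func main() {
	// Constructed bodies shaped like the thread's requests; tokens are placeholders.
	bodies := []string{
		`{"token":"PLACEHOLDER=="}`,
		`{"token:":"PLACEHOLDER=="}`,
		`{"status":"active","token:":"PLACEHOLDER=="}`,
	}
	for _, b := range bodies {
		l, _ := decodeLenient([]byte(b))
		_, err := decodeStrict([]byte(b))
		fmt.Printf("%-46s lenient token set=%v strict err=%v\n", b, l.Token != nil, err)
	}
}
```

When rotating a compromised token, the response's `authorizationID` is the field to compare against the new authorization's ID, since a 200 with the old ID means the token was not applied.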
@mark-rushakoff, I always knew an extra set of eyes is sooo helpful. Thanks. Will retest again.
Now it is working as expected.
According to the swagger doc, if we want to just update the token of the existing tasks, we should be able to do that, but if we are just using the token field in the request body, the below error will be returned, and if the token field is being used together with another field, then the new value of the token is being ignored.
super user token:
Cannot update task without content error is being returned,
token and status fields:
return object will still have the original authorizationID:
I am not sure what is the use case for updating the token, maybe it should be removed from the request Body.