influxdata / influxdb

Scalable datastore for metrics, events, and real-time analytics
https://influxdata.com
Apache License 2.0
28.92k stars 3.55k forks

Unable to create buckets using new token #21453

Open umrikar opened 3 years ago

umrikar commented 3 years ago

Steps to reproduce:

  1. Create a new user: influx user create -n abc -p svwuevcw -t supersecretadmintoken

  2. Create a token for the new user with all permissions: influx auth create -t supersecretadmintoken -u abc --read-buckets --read-checks --read-dashboards --read-dbrps --read-notificationEndpoints --read-notificationRules --read-tasks --read-orgs --read-telegrafs --read-user --skip-verify --write-buckets --write-checks --write-dashboards --write-dbrps --write-notificationEndpoints --write-notificationRules --write-orgs --write-tasks --write-telegrafs --write-user -d newToken2 -o myorg

  3. Create a bucket using the newly generated token: influx bucket create -n abccvw -t P-SkqtZPrLs7ByAADWDtg9pXAf1qUgbhlKE7pyrVjFUFVLE2zAYuFejLiVnVJAikE39UQo9ZkMJmCWnJYAGKYA== -o myorg

Expected behavior: the user should be able to create a new bucket using the new token.

Actual behavior: I get the error below:

Error: Failed to get ID for org 'myorg' (do you have org-level read permission?): organization not found. See 'influx bucket create -h' for help

danxmoran commented 3 years ago

@umrikar as a work-around, passing --org-id should work instead.

This is failing because when influx auth create is passed both -o <org-name> and --read-orgs, it creates a permission to read orgs nested within <org-name>. IMO the work needed to fix this is:

  1. Disallow permissions for nested orgs until that becomes an actual concept in our system (if ever)
  2. Update the API/CLI to support updating existing auths, to allow 2-stage configuration

influxdata/influx-cli#66 would also help with this specific use-case.

umrikar commented 3 years ago

@danxmoran, thanks, I am able to create buckets when using --org-id instead of the org name.

With the new token I have limited access to a particular organization only. I am unable to list organizations using the new token:

influx org list -t NnPbDpjQBUe3csoZfXiLAQ41w02pLuVKqs_3U8-MfYhAcFrqUPasqWNCg7GwfzKkko8yyANMIV2jYaTYOHO59g==

ID Name

With the initial admin token:

influx org list -t supersecretadmintoken

ID                Name
21d0b6c73c990866  myorg

I want to create a new user and a token for that user with all privileges, delete the existing (initial) admin user and start using the token created for the new user, but with the new token I can't list organization details, so I will still require the initial (full-access) token.
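
The following is an added example, not code from the issue or from InfluxDB itself. It models the permission list that the reporter's influx auth create command turns into and the rule danxmoran describes above: when -o is combined with --read-orgs/--write-orgs, the orgs permission carries an orgID, which scopes it to orgs nested inside myorg, so looking up myorg by name (as influx bucket create -o myorg and influx org list do) fails. The same script gives the audit check a practitioner would run on a replacement token before retiring the initial admin token, as the reporter plans to do. Assumptions: the JSON shape is that of POST /api/v2/authorizations (action plus a resource with type and optional orgID); the mapping of the CLI's --read-user/--write-user flags to the users resource type is assumed; the organization ID is the one from the reporter's influx org list output; nothing is sent over the network.

```python
"""Added example (not from the issue or from InfluxDB's own code).

Builds the permission list that `influx auth create` would send to
POST /api/v2/authorizations, reproduces the nested-org scoping bug
described in the issue, and checks whether a token can still resolve
an organization by name.  Standard library only; no request is sent.
"""
import json
import shlex

# Org ID as shown by the reporter's `influx org list` with the admin token.
ORG_ID = "21d0b6c73c990866"

# Assumed flag-suffix -> API resource type mapping; only `user` is irregular.
FLAG_TO_RESOURCE = {"user": "users"}


def permission(action, rtype, org_id=None):
    """One entry of the authorization's `permissions` array.

    Leaving orgID off an `orgs` resource is what makes the permission apply
    to top-level organizations rather than to (non-existent) nested ones.
    """
    resource = {"type": rtype}
    if org_id is not None:
        resource["orgID"] = org_id
    return {"action": action, "resource": resource}


def cli_flags_to_permissions(cmdline, org_id, scope_orgs_to_org=True):
    """Translate the --read-*/--write-* flags of an `influx auth create`
    command line into permissions.

    scope_orgs_to_org=True mirrors the behaviour the issue describes
    (every resource, including `orgs`, gets the -o org's ID); False is
    the corrected form where the `orgs` permission carries no orgID.
    """
    perms = []
    for tok in shlex.split(cmdline):
        if not tok.startswith(("--read-", "--write-")):
            continue
        action, suffix = tok[2:].split("-", 1)
        rtype = FLAG_TO_RESOURCE.get(suffix, suffix)
        if rtype == "orgs" and not scope_orgs_to_org:
            perms.append(permission(action, rtype))
        else:
            perms.append(permission(action, rtype, org_id))
    return perms


def nested_org_permissions(perms):
    """Audit check: `orgs` permissions that carry an orgID are the bug."""
    return [p for p in perms
            if p["resource"]["type"] == "orgs" and "orgID" in p["resource"]]


def can_resolve_org_by_name(perms):
    """Name lookup needs a read on top-level orgs, i.e. an `orgs` read
    permission without orgID (the rule stated in the issue)."""
    return any(p["action"] == "read"
               and p["resource"]["type"] == "orgs"
               and "orgID" not in p["resource"]
               for p in perms)


def authorization_body(perms, org_id, description):
    """Request body for POST /api/v2/authorizations."""
    return {"orgID": org_id, "description": description, "permissions": perms}


# The reporter's command line, copied from the issue.
REPORTED_CMD = (
    "influx auth create -t supersecretadmintoken -u abc "
    "--read-buckets --read-checks --read-dashboards --read-dbrps "
    "--read-notificationEndpoints --read-notificationRules --read-tasks "
    "--read-orgs --read-telegrafs --read-user --skip-verify "
    "--write-buckets --write-checks --write-dashboards --write-dbrps "
    "--write-notificationEndpoints --write-notificationRules --write-orgs "
    "--write-tasks --write-telegrafs --write-user -d newToken2 -o myorg"
)

if __name__ == "__main__":
    buggy = cli_flags_to_permissions(REPORTED_CMD, ORG_ID)
    fixed = cli_flags_to_permissions(REPORTED_CMD, ORG_ID, scope_orgs_to_org=False)
    print("nested-org permissions in reported token:", len(nested_org_permissions(buggy)))
    print("reported token can resolve org by name:", can_resolve_org_by_name(buggy))
    print("corrected token can resolve org by name:", can_resolve_org_by_name(fixed))
    print(json.dumps(authorization_body(fixed, ORG_ID, "newToken2"), indent=2))
```

An orgs permission with no orgID applies to every organization on the instance, so the corrected token is broader than the org-scoped one the CLI produced; grant it only to the token that is meant to stand in for the initial admin token, and run the nested_org_permissions and can_resolve_org_by_name checks against the new token's permissions before deleting the initial admin user, since once that user is gone there is no other way to issue a token with unscoped org read.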