influxdata / influxdb

Scalable datastore for metrics, events, and real-time analytics
https://influxdata.com
Apache License 2.0

user create "write:users is unauthorized" #23934

Open mjangle opened 1 year ago

mjangle commented 1 year ago

Steps to reproduce: List the minimal actions needed to reproduce the behavior.

  1. Install InfluxDB v2.5.1 on Windows
  2. Use GUI to set up admin account
  3. Create Token granting all access to Org
  4. Install Influx CLI v2.5.0
  5. Create CLI config
  6. Attempt to create user
  7. Receive 401 Unauthorized: write:users is unauthorized

Expected behavior:

I expect to be able to create new users

Actual behavior:

I receive "Error: failed to create user "username": 401 Unauthorized: write:users is unauthorized"

Environment info:

The generated token and CLI config do connect to the DB, as I can use influx bucket list and it will return the correct buckets, or influx user list and it will return a list of users (single user). Attempting to generate an all access token via the CLI detailed here does not work and I receive a "403 Forbidden: permission read:users is not allowed" error.

mjangle commented 1 year ago

Issue was resolved by removing existing ./influxdbv2 folder stored in the user directory and doing a fresh setup.

For anyone in the future having this issue, this was resolved by removing the ./influxdbv2 folder in my user directory, restarting influxd, and using the CLI to do initial setup.

Suggest updating documentation here to reflect the need to do initial setup via the CLI or removing the ability to set up via the UI.

@jeffreyssmith2nd

oneofthemany commented 1 year ago

hi @jeffreyssmith2nd

the issue still exists in v2.6.1 - I'm using podman:

InfluxDB v2.6.1 Server: 9dcf880 Frontend: 5ba8e15

when looking at the authlist I can see that I have both read and write priv for user:

# influx auth list

ID          Description             Token           User Name       User ID      Permissions
my_id       admin                   my_token        admin           my_uid       [read:/users/uid write:/users/uid]

and when checking the config I can see that it's active:

# influx config ls
Active  Name    URL                     Org
*       default http://localhost:8086   my_org

and the config "/etc/influxdb2/influx-configs" reads as follows:

# cat influx-configs
[default]
  url = "http://localhost:8086"
  token = "my_token"
  org = "my_org"
  active = true

and checking the validity of the token:

  # influx user list -t my_token
  ID           Name
  my_uid       admin

Any idea when there will be a fix?

Also when is user creation moving to the frontend?

:)

jeffreyssmith2nd commented 1 year ago

Unfortunately it's misleading, but creating users requires the read:/users and write:/users permission. It does not work with org scoped access (read:/users/org and write:/users/org).

oneofthemany commented 1 year ago

> Unfortunately it's misleading, but creating users requires the read:/users and write:/users permission. It does not work with org scoped access (read:/users/org and write:/users/org).

Apologies, I got it wrong. I have this:

ID          Description             Token           User Name       User ID      Permissions
my_id       admin                   my_token        admin           my_uid       [read:/users/my_uid write:/users/my_uid]

And a cap from the UI: [image]

So if this is correct, what can be done to fix the error?

oneofthemany commented 1 year ago

found the issue

if you delete the admin token and recreate it in the UI it does not create a token with read:/users write:/users as a resource

can this be fixed please

RufusJWB commented 9 months ago

We were able to create a new user if the config is not scoped to an organization:

.\influx config create --config-name onboarding `
--host-url "https://[...]" `
--token "[...]==" `
--active
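
The maintainer's reply in this thread says user creation needs the unscoped read:/users and write:/users permissions, while the tokens shown in the thread only carry read:/users/my_uid and write:/users/my_uid. The following is an added example, not code from the thread or from the InfluxDB project: it checks a Permissions cell copied from `influx auth list` for that gap. The function names are hypothetical, and the cell format is assumed to be the bracketed, space-separated one shown in the thread.

```python
import re

# One permission entry, e.g. "read:/users" or "write:/users/<id>"
# (format assumed from the `influx auth list` output quoted in the thread).
PERM_RE = re.compile(r"^(read|write):(/\S*)$")

# Per the maintainer's reply: both must be present without any scope suffix.
REQUIRED = {("read", "/users"), ("write", "/users")}


def parse_permissions(column):
    """Split a cell such as '[read:/users write:/users/abc]' into
    (action, resource_path) tuples; unparseable entries are skipped."""
    perms = set()
    for item in column.strip().strip("[]").split():
        m = PERM_RE.match(item)
        if m:
            perms.add((m.group(1), m.group(2).rstrip("/")))
    return perms


def user_create_gaps(column):
    """Report which required permissions are missing and which users grants
    are scoped (they look sufficient in the listing but are not)."""
    perms = parse_permissions(column)
    missing = sorted(f"{a}:{r}" for a, r in REQUIRED - perms)
    scoped = sorted(
        f"{a}:{r}" for a, r in perms
        if r != "/users" and "users" in r.strip("/").split("/")
    )
    return {"can_create_users": not missing,
            "missing": missing,
            "scoped_only": scoped}


if __name__ == "__main__":
    # Constructed sample cells; the first mirrors the token shown in the thread.
    samples = [
        "[read:/users/my_uid write:/users/my_uid]",
        "[read:/users write:/users/my_uid]",
        "[read:/users write:/users read:/buckets]",
    ]
    for cell in samples:
        print(cell, "->", user_create_gaps(cell))
```
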