// Authorize user u to execute query q on database. // database can be "" for queries that do not require a database. // If no user is provided it will return an error unless the query's first statement is to create // a root user. func (q *QueryExecutor) Authorize(u *meta.UserInfo, query *influxql.Query, database string) error { // Special case if no users exist. if n := q.MetaClient.UserCount(); n == 0 { // Ensure there is at least one statement. if len(query.Statements) > 0 { // First statement in the query must create a user with admin privilege. cu, ok := query.Statements[0].(*influxql.CreateUserStatement) if ok && cu.Admin == true { return nil } } return NewErrAuthorize(q, query, "", database, "create admin user first or disable authentication") } if u == nil { return NewErrAuthorize(q, query, "", database, "no user provided") } // Admin privilege allows the user to execute all statements. if u.Admin { return nil } // Check each statement in the query. for _, stmt := range query.Statements { // Get the privileges required to execute the statement. privs := stmt.RequiredPrivileges() // Make sure the user has the privileges required to execute // each statement. for _, p := range privs { if p.Admin { // Admin privilege already checked so statement requiring admin // privilege cannot be run. msg := fmt.Sprintf("statement '%s', requires admin privilege", stmt) return NewErrAuthorize(q, query, u.Name, database, msg) } // Use the db name specified by the statement or the db // name passed by the caller if one wasn't specified by // the statement. db := p.Name if db == "" { db = database } if !u.Authorize(p.Privilege, db) { msg := fmt.Sprintf("statement '%s', requires %s on %s", stmt, p.Privilege.String(), db) return NewErrAuthorize(q, query, u.Name, database, msg) } } } return nil }
// serveWrite receives incoming series data in line protocol format and writes it to the database. func (h *Handler) serveWrite(w http.ResponseWriter, r *http.Request, user *meta.UserInfo) { h.statMap.Add(statWriteRequest, 1) defer func(start time.Time) { h.statMap.Add(statWriteRequestDuration, time.Since(start).Nanoseconds()) }(time.Now()) database := r.FormValue("db") if database == "" { resultError(w, influxql.Result{Err: fmt.Errorf("database is required")}, http.StatusBadRequest) return } if di, err := h.MetaClient.Database(database); err != nil { resultError(w, influxql.Result{Err: fmt.Errorf("metastore database error: %s", err)}, http.StatusInternalServerError) return } else if di == nil { resultError(w, influxql.Result{Err: fmt.Errorf("database not found: %q", database)}, http.StatusNotFound) return } if h.requireAuthentication && user == nil { resultError(w, influxql.Result{Err: fmt.Errorf("user is required to write to database %q", database)}, http.StatusUnauthorized) return } if h.requireAuthentication && !user.Authorize(influxql.WritePrivilege, database) { resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized) return } // Handle gzip decoding of the body body := r.Body if r.Header.Get("Content-encoding") == "gzip" { b, err := gzip.NewReader(r.Body) if err != nil { resultError(w, influxql.Result{Err: err}, http.StatusBadRequest) return } defer b.Close() body = b } var bs []byte if clStr := r.Header.Get("Content-Length"); clStr != "" { if length, err := strconv.Atoi(clStr); err == nil { // This will just be an initial hint for the gzip reader, as the // bytes.Buffer will grow as needed when ReadFrom is called bs = make([]byte, 0, length) } } buf := bytes.NewBuffer(bs) _, err := buf.ReadFrom(body) if err != nil { if h.WriteTrace { h.Logger.Print("write handler unable to read bytes from request body") } resultError(w, influxql.Result{Err: err}, http.StatusBadRequest) return } h.statMap.Add(statWriteRequestBytesReceived, int64(buf.Len())) if h.WriteTrace { h.Logger.Printf("write body received by handler: %s", buf.Bytes()) } points, parseError := models.ParsePointsWithPrecision(buf.Bytes(), time.Now().UTC(), r.FormValue("precision")) // Not points parsed correctly so return the error now if parseError != nil && len(points) == 0 { if parseError.Error() == "EOF" { w.WriteHeader(http.StatusOK) return } resultError(w, influxql.Result{Err: parseError}, http.StatusBadRequest) return } // Write points. if err := h.PointsWriter.WritePoints(database, r.FormValue("rp"), models.ConsistencyLevelAny, points); influxdb.IsClientError(err) { h.statMap.Add(statPointsWrittenFail, int64(len(points))) resultError(w, influxql.Result{Err: err}, http.StatusBadRequest) return } else if err != nil { h.statMap.Add(statPointsWrittenFail, int64(len(points))) resultError(w, influxql.Result{Err: err}, http.StatusInternalServerError) return } else if parseError != nil { // We wrote some of the points h.statMap.Add(statPointsWrittenOK, int64(len(points))) // The other points failed to parse which means the client sent invalid line protocol. We return a 400 // response code as well as the lines that failed to parse. resultError(w, influxql.Result{Err: fmt.Errorf("partial write:\n%v", parseError)}, http.StatusBadRequest) return } h.statMap.Add(statPointsWrittenOK, int64(len(points))) w.WriteHeader(http.StatusNoContent) }
// serveWriteLine receives incoming series data in line protocol format and writes it to the database. func (h *Handler) serveWriteLine(w http.ResponseWriter, r *http.Request, body []byte, user *meta.UserInfo) { // Some clients may not set the content-type header appropriately and send JSON with a non-json // content-type. If the body looks JSON, try to handle it as as JSON instead if len(body) > 0 { var i int for { // JSON requests must start w/ an opening bracket if body[i] == '{' { h.serveWriteJSON(w, r, body, user) return } // check that the byte is in the standard ascii code range if body[i] > 32 || i >= len(body)-1 { break } i++ } } precision := r.FormValue("precision") if precision == "" { precision = "n" } points, parseError := models.ParsePointsWithPrecision(body, time.Now().UTC(), precision) // Not points parsed correctly so return the error now if parseError != nil && len(points) == 0 { if parseError.Error() == "EOF" { w.WriteHeader(http.StatusOK) return } resultError(w, influxql.Result{Err: parseError}, http.StatusBadRequest) return } database := r.FormValue("db") if database == "" { resultError(w, influxql.Result{Err: fmt.Errorf("database is required")}, http.StatusBadRequest) return } if di, err := h.MetaClient.Database(database); err != nil { resultError(w, influxql.Result{Err: fmt.Errorf("metastore database error: %s", err)}, http.StatusInternalServerError) return } else if di == nil { resultError(w, influxql.Result{Err: fmt.Errorf("database not found: %q", database)}, http.StatusNotFound) return } if h.requireAuthentication && user == nil { resultError(w, influxql.Result{Err: fmt.Errorf("user is required to write to database %q", database)}, http.StatusUnauthorized) return } if h.requireAuthentication && !user.Authorize(influxql.WritePrivilege, database) { resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, database)}, http.StatusUnauthorized) return } // Write points. if err := h.PointsWriter.WritePoints(database, r.FormValue("rp"), models.ConsistencyLevelAny, points); influxdb.IsClientError(err) { h.statMap.Add(statPointsWrittenFail, int64(len(points))) resultError(w, influxql.Result{Err: err}, http.StatusBadRequest) return } else if err != nil { h.statMap.Add(statPointsWrittenFail, int64(len(points))) resultError(w, influxql.Result{Err: err}, http.StatusInternalServerError) return } else if parseError != nil { // We wrote some of the points h.statMap.Add(statPointsWrittenOK, int64(len(points))) // The other points failed to parse which means the client sent invalid line protocol. We return a 400 // response code as well as the lines that failed to parse. resultError(w, influxql.Result{Err: fmt.Errorf("partial write:\n%v", parseError)}, http.StatusBadRequest) return } h.statMap.Add(statPointsWrittenOK, int64(len(points))) w.WriteHeader(http.StatusNoContent) }
// serveWriteJSON receives incoming series data in JSON and writes it to the database. func (h *Handler) serveWriteJSON(w http.ResponseWriter, r *http.Request, body []byte, user *meta.UserInfo) { if !h.JSONWriteEnabled { resultError(w, influxql.Result{Err: fmt.Errorf("JSON write protocol has been deprecated")}, http.StatusBadRequest) return } var bp client.BatchPoints var dec *json.Decoder dec = json.NewDecoder(bytes.NewReader(body)) if err := dec.Decode(&bp); err != nil { if err.Error() == "EOF" { w.WriteHeader(http.StatusOK) return } resultError(w, influxql.Result{Err: err}, http.StatusBadRequest) return } if bp.Database == "" { resultError(w, influxql.Result{Err: fmt.Errorf("database is required")}, http.StatusBadRequest) return } if di, err := h.MetaClient.Database(bp.Database); err != nil { resultError(w, influxql.Result{Err: fmt.Errorf("metastore database error: %s", err)}, http.StatusInternalServerError) return } else if di == nil { resultError(w, influxql.Result{Err: fmt.Errorf("database not found: %q", bp.Database)}, http.StatusNotFound) return } if h.requireAuthentication && user == nil { resultError(w, influxql.Result{Err: fmt.Errorf("user is required to write to database %q", bp.Database)}, http.StatusUnauthorized) return } if h.requireAuthentication && !user.Authorize(influxql.WritePrivilege, bp.Database) { resultError(w, influxql.Result{Err: fmt.Errorf("%q user is not authorized to write to database %q", user.Name, bp.Database)}, http.StatusUnauthorized) return } points, err := NormalizeBatchPoints(bp) if err != nil { resultError(w, influxql.Result{Err: err}, http.StatusBadRequest) return } // Convert the json batch struct to a points writer struct if err := h.PointsWriter.WritePoints(bp.Database, bp.RetentionPolicy, models.ConsistencyLevelAny, points); err != nil { h.statMap.Add(statPointsWrittenFail, int64(len(points))) if influxdb.IsClientError(err) { resultError(w, influxql.Result{Err: err}, http.StatusBadRequest) } else { resultError(w, influxql.Result{Err: err}, http.StatusInternalServerError) } return } h.statMap.Add(statPointsWrittenOK, int64(len(points))) w.WriteHeader(http.StatusNoContent) }