// Test multiple statement query authorization. func TestServer_MultiStatementQueryAuthorization(t *testing.T) { s := OpenServer(NewMessagingClient()) defer s.Close() // Create cluster admin. s.CreateUser("admin", "admin", true) admin := s.User("admin") // Create normal database user. s.CreateUser("user", "user", false) user := s.User("user") user.Privileges["foo"] = influxql.ReadPrivilege s.Restart() // Create a query that requires read for one statement and write for the second. readWriteQuery := &influxql.Query{ Statements: []influxql.Statement{ // Statement that requires read. &influxql.SelectStatement{ Fields: []*influxql.Field{&influxql.Field{Expr: &influxql.Call{Name: "count"}}}, Source: &influxql.Measurement{Name: "cpu"}, }, // Statement that requires write. &influxql.SelectStatement{ Fields: []*influxql.Field{&influxql.Field{Expr: &influxql.Call{Name: "count"}}}, Source: &influxql.Measurement{Name: "cpu"}, Target: &influxql.Target{Measurement: "tmp"}, }, }, } // Admin should be authorized to execute both statements in the query. if err := influxdb.Authorize(admin, readWriteQuery, "foo"); err != nil { t.Fatal(err) } // Normal user with only read privileges should not be authorized to execute both statements. if err := influxdb.Authorize(user, readWriteQuery, "foo"); err == nil { t.Fatalf("user should not be authorized to execute both statements") } }
// Test single statement query authorization. func TestServer_SingleStatementQueryAuthorization(t *testing.T) { s := OpenServer(NewMessagingClient()) defer s.Close() // Create cluster admin. s.CreateUser("admin", "admin", true) admin := s.User("admin") // Create normal database user. s.CreateUser("user", "user", false) user := s.User("user") user.Privileges["foo"] = influxql.ReadPrivilege s.Restart() // Create a query that only cluster admins can run. adminOnlyQuery := &influxql.Query{ Statements: []influxql.Statement{ &influxql.DropDatabaseStatement{Name: "foo"}, }, } // Create a query that requires read on one db and write on another. readWriteQuery := &influxql.Query{ Statements: []influxql.Statement{ &influxql.CreateContinuousQueryStatement{ Name: "myquery", Database: "foo", Source: &influxql.SelectStatement{ Fields: []*influxql.Field{&influxql.Field{Expr: &influxql.Call{Name: "count"}}}, Target: &influxql.Target{Measurement: "measure1", Database: "bar"}, Source: &influxql.Measurement{Name: "myseries"}, }, }, }, } // admin user should be authorized to execute any query. if err := influxdb.Authorize(admin, adminOnlyQuery, ""); err != nil { t.Fatal(err) } if err := influxdb.Authorize(admin, readWriteQuery, "foo"); err != nil { t.Fatal(err) } // Normal user should not be authorized to execute admin only query. if err := influxdb.Authorize(user, adminOnlyQuery, ""); err == nil { t.Fatalf("normal user should not be authorized to execute cluster admin level queries") } // Normal user should not be authorized to execute query that selects into another // database which (s)he doesn't have privileges on. if err := influxdb.Authorize(user, readWriteQuery, ""); err == nil { t.Fatalf("normal user should not be authorized to write to database bar") } // Grant normal user write privileges on database "bar". user.Privileges["bar"] = influxql.WritePrivilege //Authorization on the previous query should now succeed. if err := influxdb.Authorize(user, readWriteQuery, ""); err != nil { t.Fatal(err) } }