Fine-grained access permissions in Influx 2.0

Hi folks,
With Influx 1.x Enterprise, there is fine-grained authorization, which - for a given set of credentials - allows restricting access down to a per-series basis. I understand that there is no direct equivalent for Influx 2.0, but I’d like to explore what a potentially similar setup could look like.

A bit about our use case, which I suspect is fairly common: we receive and store data from a number of separate physical systems (S). These systems are run by a number of operators (O), and serve a number of end-users (U). Each operator will generally operate systems for multiple end-users. So the hierarchy is single O -> multiple U -> multiple S.

Is there a way to segregate the system-level data (S) and set up authorization in a way that allows us to give an operator (O) access to data for all of their systems, while also giving end-users (U) access to (just) their own respective systems?

The two options I’ve considered so far:

Option A: Buckets everywhere

Putting data for each individual system in a separate bucket, and then providing each of the entities (O, U) credentials that only allow access to their respective buckets. Something like this may have worked with the database/user authorization model of Influx 1.x. But having looked further into Influx 2’s organization-user-bucket hierarchy, it doesn’t look like this would actually be a viable way here.

Option B: DIY authorization proxy

Having all data in one bucket/organization and not relying on Influx for authorization – instead, running all queries through a proxy that inserts an appropriate data filter into each Flux query, where this filter is dependent on the supplied user credentials.

I’ve actually implemented something similar that works quite reliably for InfluxQL, but not sure how viable that would be for Flux. And it’s admittedly a workaround rather than a proper solution.

Any suggestions would be welcome!
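To make Option B concrete, here is an added example (written for this reply, not code from the original post or from InfluxData) of how the authorization step in such a proxy could be built. It assumes the entitlement tables below (constructed for the example), that every system writes its points with a tag named `system`, and that clients send the proxy a constrained request (bucket, measurement, time range, optional system list) rather than raw Flux. The proxy resolves the caller's entitlement (an operator gets the union of its end-users' systems, an end-user gets only its own), refuses any request that reaches outside that set, validates every value it embeds against a strict allow-list, and only then renders the Flux query that is sent to InfluxDB with the proxy's own token:

```python
import re
from dataclasses import dataclass

# Constructed entitlement data for the example (not from the original post).
# Hierarchy from the post: one operator (O) -> several end-users (U) -> several systems (S).
OPERATOR_USERS = {
    "op-north": frozenset({"acme", "globex"}),
}
USER_SYSTEMS = {
    "acme": frozenset({"sys-101", "sys-102"}),
    "globex": frozenset({"sys-201"}),
}

# Assumption: every system writes its points with a tag named "system".
SYSTEM_TAG = "system"

# Allow-lists for values that will be embedded in the Flux query.
# Rejecting anything else is simpler and safer than trying to escape Flux
# string quoting and ${...} interpolation correctly.
SAFE_ID = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
SAFE_DURATION = re.compile(r"^-[0-9]{1,6}(s|m|h|d|w)$")


class AuthzError(Exception):
    """Raised when a request cannot be authorised or contains unsafe input."""


@dataclass(frozen=True)
class Principal:
    kind: str   # "operator" or "user"
    name: str


@dataclass(frozen=True)
class QueryRequest:
    bucket: str
    measurement: str
    start: str              # relative Flux duration such as "-1h"
    systems: tuple = ()     # requested systems; empty means "everything I may see"


def allowed_systems(p: Principal) -> frozenset:
    """Resolve the set of system IDs the principal may read."""
    if p.kind == "user":
        return USER_SYSTEMS.get(p.name, frozenset())
    if p.kind == "operator":
        systems = set()
        for user in OPERATOR_USERS.get(p.name, frozenset()):
            systems |= USER_SYSTEMS.get(user, frozenset())
        return frozenset(systems)
    return frozenset()


def flux_string(value: str) -> str:
    """Return a Flux string literal, refusing anything outside the allow-list."""
    if not SAFE_ID.match(value):
        raise AuthzError(f"unsafe identifier: {value!r}")
    return f'"{value}"'


def build_query(p: Principal, req: QueryRequest) -> str:
    """Build the Flux query the proxy sends to InfluxDB on the principal's behalf."""
    allowed = allowed_systems(p)
    if not allowed:
        raise AuthzError(f"{p.kind} {p.name!r} has no systems")
    requested = frozenset(req.systems) if req.systems else allowed
    denied = requested - allowed
    if denied:
        raise AuthzError(f"not entitled to systems: {sorted(denied)}")
    if not SAFE_DURATION.match(req.start):
        raise AuthzError(f"unsafe duration: {req.start!r}")
    system_set = ", ".join(flux_string(s) for s in sorted(requested))
    return (
        f"from(bucket: {flux_string(req.bucket)})\n"
        f"  |> range(start: {req.start})\n"
        f"  |> filter(fn: (r) => r._measurement == {flux_string(req.measurement)})\n"
        f"  |> filter(fn: (r) => contains(value: r.{SYSTEM_TAG}, set: [{system_set}]))"
    )


if __name__ == "__main__":
    # Operator sees all three systems; end-user "acme" would get only sys-101/sys-102.
    print(build_query(Principal("operator", "op-north"),
                      QueryRequest("telemetry", "power", "-1h")))
```

The reason this generates the query instead of splicing a `filter()` into Flux supplied by the client is that the splice approach needs a real Flux parser to be safe: a client-supplied script can contain more than one `from()` call, or transform the `system` column before the injected filter runs, and a text-level rewrite will miss those cases. With a constrained request the proxy is the only thing that ever produces Flux, and the single InfluxDB token lives in the proxy, so the entitlement check above is the whole access-control surface.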

Hi,

We’ve been working on multi-user organizations and finer grained RBAC over the last few sprints and will continue to do so for the foreseeable future.

We currently allow, as of last week, for multiple admins on a single organization.

We plan to add readonly users to orgs next, and then continue to expand on this functionality.

I know it’s not great news for now, but we do understand this is a valued feature and we’ll do our best to implement it as timely as possible.

Hope that helps

Thanks for the update @rawkode. It’s great to see that you’re moving forward quickly here, and that this is already on the roadmap!

If you have any idea with respect to the timeline on which something like FGA will be available, I’d appreciate that. E.g. whether it would be a Q3/Q4 thing or a 2021 thing, etc. Would be helpful with our decision about a potential migration.