Hi folks,
With Influx 1.x Enterprise, there is fine-grained authorization, which - for a given set of credentials - allows restricting access down to a per-series basis. I understand that there is no direct equivalent for Influx 2.0, but I’d like to explore what a potentially similar setup could look like.
A bit about our use case, which I suspect is fairly common: we receive and store data from a number of separate physical systems (S). These systems are run by a number of operators (O), and serve a number of end-users (U). Each operator will generally operate systems for multiple end-users. So the hierarchy is single O → multiple U → multiple S.
Is there a way to segregate the system-level data (S) and set up authorization in a way that allows us to give an operator (O) access to data for all of their systems, while also giving end-users (U) access to (just) their own respective systems?
The two options I’ve considered so far:
Option A: Buckets everywhere
Putting data for each individual system in a separate bucket, and then providing each of the entities (O, U) credentials that only allow access to their respective buckets. Something like this may have worked with the database/user authorization model of Influx 1.x. But having looked further into the Influx 2’s organization-user-bucket hierarchy, it doesn’t look like this would be actually be a viable way here.
Option B: DIY authorization proxy
Having all data in one bucket/organization and not relying on Influx for authorization – instead, running all queries through a proxy that inserts an appropriate data filter into each Flux query, where this filter is dependent on the supplied user credentials.
I’ve actually implemented something similar that works quite reliably for InfluxQL, but not sure how viable that would be for Flux. And it’s admittedly a workaround rather than a proper solution.
Any suggestions would be welcome!