What is the point of having an ‘All Access Token’ if people cannot perform CRUD operations on organizations, or users with them? Apparently that is only possible with the ‘Operator’ token created during the setup process. Is this correct?
And is there a way to create/have two different operator tokens in the same InfluxDB instance?
Hello @margaashnuruu,
Welcome.
Using the CLI create auth command gives the following options:
    ./influx auth create -h
    Create authorization

    Usage:
      influx auth create [flags]

    Flags:
      -c, --active-config string          Config name to use for command; Maps to env var $INFLUX_ACTIVE_CONFIG
          --configs-path string           Path to the influx CLI configurations; Maps to env var $INFLUX_CONFIGS_PATH (default "/Users/anaisdotis-georgiou/.influxdbv2/configs")
      -d, --description string            Token description
      -h, --help                          Help for the create command
          --hide-headers                  Hide the table headers; defaults false; Maps to env var $INFLUX_HIDE_HEADERS
          --host string                   HTTP address of InfluxDB; Maps to env var $INFLUX_HOST
          --json                          Output data as json; defaults false; Maps to env var $INFLUX_OUTPUT_JSON
      -o, --org string                    The name of the organization; Maps to env var $INFLUX_ORG
          --org-id string                 The ID of the organization; Maps to env var $INFLUX_ORG_ID
          --read-bucket stringArray       The bucket id
          --read-buckets                  Grants the permission to perform read actions against organization buckets
          --read-checks                   Grants the permission to read checks
          --read-dashboards               Grants the permission to read dashboards
          --read-dbrps                    Grants the permission to read database retention policy mappings
          --read-notificationEndpoints    Grants the permission to read notificationEndpoints
          --read-notificationRules        Grants the permission to read notificationRules
          --read-orgs                     Grants the permission to read organizations
          --read-tasks                    Grants the permission to read tasks
          --read-telegrafs                Grants the permission to read telegraf configs
          --read-user                     Grants the permission to perform read actions against organization users
          --skip-verify                   Skip TLS certificate chain and host name verification.
      -t, --token string                  Authentication token; Maps to env var $INFLUX_TOKEN
      -u, --user string                   The user name
          --write-bucket stringArray      The bucket id
          --write-buckets                 Grants the permission to perform mutative actions against organization buckets
          --write-checks                  Grants the permission to create checks
          --write-dashboards              Grants the permission to create dashboards
          --write-dbrps                   Grants the permission to create database retention policy mappings
          --write-notificationEndpoints   Grants the permission to create notificationEndpoints
          --write-notificationRules       Grants the permission to create notificationRules
          --write-orgs                    Grants the permission to create organizations
          --write-tasks                   Grants the permission to create tasks
          --write-telegrafs               Grants the permission to create telegraf configs
          --write-user                    Grants the permission to perform mutative actions against organization users
That’s related to the question I wrote in another post:
With the “influx auth create [flags]” command, I cannot create an all access token including write-authorizations and read-authorizations right. This means when the user has created a bucket and wants to generate a read/write access token for that bucket, it won’t work, as that user doesn’t own the write-authorization privilege.
My apologies @scTHU,
I didn’t read your question carefully enough. I appreciate you clarifying. I’m not sure if there is a solution to your question right now but I’m asking around.
In the meantime, can you please create a feature request?
@Anaisdg yes, I’m using the influx auth create command to create new tokens but I cannot generate a new ‘operator’ token and, as mentioned in the bug, if you try to create a new ‘all access’ token, it doesn’t get the permissions right. From my experience, it gets bound to the current organization and if you give the token to someone else, they won’t be able to read/write data for other orgs and users, which makes it almost unusable.