Influxdb 2.0 auth tokens

Hello,

What is the point of having an ‘All Access Token’ if people cannot perform CRUD operations on organizations or users with them? Apparently that is only possible with the ‘Operator’ token created during the setup process. Is this correct?

And is there a way to create/have two different operator tokens in the same Influxdb instance?

Thanks

Hello @margaashnuruu,
Welcome.
Using the CLI create auth command gives the following options:

./influx auth create -h
Create authorization

Usage:
  influx auth create [flags]

Flags:
  -c, --active-config string          Config name to use for command; Maps to env var $INFLUX_ACTIVE_CONFIG
      --configs-path string           Path to the influx CLI configurations; Maps to env var $INFLUX_CONFIGS_PATH (default "/Users/anaisdotis-georgiou/.influxdbv2/configs")
  -d, --description string            Token description
  -h, --help                          Help for the create command 
      --hide-headers                  Hide the table headers; defaults false; Maps to env var $INFLUX_HIDE_HEADERS
      --host string                   HTTP address of InfluxDB; Maps to env var $INFLUX_HOST
      --json                          Output data as json; defaults false; Maps to env var $INFLUX_OUTPUT_JSON
  -o, --org string                    The name of the organization; Maps to env var $INFLUX_ORG
      --org-id string                 The ID of the organization; Maps to env var $INFLUX_ORG_ID
      --read-bucket stringArray       The bucket id
      --read-buckets                  Grants the permission to perform read actions against organization buckets
      --read-checks                   Grants the permission to read checks
      --read-dashboards               Grants the permission to read dashboards
      --read-dbrps                    Grants the permission to read database retention policy mappings
      --read-notificationEndpoints    Grants the permission to read notificationEndpoints
      --read-notificationRules        Grants the permission to read notificationRules
      --read-orgs                     Grants the permission to read organizations
      --read-tasks                    Grants the permission to read tasks
      --read-telegrafs                Grants the permission to read telegraf configs
      --read-user                     Grants the permission to perform read actions against organization users
      --skip-verify                   Skip TLS certificate chain and host name verification.
  -t, --token string                  Authentication token; Maps to env var $INFLUX_TOKEN
  -u, --user string                   The user name
      --write-bucket stringArray      The bucket id
      --write-buckets                 Grants the permission to perform mutative actions against organization buckets
      --write-checks                  Grants the permission to create checks
      --write-dashboards              Grants the permission to create dashboards
      --write-dbrps                   Grants the permission to create database retention policy mappings
      --write-notificationEndpoints   Grants the permission to create notificationEndpoints
      --write-notificationRules       Grants the permission to create notificationRules
      --write-orgs                    Grants the permission to create organizations
      --write-tasks                   Grants the permission to create tasks
      --write-telegrafs               Grants the permission to create telegraf configs
      --write-user                    Grants the permission to perform mutative actions against organization users

Hello Anaisdg,

That’s related to the question I wrote in another post:

With the “influx auth create [flags]” command, I cannot create an all access token including write-authorizations and read-authorizations right. This means when the user has created a bucket and wants to generate a read/write access token for that bucket, it won’t work, as that user doesn’t own the write-authorization privilege.

Any solution to this problem?

best regards,
sc

My apologies @scTHU,
I didn’t read your question carefully enough. I appreciate you clarifying. I’m not sure if there is a solution to your question right now but I’m asking around.
In the meantime, can you please create a feature request?

Thank you

EDIT: this is actively being worked on.

My guess is that this is due to this bug:

@Anaisdg yes, I’m using the influx auth create command to create new tokens but I cannot generate a new ‘operator’ token and, as mentioned in the bug, if you try to create a new ‘all access’ token, it doesn’t get the permissions right. From my experience, it gets bound to the current organization and if you give the token to someone else, they won’t be able to read/write data for other orgs and users, which makes it almost unusable.