Restricting Chronograf users to a specific database


#1

I was wondering if it is possible to restrict certain databases to specific Chronograf users. For example, say I have a database “Blue” and another database “Red”. There are then two Chronograf users, “Bob” and “John”. The user Bob has access to the Blue database, while the user John has access to the Red database. What I want to avoid is John being able to view the Blue database (the database that Bob can see) and vice versa (primarily for organizational reasons). I know this is possible by creating users within InfluxDB, but is it possible to achieve this level of restriction in Chronograf?

Thanks to all of those who reply in advance.


#2

Use Chronograf Organizations for this. I assume since you have Chronograf users, you have figured out OAuth. To restrict access to certain databases you will need to make changes both in Chronograf and InfluxDB:

  1. Create two organizations in Chronograf: “Blue Organization” and “Red Organization”.

  2. In the Influx shell, create an “admin” user, a “blueReader” non-admin user and a “redReader” non-admin user. Give “admin” user all privileges. Give “blueReader” permission to read the Blue database. Give “redReader” permission to read the Red database:

    CREATE USER "admin" WITH PASSWORD 'supersecretpassword' WITH ALL PRIVILEGES

    CREATE USER "blueReader" WITH PASSWORD 'bluePW'
    GRANT READ ON "Blue" TO "blueReader"

    CREATE USER "redReader" WITH PASSWORD 'redPW'
    GRANT READ ON "Red" TO "redReader"

  3. Enable authentication in /etc/influxdb/influxdb.conf (look in the [http] section for auth-enabled = false and set it to true) and restart InfluxDB.

  4. Log in to Chronograf as a SuperAdmin. Go to Configuration->Chronograf->All Users. Assign user “Bob” to “Blue Organization” and assign user “John” to “Red Organization”.

  5. (Still as a Chronograf SuperAdmin) Switch to “Blue Organization” and set up the sole source as an InfluxDB connection with InfluxDB user “blueReader”. Do the same for Red/redReader.

That should configure Blue Organization to have only the access that InfluxDB user “blueReader” has. Since Bob is assigned to only “Blue Organization”, when he logs in to Chronograf all he can see is what “blueReader” can.
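
A check that the InfluxDB side of the steps above ended up least-privilege, as an added example that is not part of the original reply: it parses the JSON that InfluxDB 1.x returns for SHOW USERS and SHOW GRANTS and reports any reader that is an admin or holds a grant outside its own database. The responses below are constructed samples, and the `localhost:8086` address in the comment is an assumption.

```python
import json

# Policy from the steps above: each reader gets READ on exactly one database.
EXPECTED = {"blueReader": {"Blue": "READ"}, "redReader": {"Red": "READ"}}

def rows(response_text):
    """Flatten an InfluxDB 1.x /query JSON response into {column: value} dicts."""
    out = []
    for result in json.loads(response_text).get("results", []):
        if "error" in result:
            raise ValueError(result["error"])
        for series in result.get("series", []):
            out += [dict(zip(series["columns"], v)) for v in series.get("values", [])]
    return out

def audit(show_users, grants_by_user, expected=EXPECTED):
    """Return findings; an empty list means the readers match the policy."""
    findings = []
    is_admin = {r["user"]: r["admin"] for r in rows(show_users)}
    for user, want in expected.items():
        if user not in is_admin:
            findings.append(f"{user}: user does not exist")
            continue
        if is_admin[user]:
            findings.append(f"{user}: is an admin and can read every database")
        have = {r["database"]: r["privilege"]
                for r in rows(grants_by_user.get(user, '{"results": []}'))
                if r["privilege"] != "NO PRIVILEGES"}
        for db in sorted(have):
            if want.get(db) != have[db]:
                findings.append(f"{user}: unexpected {have[db]} on {db}")
        for db in sorted(want.keys() - have.keys()):
            findings.append(f"{user}: missing {want[db]} on {db}")
    return findings

# Constructed sample responses, shaped like the output of e.g.
#   curl -G http://localhost:8086/query -u admin --data-urlencode 'q=SHOW USERS'
SHOW_USERS = ('{"results":[{"statement_id":0,"series":[{"columns":["user","admin"],'
              '"values":[["admin",true],["blueReader",false],["redReader",false]]}]}]}')
GRANTS = {  # one SHOW GRANTS FOR "<user>" response per reader
    "blueReader": '{"results":[{"statement_id":0,"series":[{"columns":["database","privilege"],'
                  '"values":[["Blue","READ"]]}]}]}',
    # Deliberate misconfiguration: redReader was also granted READ on Blue.
    "redReader": '{"results":[{"statement_id":0,"series":[{"columns":["database","privilege"],'
                 '"values":[["Red","READ"],["Blue","READ"]]}]}]}',
}

if __name__ == "__main__":
    for finding in audit(SHOW_USERS, GRANTS) or ["readers match the policy"]:
        print(finding)
```
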