Sending a Query Across All Buckets and Organizations

balsa · August 16, 2022, 7:25pm

Is there any way to send a query that would read data across all buckets and organizations?

For instance, I can send a query like this:

from(bucket: "Test Bucket")
    |> range(start: -30d)
    |> last()

But, suppose I wanted to get the most recent reading from each bucket in every organization.
The query below does not work because bucket is a required argument, but I imagine that what I want to do might look something like this:

from()
    |> range(start: -30d)
    |> last()

Is such a thing possible, or will it be necessary to send a separate query for every bucket and every organization?

Giovanni_Luisotto · August 17, 2022, 7:43am

Short answer:
It will be necessary to send a separate query for every bucket and every organization.

You will also have a permission “problem” as everything is organization scoped, meaning you can’t use the same user on multiple orgs, unless you use the super-admin user (I forgot the actual name)… which is not recommended at all

balsa · August 17, 2022, 8:11am

Thank you, @Giovanni_Luisotto. That’s what I expected.

What I didn’t expect is that users were organization-scoped. I’m testing against OSS InfluxDB, and was creating per-bucket authorizations in external orgs using, e.g.:

authorizationsAPI.postAuthorizations({body: {userID: user.influxId, orgID: user.orgId, permissions: [{action: 'read', resource: {id: device.bucketId, type: 'buckets'}}]}});

Looking at this again, this code seems suspect to me though somehow I’d convinced myself that this was indeed correctly allowing cross-organization permissions to specific buckets. I will double-check this code. If indeed I can’t have cross-organization users, that will require a major re-architecting of our systems.

Giovanni_Luisotto · August 17, 2022, 8:23am

as a reference…

github.com/influxdata/influxdb

Add Instance level privileges/tokens

opened 02:39PM - 14 Mar 22 UTC

Trovalo

__Proposal:__ I'd love to see instance-level permission management. This is wh…at I mean by Instance-level ``` - Instance - Organizations - Buckets ``` As of now, It's not possible to access InfluxDB with a ReadOnly/WriteOnly token that is valid for multiple organizations, exception made for the "operator token", the equivalent of sysadmin, which should not be used for applications. __Current behavior:__ There is no way to create a token that allows access to more than one Organization __Desired behavior:__ Create and manage tokens that allow access to more than one Organization __Alternatives considered:__ I've tried with the v1 authorization (for backward compatibility), but the created user is still organization scoped. There is no way around it. __Use case:__ My personal use case is to have a single token with write-only permission on multiple Organizations, I have a centralized system, in which all the data pass through a single Telegraf gateway. Using InflxDB1 I've got no problems, as I just need a user with Write permission on all databases... by translating this into InfluxDB2, the best fit is to turn a DB into an Organization, but I can't have a token to access them all... which means the routing (made by the telegraf gateway) becomes hell. The whole idea started from a telegraf feature request https://github.com/influxdata/telegraf/issues/10778, you may find some more details about my use case there. edit: typos

balsa · August 17, 2022, 9:02am

Thank you for that information. I think that I can work around this limitation with some refactoring.

One more question: The API documentation I have around the AuthorizationsAPI, and indeed around permissions in general, is pretty limited. Are you aware of detailed documentation about what is possible permissions-wise?

If not, maybe you could sanity-check my expectations:

Users within an org do not, by default, have read access to all buckets in that org. So, if I created a bucket for a user, I would use BucketsAPI.postBucketsIDOwners to set that user as the owner and the bucket would by default not be accessible to other users.
AuthorizationsAPI.postAuthorizations with userID specified can grant read-only access to specific users.
AuthorizationsAPI.postAuthorizations without userID specified can grant read-only access to the entire org, if desired.

Giovanni_Luisotto · August 17, 2022, 12:16pm

I’m unable to find a “clean” list and I’ve never used the API before, but from here you might get the idea of existing permissions even if some info are missing, I’ve found a more complete list here but I’m not sure it’s fully supported. (as it’s meant for API usage, it sure is for read/write operations)

I’d create the user and grant them proper permission, be it read/write on a single, multiple, or all buckets (all read/write has his own syntax)

balsa · August 17, 2022, 7:58pm

Thank you for your guidance, @Giovanni_Luisotto. I appreciate it!

Topic		Replies	Views
How can I query all the buckets in an organization using Flux? InfluxDB 2 influxdb , flux , java	2	571	April 2, 2024
Change Bucket Organization InfluxDB 2	2	919	March 23, 2022
System buckets permissions InfluxDB 2 influxdb	1	763	April 4, 2023
Deny Read Permission to Buckets for Org Members InfluxDB 2	2	413	August 22, 2022
Cloud 2 access token permissions InfluxDB 2 influxdb-cloud-2-0	2	1688	January 8, 2020

Sending a Query Across All Buckets and Organizations

Related topics