It appears to me that the privilege of a user in influx 2.0.7 is not really limited exactly as it is supposed to be.
For example, as shown in the screenshots below, for this testUser3 the admin only gave him the R/W privileges for two demo buckets, but in the user interface via web browser that user does see all the buckets of our organization. The testUser3 can even explore all the data and download them as a csv file. This makes it difficult to manage users for an organization with a lot of critical data.
Is it a known issue, is there a solution or workaround?
I basically used the influx CLI in the docker compose terminal to create new users and tokens.
Just followed the official documentation:
For example, to create a new member, I use:
influx user create -n [username] -p [password] -o [org]
To assign him a token with all read access, I would use the following CLI command:
influx auth create --user [username] -d [description] -o [org] --read-buckets --read-dashboards --read-orgs --read-tasks --read-telegrafs --read-notificationRules --read-notificationEndpoints --read-checks --read-dbrps
To give a new user a R/W access token for a specific bucket, I would use this CLI command:
influx auth create --user [username] -d [description] -o [org] --read-bucket [bucket-id] --write-bucket [bucket-id]
When I use that user account to upload data in other buckets or delete buckets, it won't work. However, that user can explore all buckets of the organization and even download data in csv files, which makes it critical…
Hm, it looks like it's not a bug. There's not a clean way to restrict privileges in the UI. I still encourage you to create a feature request, please, and share it so I can include it in our community feedback analytics tool to help product plan.
A little more information:
The tokens do not determine a user's access inside the UI. If you give that token to a user, their access to the API outside of the UI will have those restrictions.
Inside the UI there are really only 2 options. A user can either be an OWNER, which lets them modify anything in the organization. The other option is MEMBER, which allows read-only access to the organization.
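An added example (not from this thread or from InfluxDB itself) that audits the permissions array an authorization carries, in the shape returned by `influx auth list --json` / `GET /api/v2/authorizations`, and flags tokens whose bucket scope is org-wide rather than pinned to bucket ids. The sample records, ids and user names are constructed; as the reply above states, this only describes API access, since UI visibility follows the OWNER/MEMBER role, not the token.

```python
import json

# Constructed sample in the authorization shape InfluxDB 2.x returns. The first
# token mirrors the "--read-buckets" command above (no bucket id => every bucket
# in the org); the second mirrors "--read-bucket/--write-bucket [bucket-id]".
SAMPLE_AUTHS = json.dumps([
    {"id": "auth-readall", "user": "testUser3", "status": "active",
     "permissions": [
         {"action": "read", "resource": {"type": "buckets", "orgID": "org-1"}},
         {"action": "read", "resource": {"type": "dashboards", "orgID": "org-1"}}]},
    {"id": "auth-scoped", "user": "testUser3", "status": "active",
     "permissions": [
         {"action": "read", "resource": {"type": "buckets", "id": "bkt-demo1", "orgID": "org-1"}},
         {"action": "write", "resource": {"type": "buckets", "id": "bkt-demo1", "orgID": "org-1"}}]},
    {"id": "auth-old", "user": "testUser3", "status": "inactive",
     "permissions": [
         {"action": "write", "resource": {"type": "buckets", "orgID": "org-1"}}]},
])


def bucket_scope(auth):
    """Return (read_ids, write_ids) for the bucket permissions of one authorization.

    A resource entry without an "id" applies to every bucket in the org; it is
    recorded as "*" so callers can tell org-wide scope from per-bucket scope.
    """
    read, write = set(), set()
    for perm in auth.get("permissions", []):
        res = perm.get("resource", {})
        if res.get("type") != "buckets":
            continue
        target = res.get("id", "*")
        (read if perm.get("action") == "read" else write).add(target)
    return read, write


def audit_authorizations(auths_json):
    """Flag active tokens whose read or write scope covers all buckets in the org."""
    findings = []
    for auth in json.loads(auths_json):
        if auth.get("status") != "active":  # revoked/inactive tokens cannot be used
            continue
        read, write = bucket_scope(auth)
        if "*" in read or "*" in write:
            findings.append((auth["id"], auth.get("user"), "*" in read, "*" in write))
    return findings
```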
Totally agree with you. For most of our influxDB users, it's not a problem to deal with data in a python IDE with their access token. But we still have staff and students who are not really familiar with a programming language and thus prefer using the web interface. For the admin it is also much easier if a certain user can create, view and delete his own buckets.
I will put these points into my feature request.