User access privileges not restricted according to assigned access token

Hello influx community,

It appears to me that the privileges of a user in influx 2.0.7 are not really limited exactly as they are supposed to be.
For example, as shown in the screenshots below, for this testUser3 the admin only gave him R/W privileges for two demo buckets, but in the user interface via web browser that user does see all the buckets of our organization. testUser3 can even explore all the data and download it as a CSV file. This makes it difficult to manage users for an organization with a lot of critical data.

Is it a known issue, is there a solution or workaround?

many thanks,
Shuo


Hello @scTHU,
How did you create a new member? Can you walk me through those steps or the documentation that you followed?

Hello Anaisdg,

I basically used the influx CLI in the docker compose terminal to create new users and tokens.
Just followed the official documentation:
https://docs.influxdata.com/influxdb/v2.0/users/create-user/
https://docs.influxdata.com/influxdb/v2.0/security/tokens/create-token/

For example, to create a new member, I use:
influx user create -n [username] -p [password] -o [org]

To assign him a token with all read access, I would use the following CLI command:
influx auth create --user [username] -d [description] -o [org] --read-buckets --read-dashboards --read-orgs --read-tasks --read-telegrafs --read-notificationRules --read-notificationEndpoints --read-checks --read-dbrps

To give a new user an R/W access token for a specific bucket, I would use this CLI command:
influx auth create --user [username] -d [description] -o [org] --read-bucket [bucket-id] --write-bucket [bucket-id]

best regards,
Shuo
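As an added example (not code from the original post and not InfluxData's own tooling), here is a small Python audit of the authorizations that commands like the ones above produce. It assumes the JSON shape returned by `GET /api/v2/authorizations` (or `influx auth list --json`) in InfluxDB 2.x: each authorization carries a `permissions` list whose entries have an `action` (`read`/`write`) and a `resource` with a `type`, an `orgID` and, for a bucket-scoped grant, an `id`; a bucket resource without an `id` is taken to mean every bucket in the org, which is what `--read-buckets` / `--write-buckets` grant. The sample authorizations, IDs and descriptions are constructed for the example. Note that this checks token scope only, i.e. what the API enforces; it says nothing about what the web UI shows.

```python
import json

# Constructed sample in the assumed InfluxDB 2.x authorization shape.
# Token 1: bucket-scoped R/W on two demo buckets (--read-bucket/--write-bucket).
# Token 2: org-wide read on all buckets (--read-buckets).
# Token 3: org-wide write, but the token has been deactivated.
SAMPLE_AUTHORIZATIONS = json.loads("""
[
  {"id": "0a1b2c3d4e5f6071", "description": "testUser3 scoped R/W on two demo buckets",
   "status": "active", "orgID": "1111111111111111", "userID": "2222222222222222",
   "permissions": [
     {"action": "read",  "resource": {"type": "buckets", "id": "aaaaaaaaaaaaaaaa", "orgID": "1111111111111111", "name": "demo1"}},
     {"action": "write", "resource": {"type": "buckets", "id": "aaaaaaaaaaaaaaaa", "orgID": "1111111111111111", "name": "demo1"}},
     {"action": "read",  "resource": {"type": "buckets", "id": "bbbbbbbbbbbbbbbb", "orgID": "1111111111111111", "name": "demo2"}},
     {"action": "write", "resource": {"type": "buckets", "id": "bbbbbbbbbbbbbbbb", "orgID": "1111111111111111", "name": "demo2"}}
   ]},
  {"id": "0a1b2c3d4e5f6072", "description": "read-all token from --read-buckets",
   "status": "active", "orgID": "1111111111111111", "userID": "2222222222222222",
   "permissions": [
     {"action": "read", "resource": {"type": "buckets", "orgID": "1111111111111111"}},
     {"action": "read", "resource": {"type": "dashboards", "orgID": "1111111111111111"}}
   ]},
  {"id": "0a1b2c3d4e5f6073", "description": "old write-all token, deactivated",
   "status": "inactive", "orgID": "1111111111111111", "userID": "2222222222222222",
   "permissions": [
     {"action": "write", "resource": {"type": "buckets", "orgID": "1111111111111111"}}
   ]}
]
""")

# Sentinel for a bucket permission whose resource has no "id" (assumed to mean
# every bucket in the org, as produced by --read-buckets / --write-buckets).
ALL = "*"


def bucket_scope(auth):
    """Return {"read": set(ids), "write": set(ids)} for one authorization.

    Only resources of type "buckets" count; non-bucket grants (dashboards,
    tasks, ...) are ignored because they do not expose bucket data.
    """
    scope = {"read": set(), "write": set()}
    for perm in auth.get("permissions", []):
        res = perm.get("resource", {})
        if res.get("type") != "buckets":
            continue
        action = perm.get("action")
        if action in scope:
            scope[action].add(res.get("id", ALL))
    return scope


def can(auth, action, bucket_id):
    """True if an API caller holding this token may perform action on bucket_id."""
    if auth.get("status", "active") != "active":
        return False
    ids = bucket_scope(auth).get(action, set())
    return ALL in ids or bucket_id in ids


def overbroad_tokens(auths):
    """(token id, [actions]) for every token granting org-wide bucket read or write.

    Inactive tokens are reported too: they can be reactivated, so an audit
    should still know they exist.
    """
    found = []
    for auth in auths:
        scope = bucket_scope(auth)
        wide = [a for a in ("read", "write") if ALL in scope[a]]
        if wide:
            found.append((auth["id"], wide))
    return found


def summarize(auths):
    """One human-readable line per token, e.g. for a periodic audit job."""
    lines = []
    for auth in auths:
        scope = bucket_scope(auth)
        parts = []
        for action in ("read", "write"):
            ids = scope[action]
            if ALL in ids:
                parts.append(f"{action}=ALL BUCKETS")
            elif ids:
                parts.append(f"{action}={','.join(sorted(ids))}")
        status = auth.get("status", "active")
        lines.append(f"{auth['id']} [{status}] ({auth.get('description', '')}): "
                     f"{' '.join(parts) or 'no bucket access'}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_AUTHORIZATIONS):
        print(line)
    for token_id, actions in overbroad_tokens(SAMPLE_AUTHORIZATIONS):
        print(f"WARNING: token {token_id} grants org-wide bucket {'/'.join(actions)}")
```

To run it against a real deployment, replace `SAMPLE_AUTHORIZATIONS` with the parsed output of `influx auth list --json` (an operator token is needed to list other users' authorizations).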

Hmm @scTHU,
Thanks for sharing, I’m not sure why this isn’t successful. I
Can you run

influx auth list --user username

To verify that your user has the appropriate token?

I’m pretty sure that user has the appropriate token, just as shown in the figure below:

When I use that user account to upload data to other buckets or delete buckets, it won't work. However, that user can explore all buckets of the organization and even download data as CSV files; this makes it critical…

Hello @scTHU,
This sounds like a bug. Can you please create an issue?

Hm, it looks like it's not a bug. There's not a clean way to restrict privileges in the UI. I still encourage you to create a feature request, please, and share it so I can include it in our community feedback analytics tool to help product plan.

A little more information:
The tokens do not determine a user's access inside the UI. If you give that token to a user, their access to the API outside of the UI will have those restrictions.

Inside the UI there are really only two options. A user can either be an OWNER, which lets them modify anything in the organization. The other option is MEMBER, which allows read-only access to the organization.


Hi Anaisdg,

Thanks for your reply. I would like to create a feature request; how can I do that, can you give me a link?

best regards,
Shuo

Hi Anthony,

Totally agree with you. For most of our InfluxDB users, it's not a problem to deal with data in a Python IDE with their access token. But we still have staff and students who are not really familiar with programming languages and thus prefer to use the web interface. For admins it is also much easier if a certain user can create, view and delete his own buckets.
I will put these points into my feature request.

many thanks,
Shuo

Hello @scTHU,
Here you go:

Thanks!