Manage authorization with the InfluxDB Enterprise Meta API
Important
Authentication must be enabled before authorization takes effect. If authentication is not enabled, permissions are not enforced. See "Enable authentication".
Use the InfluxDB Enterprise Meta API to manage authorization for a cluster.
The API can manage both cluster-level and database-specific permissions. Chronograf can only manage cluster-level permissions; to manage permissions at the database level, use the API.
For more information, see Enterprise users and permissions.
Example API requests
Many of the examples below pipe the JSON output through the jq utility to make it readable. Install jq to process JSON output; if it is not available to you, drop the trailing | jq shown in the examples.
Users
Use the /user endpoint of the InfluxDB Enterprise Meta API to manage users.
List users
View a list of existing users.
curl --location-trusted -u "admin:changeit" -s https://cluster_node_1:8091/user | jq
{
"users": [
{
"hash": "$2a$10$NelNfrWdxubN0/TnP7DwquKB9/UmJnyZ7gy0i69MPldK73m.2WfCu",
"name": "admin",
"permissions": {
"": [
"ViewAdmin",
"ViewChronograf",
"CreateDatabase",
"CreateUserAndRole",
"AddRemoveNode",
"DropDatabase",
"DropData",
"ReadData",
"WriteData",
"Rebalance",
"ManageShard",
"ManageContinuousQuery",
"ManageQuery",
"ManageSubscription",
"Monitor",
"CopyShard",
"KapacitorAPI",
"KapacitorConfigAPI"
]
}
}
]
}
Create a user on a non-leader meta node
Transactions that modify the user store must be sent with POST to the leader meta node.
If the node returns a 307 redirect, re-send the request to the leader node indicated by the Location field in the HTTP response header. curl's --location-trusted option does this for you; note that it also re-sends the credentials to whatever host the redirect names.
curl --location-trusted -u "admin:changeit" -s -v \
-d '{"action":"create","user":{"name":"phantom2","password":"changeit"}}' \
https://cluster_node_2:8091/user
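As an added example (not code from the InfluxDB documentation or project), the following Python client does what the paragraph above describes: it posts a transaction to a meta node, and when that node answers 307 it re-sends the same body to the Location header, but only if the redirect target is on an allowlist of known meta node hosts, because the Basic credentials travel with the re-sent request. The two HTTP servers in the block are constructed loopback stand-ins for a follower and a leader (not influxd-meta); the admin:changeit credentials and the create-user payload come from the page's examples; the allowlist check is this example's own design, not a feature of the meta API.

```python
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import Request, urlopen

# Credentials from the page's examples; this header is what curl -u sends.
AUTH_HEADER = "Basic " + base64.b64encode(b"admin:changeit").decode()


def post_to_leader(url, payload, trusted_hosts, auth_header=AUTH_HEADER, max_hops=3):
    """POST a meta-API transaction. A follower answers 307 with a Location header
    naming the leader; re-send the same body there, but only when that host is a
    known meta node, because the Authorization header travels with it."""
    body = json.dumps(payload).encode()
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if host not in trusted_hosts:
            raise ValueError("refusing to send credentials to non-meta host %r" % host)
        req = Request(url, data=body, method="POST",
                      headers={"Authorization": auth_header,
                               "Content-Type": "application/json"})
        try:
            with urlopen(req, timeout=5) as resp:
                return resp.status, url
        except HTTPError as err:
            if err.code != 307:  # urllib will not auto-follow a 307 for POST
                raise
            url = urljoin(url, err.headers["Location"])
    raise RuntimeError("gave up after %d redirects" % max_hops)


# Constructed stand-ins for two meta nodes on loopback (not influxd-meta itself).
class _Leader(BaseHTTPRequestHandler):
    received = []  # transactions the mock leader accepted

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("Authorization") == AUTH_HEADER
        if ok:
            self.received.append(json.loads(body))
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def _follower_redirecting_to(leader_base):
    """Handler for a non-leader node: every POST gets a 307 to the leader."""
    class _Follower(_Leader):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(307)
            self.send_header("Location", leader_base + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()
    return _Follower


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0 picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo_redirect_to_leader():
    """Send the page's create-user transaction to the follower; it lands on the leader."""
    leader, leader_base = _serve(_Leader)
    follower, follower_base = _serve(_follower_redirecting_to(leader_base))
    try:
        status, final_url = post_to_leader(
            follower_base + "/user",
            {"action": "create", "user": {"name": "phantom2", "password": "changeit"}},
            trusted_hosts={"127.0.0.1"})
    finally:
        for srv in (follower, leader):
            srv.shutdown()
            srv.server_close()
    return status, final_url == leader_base + "/user", _Leader.received[-1]


def demo_untrusted_redirect_rejected():
    """A 307 pointing outside the cluster must not receive the credentials."""
    follower, follower_base = _serve(
        _follower_redirecting_to("https://not-a-meta-node.example"))
    try:
        post_to_leader(follower_base + "/user",
                       {"action": "create", "user": {"name": "x", "password": "y"}},
                       trusted_hosts={"127.0.0.1"})
    except ValueError:
        return True
    finally:
        follower.shutdown()
        follower.server_close()
    return False
```

Against a real cluster you would pass the HTTPS URL of any meta node as the starting point and the names of all meta nodes as trusted_hosts; the mock leader also shows the check a node performs on the Authorization header, which is why a redirect to an unknown host is worth refusing.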
Create a user on the leader node
curl --location-trusted -u "admin:changeit" -s -v \
-d '{"action":"create","user":{"name":"phantom","password":"changeit"}}' \
https://cluster_node_1:8091/user
Retrieve a user details document
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/user?name=phantom | jq
{
"users": [
{
"hash": "$2a$10$hR.Ih6DpIHUaynA.uqFhpOiNUgrADlwg3rquueHDuw58AEd7zk5hC",
"name": "phantom"
}
]
}
Grant a user permissions on all databases
To grant a list of permissions on all databases in the cluster, use the empty-string key "" in the permissions object, as in the following example.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","user":{"name":"phantom","permissions":{"":["ReadData", "WriteData"]}}}' \
https://cluster_node_1:8091/user
Grant a user permissions on a specific database
Grant the user named phantom the ReadData and WriteData permissions on MyDatabase.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","user":{"name":"phantom","permissions":{"MyDatabase":["ReadData","WriteData"]}}}' \
https://cluster_node_1:8091/user
Verify user permissions
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/user?name=phantom | jq
{
"users": [
{
"hash": "$2a$10$hR.Ih6DpIHUaynA.uqFhpOiNUgrADlwg3rquueHDuw58AEd7zk5hC",
"name": "phantom",
"permissions": {
"MyDatabase": [
"ReadData",
"WriteData"
]
}
}
]
}
Remove permissions from a user
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"remove-permissions","user":{"name":"phantom","permissions":{"":["KapacitorConfigAPI"]}}}' \
https://cluster_node_1:8091/user
Delete a user
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"delete","user":{"name":"phantom2"}}' \
https://cluster_node_1:8091/user
Verify the user deletion
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/user?name=phantom
{
"error": "user not found"
}
Change a user's password
curl --location-trusted -u "admin:changeit" -H "Content-Type: application/json" \
-d '{"action": "change-password", "user": {"name": "<username>", "password": "newpassword"}}' \
localhost:8091/user
Roles
The influxd-meta API provides the /role endpoint for managing roles.
List roles
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role | jq
{}
On a fresh install no roles exist yet. As with creating users, the leader node must be used.
Create a role
curl --location-trusted --negotiate -u "admin:changeit" -v \
-d '{"action":"create","role":{"name":"spectre"}}' \
https://cluster_node_1:8091/role
Verify the role
Verify that the role was created.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role | jq
{
"roles": [
{
"name": "djinn"
},
{
"name": "spectre"
}
]
}
Retrieve a role document
Retrieve the record for an individual role.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq
{
"roles": [
{
"name": "spectre"
}
]
}
Add permissions to a role for all databases
To grant a role a set of permissions on all databases in the cluster, use the "" key in the permissions object, as shown in the following example.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","role":{"name":"spectre","permissions":{"":["ReadData","WriteData"]}}}' \
https://cluster_node_1:8091/role
Add permissions to a role for a specific database
Grant the role named spectre the ReadData and WriteData permissions on MyDatabase.
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-permissions","role":{"name":"spectre","permissions":{"MyDatabase":["ReadData","WriteData"]}}}' \
https://cluster_node_1:8091/role
Verify role permissions
Verify that the permissions were added.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq
{
"roles": [
{
"name": "spectre",
"permissions": {
"MyDatabase": [
"ReadData",
"WriteData"
]
}
}
]
}
Add a user to a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"add-users","role":{"name":"spectre","users":["phantom"]}}' \
https://cluster_node_1:8091/role
Verify users in a role
Verify that the user was added to the role.
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq
{
"roles": [
{
"name": "spectre",
"permissions": {
"": [
"KapacitorAPI",
"KapacitorConfigAPI"
]
},
"users": [
"phantom"
]
}
]
}
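A user's effective rights come from two places shown on this page: direct grants (including the empty-string key that covers every database) and membership in roles that carry grants of their own. Reading that off a series of GET /user and GET /role responses by eye is error-prone, so as an added example, not part of the InfluxDB documentation, the Python below merges both sources for each user and answers the two audit questions a least-privilege review starts with: who holds a given permission on a given database, and who holds anything cluster-wide. The USERS and ROLES documents are constructed to match the shape of the page's output (password hashes omitted); that role permissions are added to the user's own is an assumption noted in the code.

```python
from collections import defaultdict

# Constructed documents shaped like the page's GET /user and GET /role output;
# only "name", "permissions" and "users" matter for an audit, so hashes are omitted.
USERS = [
    {"name": "admin", "permissions": {"": ["ViewAdmin", "CreateUserAndRole",
                                           "ReadData", "WriteData", "DropData"]}},
    {"name": "phantom", "permissions": {"MyDatabase": ["ReadData", "WriteData"]}},
    {"name": "ghost", "permissions": {}},
]
ROLES = [
    {"name": "spectre", "permissions": {"": ["KapacitorAPI", "KapacitorConfigAPI"]},
     "users": ["phantom", "ghost"]},
    {"name": "djinn", "permissions": {"OtherDB": ["ReadData"]}, "users": ["ghost"]},
]

ALL_DATABASES = ""  # the empty-string key grants a permission on every database


def effective_permissions(user, roles):
    """Union of the user's direct grants and the grants of every role listing it.
    Assumption: role permissions are additive on top of the user's own."""
    eff = defaultdict(set)
    for scope, perms in user.get("permissions", {}).items():
        eff[scope].update(perms)
    for role in roles:
        if user["name"] in role.get("users", []):
            for scope, perms in role.get("permissions", {}).items():
                eff[scope].update(perms)
    return dict(eff)


def has_permission(eff, database, permission):
    """True if the permission is held on this database or cluster-wide."""
    return (permission in eff.get(ALL_DATABASES, ())
            or permission in eff.get(database, ()))


def principals_with(users, roles, database, permission):
    """Sorted names of users holding `permission` on `database`."""
    return sorted(u["name"] for u in users
                  if has_permission(effective_permissions(u, roles), database, permission))


def cluster_wide_grants(users, roles):
    """Map each user to the permissions it holds on every database: the grants a
    least-privilege review should question first."""
    return {u["name"]: sorted(effective_permissions(u, roles).get(ALL_DATABASES, ()))
            for u in users}


if __name__ == "__main__":
    print(principals_with(USERS, ROLES, "MyDatabase", "WriteData"))
    print(cluster_wide_grants(USERS, ROLES))
```

To run this against a real cluster, replace USERS and ROLES with the "users" and "roles" arrays returned by the /user and /role endpoints; ghost in the sample shows the case that is easiest to miss, a user with no direct grants who nevertheless holds cluster-wide permissions through a role.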
Remove a user from a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"remove-users","role":{"name":"spectre","users":["phantom"]}}' \
https://admin:changeit@cluster_node_1:8091/role
Remove permissions from a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"remove-permissions","role":{"name":"spectre","permissions":{"":["KapacitorConfigAPI"]}}}' \
https://cluster_node_1:8091/role
Delete a role
curl --location-trusted --negotiate -u "admin:changeit" -s -v \
-d '{"action":"delete","role":{"name":"spectre"}}' \
https://cluster_node_1:8091/role
Verify the role deletion
curl --location-trusted --negotiate -u "admin:changeit" -s https://cluster_node_1:8091/role?name=spectre | jq
{
"error": "role not found"
}