管理细粒度授权
重要
认证 必须在 授权之前启用。如果未启用认证,则不会强制执行权限。请参阅“启用认证”。
使用细粒度授权(FGA)以控制数据库、度量和系列级别的用户访问。
您必须拥有管理员权限才能设置FGA。
FGA不适用于Flux
FGA不限制Flux查询(读取和写入)执行的操作。如果您使用FGA,我们建议[禁用Flux](/enterprise_influxdb/1.11/flux/installation/).
FGA仅在InfluxDB Enterprise中可用。InfluxDB OSS 1.x仅在数据库级别控制访问。
设置细粒度授权
在您的InfluxDB配置文件中启用认证。
通过InfluxDB查询API创建用户。
CREATE USER username WITH PASSWORD 'password'有关更多信息,请参阅用户管理命令。
请确保您可以访问元节点 API(默认端口8091)。
在典型的集群配置中,数据节点的HTTP端口(默认为8086)对客户端公开,但元节点的HTTP端口不公开。您可能需要与您的网络管理员合作,才能访问元节点的HTTP端口。
创建用户。执行以下操作
作为管理员,创建用户并授予用户所有权限。以下示例授予用户
east和west对datacenters数据库的所有权限。CREATE DATABASE datacenters CREATE USER east WITH PASSWORD 'east' GRANT ALL ON datacenters TO east CREATE USER west WITH PASSWORD 'west' GRANT ALL ON datacenters TO west根据需要向用户添加细粒度权限。
创建角色以授予分配给角色的用户的权限。
有关InfluxDB Enterprise中用户和角色如何工作的概述,请参阅InfluxDB Enterprise用户。
设置限制。限制适用于所有非管理员用户。
权限(目前为“读取”和“写入”)可以根据场景独立限制。
设置授权以取消指定用户和角色的限制。
关于示例的说明
以下示例使用curl(一种数据传输的命令行工具)向Meta API发送HTTP请求,以及jq(一种命令行JSON处理器),以便更易于阅读JSON输出。每个选项都有替代方案,但在此文档中未涵盖。
所有示例都假设InfluxDB已启用身份验证。每个请求都必须发送管理员凭证。使用curl -u标志传递身份验证凭证。
curl -u `username:password` #...
匹配方法
管理数据库、测量或系列的限制和权限时,以下匹配方法可用:
exact(仅匹配精确字符串匹配)prefix(匹配以指定前缀开始的字符串)
# Match a database name exactly
"database": {"match": "exact", "value": "my_database"}
# Match any databases that begin with "my_"
"database": {"match": "prefix", "value": "my_"}
通配符匹配
exact和prefix匹配方法不允许通配符匹配。
管理角色
角色允许您将权限分配给用户组。以下示例假设user1、user2和ops用户已存在于InfluxDB中。
创建角色
要创建新角色,请使用InfluxDB Meta API的/role端点,并将请求体中的action字段设置为create。
以下示例创建了两个新角色:
- east
- west
# Create east role
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "create",
"role": {
"name": "east"
}
}'
# Create west role
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "create",
"role": {
"name": "west"
}
}'
指定角色权限
要指定角色的权限,请使用InfluxDB Meta API的/role端点,并将action字段设置为add-permissions。指定要为每个数据库添加的权限。
以下示例为east和west角色在db1上设置读写权限。
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "add-permissions",
"role": {
"name": "east",
"permissions": {
"db1": ["ReadData", "WriteData"]
}
}
}'
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "add-permissions",
"role": {
"name": "west",
"permissions": {
"db1": ["ReadData", "WriteData"]
}
}
}'
移除角色权限
要从角色中移除权限,请使用InfluxDB Meta API的/role端点,并将action字段设置为remove-permissions。指定要从每个数据库中移除的权限。
以下示例从db1中移除east角色的读写权限。
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "remove-permissions",
"role": {
"name": "east",
"permissions": {
"db1": ["ReadData", "WriteData"]
}
}
}'
将用户分配给角色
要将用户分配给角色,请将action字段设置为add-users,并在role字段中包含用户列表。
以下示例将user1、user2和ops用户添加到east和west角色。
# Add user1 and ops to the east role
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "add-users",
"role": {
"name": "east",
"users": ["user1", "ops"]
}
}'
# Add user1 and ops to the west role
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "add-users",
"role": {
"name": "west",
"users": ["user2", "ops"]
}
}'
查看现有角色
要查看具有分配权限和用户的现有角色,请使用GET请求方法对InfluxDB Meta API的/role端点进行请求。
curl --location-trusted -XGET https://127.0.0.1:8091/role | jq
删除角色
要删除角色,请使用InfluxDB Meta API的/role端点,将action字段设置为delete,并包括要删除的角色名称。
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/role" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"action": "delete",
"role": {
"name": "west"
}
}'
删除角色不会删除分配给该角色的用户。
管理限制
限制可以限制InfluxDB资产上的读取和/或写入权限。限制适用于所有非管理员用户。 授权可以覆盖限制。
为了运行元查询(如
SHOW MEASUREMENTS或SHOW TAGS),用户必须具有查询的数据库和保留策略的读取权限。
使用InfluxDB Meta API的acl/restrictions端点管理限制。
curl --location-trusted -XGET "https://127.0.0.1:8091/influxdb/v2/acl/restrictions"
注意:为了最佳性能,设置最小限制。
按数据库限制
在大多数情况下,限制数据库是最简单的选项,对性能的影响最小。以下示例限制了my_database数据库的读写。
curl --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/restrictions" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"permissions": ["read", "write"]
}'
按数据库中的测量限制
以下示例限制了my_database数据库中network测量的读写权限。此限制不适用于my_database数据库中的其他测量。
curl --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/restrictions" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"permissions": ["read", "write"]
}'
在数据库中按系列限制
最细粒度的限制选项是限制测量和数据库中的特定标签。以下示例限制了my_database数据库中network测量中的datacenter=east标签的读写权限。此限制不适用于network测量中的其他标签或标签值。
curl --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/restrictions" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"tags": [{"match": "exact", "key": "datacenter", "value": "east"}],
"permissions": ["read", "write"]
}'
请仔细考虑此选项,因为它允许在不带标签的情况下写入network或写入带有标签键为datacenter且标签值非east的network。
将限制应用于由多个标签定义的系列
curl --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/restrictions" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"tags": [
{"match": "exact", "key": "tag1", "value": "value1"},
{"match": "exact", "key": "tag2", "value": "value2"}
],
"permissions": ["read", "write"]
}'
一次性创建多个限制
有时您可能需要使用每个唯一值来创建限制。要为值列表创建多个限制,请使用bash for循环
for value in val1 val2 val3 val4; do
curl --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/restrictions" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"tags": [{"match": "exact", "key": "datacenter", "value": "'$value'"}],
"permissions": ["read", "write"]
}'
done
查看现有限制
要查看现有限制,请使用带有acl/restrictions端点的GET请求方法。
curl --location-trusted -u "admin-username:admin-password" -XGET "https://127.0.0.1:8091/influxdb/v2/acl/restrictions" | jq
更新限制
您不能直接修改限制。删除现有限制并使用更新参数创建新限制。
移除限制
要移除限制,请使用带有acl/restrictions端点的GET请求方法获取限制ID。使用DELETE请求方法通过ID删除限制。
# Obtain the restriction ID from the list of restrictions
curl --location-trusted -u "admin-username:admin-password" \
-XGET "https://127.0.0.1:8091/influxdb/v2/acl/restrictions" | jq
# Delete the restriction using the restriction ID
curl --location-trusted -u "admin-username:admin-password" \
-XDELETE "https://127.0.0.1:8091/influxdb/v2/acl/restrictions/<restriction_id>"
管理授权
授权移除限制并授予用户或角色在InfluxDB资产上的读和写权限。
使用InfluxDB元API的acl/grants端点管理授权。
curl --location-trusted -u "admin-username:admin-password" \
-XGET "https://127.0.0.1:8091/influxdb/v2/acl/grants"
按数据库授权权限
以下示例授予对my_database数据库的读写权限。
注意:这不能保证用户会写入正确的测量或使用正确的标签。
授予用户数据库级别权限
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"permissions": ["read", "write"],
"users": [
{"name": "user1"},
{"name": "user2"}
]
}'
授予角色数据库级别权限
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"permissions": ["read", "write"],
"roles": [
{"name": "role1"},
{"name": "role2"}
]
}'
按数据库中的测量授权权限
以下示例授予对my_database数据库中的network测量的权限。这些授权不适用于my_database数据库中的其他测量,也不保证用户会使用正确的标签。
授予用户测量级别权限
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"permissions": ["read", "write"],
"users": [
{"name": "user1"},
{"name": "user2"}
]
}'
要授予角色访问权限,请运行
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"permissions": ["read", "write"],
"roles": [
{"name": "role1"},
{"name": "role2"}
]
}'
按数据库中的系列授权权限
以下示例仅授予与对应datacenter标签的数据的访问权限。它们都不保证用户会使用network测量。
授予用户系列级别权限
# Grant user1 read/write permissions on data with the 'datacenter=east' tag set.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"tags": [{"match": "exact", "key": "datacenter", "value": "east"}],
"permissions": ["read", "write"],
"users": [{"name": "user1"}]
}'
# Grant user2 read/write permissions on data with the 'datacenter=west' tag set.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"tags": [{"match": "exact", "key": "datacenter", "value": "west"}],
"permissions": ["read", "write"],
"users": [{"name": "user2"}]
}'
授予角色系列级别权限
# Grant role1 read/write permissions on data with the 'datacenter=east' tag set.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"tags": [{"match": "exact", "key": "datacenter", "value": "east"}],
"permissions": ["read", "write"],
"roles": [{"name": "role1"}]
}'
# Grant role2 read/write permissions on data with the 'datacenter=west' tag set.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"tags": [{"match": "exact", "key": "datacenter", "value": "west"}],
"permissions": ["read", "write"],
"roles": [{"name": "role2"}]
}'
授予对测量中特定系列的访问权限
以下示例授予对network测量中对应的datacenter标签的读写权限。它们各自在请求体中指定了测量。
在测量中授予用户系列级别权限
# Grant user1 read/write permissions on data with the 'datacenter=west' tag set
# inside the 'network' measurement.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"tags": [{"match": "exact", "key": "datacenter", "value": "east"}],
"permissions": ["read", "write"],
"users": [{"name": "user1"}]
}'
# Grant user2 read/write permissions on data with the 'datacenter=west' tag set
# inside the 'network' measurement.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"tags": [{"match": "exact", "key": "datacenter", "value": "west"}],
"permissions": ["read", "write"],
"users": [{"name": "user2"}]
}'
在测量中授予角色系列级别权限
# Grant role1 read/write permissions on data with the 'datacenter=west' tag set
# inside the 'network' measurement.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"tags": [{"match": "exact", "key": "datacenter", "value": "east"}],
"permissions": ["read", "write"],
"roles": [{"name": "role1"}]
}'
# Grant role2 read/write permissions on data with the 'datacenter=west' tag set
# inside the 'network' measurement.
curl -s --location-trusted -XPOST "https://127.0.0.1:8091/influxdb/v2/acl/grants" \
-u "admin-username:admin-password" \
-H "Content-Type: application/json" \
--data-binary '{
"database": {"match": "exact", "value": "my_database"},
"measurement": {"match": "exact", "value": "network"},
"tags": [{"match": "exact", "key": "datacenter", "value": "west"}],
"permissions": ["read", "write"],
"roles": [{"name": "role2"}]
}'
特定系列的资助也适用于元查询。元查询的结果将根据系列级别的权限进行限制。例如,SHOW TAG VALUES只返回用户有权限查看的标签值。
有了这些资助,用户或角色只有在数据包含适当的datacenter标签集时,才能从或向network度量读取或写入数据。
请注意,这仅是存在该标签的要求;datacenter=east,foo=bar也将被接受。
查看现有授权
要查看现有的资助,请使用带有acl/grants端点的GET请求方法。
curl --location-trusted -u "admin-username:admin-password" \
-XGET "https://127.0.0.1:8091/influxdb/v2/acl/grants" | jq
更新授权
您不能直接修改资助。删除现有的资助,然后使用更新后的参数创建一个新的资助。
移除授权
要删除资助,请使用带有acl/grants端点的GET请求方法获取资助ID。使用DELETE请求方法通过ID删除资助。
# Obtain the grant ID from the list of grants
curl --location-trusted -u "admin-username:admin-password" \
-XGET "https://127.0.0.1:8091/influxdb/v2/acl/grants" | jq
# Delete the grant using the grant ID
curl --location-trusted -u "admin-username:admin-password" \
-XDELETE "https://127.0.0.1:8091/influxdb/v2/acl/grants/<grant_id>"
这个页面有帮助吗?
感谢您的反馈!