Feature request: Overhaul user, role and permission management to support database-level permissions for OSS and Enterprise #5834

Closed
timhallinflux opened this issue Dec 15, 2021 · 8 comments

@timhallinflux
Contributor

Current behavior:
Chronograf supports the ability to set user and role permissions at the instance level. This means that when granting permissions for a user/role these permissions apply for every database within an InfluxDB instance (OSS or Enterprise).

Proposed behavior:
InfluxDB OSS supports management of user permissions at the individual database level -- using InfluxQL.

InfluxDB Enterprise also supported management of user and role permissions at the individual database level -- using the /user meta API.

Chronograf already detects whether it is connected to an OSS and/or Enterprise edition (along with whether it has appropriate access to the meta nodes). It should offer a more sophisticated UI to support database-level permissions.

@danatinflux

@samhld @timhallinflux Any movement on this one?

@timhallinflux
Contributor Author

Planned as part of the Chronograf 1.10 release -- as labeled.

@samhld

samhld commented May 1, 2022

@ivankudibal @sranka

Additional context:
In giving this some thought, I think we might want to include all permissions in this if we're assuming admins are using Chronograf as a user management interface, in general. While not all permissions are related to behavior of the UI, itself, admins may still want to create and manage non-UI users from Chronograf as well?

Placement:
I would have this configuration placed in the same user administration area of the UI that already exists.

UX:
I am open to other ideas but my brain currently thinks of this as a table. Users being rows, resources being columns, and permissions being a dropdown (box select type, for multiple selections) for each resource. The value of each table cell would then be a list of permissions.

@sranka
Contributor

sranka commented May 2, 2022

Thank you @samhld for your initial input, makes sense to me. I will start with user/permission management in a table-like visualization as you suggest (with a user/database filter that can be used if there are more databases or users). The InfluxDB Users management page will also change to not manage permissions at all (it is a wrong concept since permissions can have database scope).

I will initially postpone InfluxDB role management changes, it might however look the same (assigning users to roles). Roles are already administered by the UI, this will be revised and likely changed. I will initially put off restrictions management, since it will require a different approach.

> While not all permissions are related to behavior of the UI, itself, admins may still want to create and manage non-UI users from Chronograf as well?

Yes, Chronograf authorizations are different to InfluxDB authorizations. InfluxDB user/role/permission management against InfluxDB Enterprise (when detected) is the primary goal of this issue; OSS must be supported as well. Pages accessible from the Admin/InfluxDB sidebar menu will change.

@sranka
Contributor

sranka commented Jun 8, 2022

The new User and Role management now also includes the ability to manage permissions per DB for both roles and users.

@sranka sranka closed this as completed Jun 8, 2022
@tarainfluxd
Member

Hey @sranka! Is there documentation for this feature?

@samhld

samhld commented Jun 14, 2022

@tara-influxdata Documentation will be included with its release

@tarainfluxd
Member

Perfect, thank you @samhld!
