feat(cmd/influxd): warn if auth wasn't enabled and users were upgraded (

#20036)
influxdata · Nov 17, 2020 · a844410 · a844410
1 parent 55eaa05
commit a844410
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## v2.0.2 [unreleased]
 
+### Features
+
+1. [20036](https://github.com/influxdata/influxdb/pull/): warn if V1 users are upgraded, but V1 auth wasn't enabled
+
 ### Bug Fixes
 
 1. [19987](https://github.com/influxdata/influxdb/pull/19987): Fix various typos. Thanks @kumakichi!

diff --git a/cmd/influxd/upgrade/security.go b/cmd/influxd/upgrade/security.go
@@ -16,12 +16,19 @@ import (
 )
 
 // upgradeUsers creates tokens representing v1 users.
-func upgradeUsers(ctx context.Context, v1 *influxDBv1, v2 *influxDBv2, targetOptions *optionsV2, dbBuckets map[string][]platform.ID, log *zap.Logger) error {
+func upgradeUsers(
+	ctx context.Context,
+	v1 *influxDBv1,
+	v2 *influxDBv2,
+	targetOptions *optionsV2,
+	dbBuckets map[string][]platform.ID,
+	log *zap.Logger,
+) (int, error) {
 	// check if there any 1.x users at all
 	v1meta := v1.meta
 	if len(v1meta.Users()) == 0 {
 		log.Info("There are no users in 1.x, nothing to upgrade.")
-		return nil
+		return 0, nil
 	}
 
 	// get helper instance
@@ -30,10 +37,11 @@ func upgradeUsers(ctx context.Context, v1 *influxDBv1, v2 *influxDBv2, targetOpt
 	// check if target buckets exists in 2.x
 	proceed := helper.checkDbBuckets(v1meta, dbBuckets)
 	if !proceed {
-		return errors.New("upgrade: there were errors/warnings, please fix them and run the command again")
+		return 0, errors.New("upgrade: there were errors/warnings, please fix them and run the command again")
 	}
 
 	// upgrade users
+	numUpgraded := 0
 	for _, row := range helper.sortUserInfo(v1meta.Users()) {
 		username := row.Name
 		if row.Admin {
@@ -53,24 +61,24 @@ func upgradeUsers(ctx context.Context, v1 *influxDBv1, v2 *influxDBv2, targetOpt
 					case influxql.ReadPrivilege:
 						p, err := platform.NewPermissionAtID(id, platform.ReadAction, platform.BucketsResourceType, targetOptions.orgID)
 						if err != nil {
-							return err
+							return numUpgraded, err
 						}
 						permissions = append(permissions, *p)
 					case influxql.WritePrivilege:
 						p, err := platform.NewPermissionAtID(id, platform.WriteAction, platform.BucketsResourceType, targetOptions.orgID)
 						if err != nil {
-							return err
+							return numUpgraded, err
 						}
 						permissions = append(permissions, *p)
 					case influxql.AllPrivileges:
 						p, err := platform.NewPermissionAtID(id, platform.ReadAction, platform.BucketsResourceType, targetOptions.orgID)
 						if err != nil {
-							return err
+							return numUpgraded, err
 						}
 						permissions = append(permissions, *p)
 						p, err = platform.NewPermissionAtID(id, platform.WriteAction, platform.BucketsResourceType, targetOptions.orgID)
 						if err != nil {
-							return err
+							return numUpgraded, err
 						}
 						permissions = append(permissions, *p)
 					}
@@ -95,13 +103,14 @@ func upgradeUsers(ctx context.Context, v1 *influxDBv1, v2 *influxDBv2, targetOpt
 					continue
 				}
 				log.Info("User upgraded.", zap.String("username", username))
+				numUpgraded++
 			} else {
 				log.Info("User has no privileges and will not be upgraded.", zap.String("username", username))
 			}
 		}
 	}
 
-	return nil
+	return numUpgraded, nil
 }
 
 // securityUpgradeHelper is a helper used by `upgrade` command.

diff --git a/cmd/influxd/upgrade/security_test.go b/cmd/influxd/upgrade/security_test.go
@@ -3,6 +3,7 @@ package upgrade
 import (
 	"context"
 	"errors"
+	"github.com/influxdata/influxdb/v2/pkg/testing/assert"
 	"reflect"
 	"sort"
 	"testing"
@@ -244,7 +245,8 @@ func TestUpgradeSecurity(t *testing.T) {
 			}
 
 			// command execution
-			err = upgradeUsers(ctx, v1, v2, &targetOptions, tc.db2ids, log)
+			n, err := upgradeUsers(ctx, v1, v2, &targetOptions, tc.db2ids, log)
+			assert.Equal(t, len(tc.want), n, "Upgraded count must match")
 			if err != nil {
 				if tc.wantErr != nil {
 					if diff := cmp.Diff(tc.wantErr.Error(), err.Error()); diff != "" {

diff --git a/cmd/influxd/upgrade/upgrade.go b/cmd/influxd/upgrade/upgrade.go
@@ -46,6 +46,7 @@ type configV1 struct {
 	Http struct {
 		BindAddress  string `toml:"bind-address"`
 		HttpsEnabled bool   `toml:"https-enabled"`
+		AuthEnabled  bool   `toml:"auth-enabled"`
 	} `toml:"http"`
 }
 
@@ -327,6 +328,7 @@ func runUpgradeE(*cobra.Command, []string) error {
 
 	log.Info("Starting InfluxDB 1.x upgrade")
 
+	var authEnabled bool
 	if options.source.configFile != "" {
 		log.Info("Upgrading config file", zap.String("file", options.source.configFile))
 		v1Config, err := upgradeConfig(options.source.configFile, options.target, log)
@@ -337,6 +339,7 @@ func runUpgradeE(*cobra.Command, []string) error {
 		options.source.dataDir = v1Config.Data.Dir
 		options.source.walDir = v1Config.Data.WALDir
 		options.source.dbURL = v1Config.dbURL()
+		authEnabled = v1Config.Http.AuthEnabled
 	} else {
 		log.Info("No InfluxDB 1.x config file specified, skipping its upgrade")
 	}
@@ -401,9 +404,15 @@ func runUpgradeE(*cobra.Command, []string) error {
 		return err
 	}
 
-	if err = upgradeUsers(ctx, v1, v2, &options.target, db2BucketIds, log); err != nil {
+	usersUpgraded, err := upgradeUsers(ctx, v1, v2, &options.target, db2BucketIds, log)
+	if err != nil {
 		return err
 	}
+	if usersUpgraded > 0 && !authEnabled {
+		log.Warn(
+			"V1 users were upgraded, but V1 auth was not enabled. Existing clients will fail authentication against V2 if using invalid credentials.",
+		)
+	}
 
 	log.Info("Upgrade successfully completed. Start service now")