
--org-id and --org behave differently from one another depending on token type

Open codyshepherd opened this issue 3 years ago • 1 comments

Attempting to run a command such as influx export all with an improperly-scoped token, e.g. a token with read/write access to a single bucket in a cloud2 account, gives different behavior depending on whether -o/--org or --org-id are passed.

If -o <org-name> is passed, the CLI returns the message Error: no org found with name <org-name>.

If --org-id <org-id> is passed, the CLI reports no error message, but the output it produces is a useless subset of the metadata one expects from influx export all.

If the token passed by the user has insufficient privileges to even discover the org name, then this lack of permissions should be presented in the same way to the user regardless of whether they have passed an org-name or an org-id. Possibly something along the lines of "your token has insufficient permissions. Please create ."

This is also partly a docs issue and is related to influxdata/docs-v2#3267.

codyshepherd, Oct 18 '21 21:10

Environment:

  • Mac OS
  • influx-cli versions:
      influx version
      Influx CLI 2.2.1 (git: 31ac78361b) build_date: 2021-11-09T21:19:29Z
    and
      influx-cli % bin/darwin/influx version
      Influx CLI dev (git: none) build_date: 2021-12-22T18:11:22Z

Confirming what @codyshepherd says, I found the following: Given an organization my-org with ID xyz123...

  • if I use a token that has the read:/orgs/xyz123 permission, then both export all -o my-org and export all --org-id xyz123 return all resources.
  • if I use a token that doesn't have the read:/orgs/xyz123 permission, then export all --org-id xyz123 will return resources that the token has permission to read (as expected).
  • if I use a token that doesn't have the read:/orgs/xyz123 permission, then export all -o my-org will return the error Error: no org found with name my-org.

In summary, it's maybe best to avoid using -o (unless you want an error instead of allowed resources). The behavior results in a confusing experience. I'm updating the template docs to expound on permissions and may remove use of "Organization name" for now.

jstirnaman, Dec 22 '21 21:12
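A preflight check for the three cases reported in this thread, as an added example that is not code from the thread or from influx-cli. It assumes the usual shape of the permissions array in an InfluxDB v2 authorization record; the function names, sample IDs and messages are hypothetical.

```python
import json

# Constructed sample: "permissions" array of an InfluxDB v2 authorization for a
# token limited to one bucket. All IDs are placeholders.
BUCKET_ONLY = json.loads("""[
  {"action": "read",  "resource": {"type": "buckets", "id": "b001", "orgID": "xyz123"}},
  {"action": "write", "resource": {"type": "buckets", "id": "b001", "orgID": "xyz123"}}
]""")
# The same token with read:/orgs/xyz123 added.
ORG_READER = BUCKET_ONLY + [{"action": "read", "resource": {"type": "orgs", "id": "xyz123"}}]


def can_read_org(permissions, org_id):
    """True if a permission grants read on /orgs/<org_id>.

    Assumption: an "orgs" resource with no id applies to every org.
    """
    for perm in permissions:
        res = perm.get("resource", {})
        if perm.get("action") != "read" or res.get("type") != "orgs":
            continue
        if res.get("id") in (None, org_id):
            return True
    return False


def preflight(permissions, org_id, by_name):
    """Predict the outcome of `influx export all` as reported in this thread.

    by_name=True models -o/--org, by_name=False models --org-id.
    Returns (outcome, message); the message names the missing permission first.
    """
    if can_read_org(permissions, org_id):
        return "full", "token can read the org; all resources are exported"
    hint = f"token lacks read:/orgs/{org_id}"
    if by_name:
        return "error", hint + "; -o fails with 'no org found with name'"
    return "partial", hint + "; --org-id exports only what the token can read"


if __name__ == "__main__":
    for label, perms in (("bucket-only", BUCKET_ONLY), ("org-reader", ORG_READER)):
        for by_name in (True, False):
            flag = "-o" if by_name else "--org-id"
            print(label, flag, preflight(perms, "xyz123", by_name))
```

Running such a check before an export turns the silent partial result from --org-id into an explicit "partial" outcome that a script can refuse to accept.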