Create a user who can't delete data in influxdb?

1
votes

Is it possible to create a non-admin user who can't delete data in influxdb?

I would like to create a user who can read/write (query/insert) data but not delete what has already been inserted.

According to what I can see in the official docs, I don't think I can. Is that correct? Or is there a sneaky workaround?

Non-admin users

Non-admin users can have one of the following three privileges per database:
* READ
WRITE
ALL (both READ and WRITE access)

READ, WRITE, and ALL privileges are controlled per user per database. A new non-admin user has no access to any database until they are specifically granted privileges to a database by an admin user.

GRANT READ, WRITE or ALL database privileges to an existing user:

GRANT [READ,WRITE,ALL] ON <database_name> TO <username>
1
influxdb

1 Answers

3
votes

No, Deleting is a write operation. Write privilege allows you to make changes which can be adding, overwriting, or deleting things. Even if deleting was somehow restricted, if you can insert data then you can always overwrite existing data which allows you to destroy any actual data, essentially "deleting" it.

EDIT: as pointed out in the comment below, this applies for community edition of influxdb. Indeed the Enterprise edition supports more refined roles, and supports what the OP asked for, namely DROP_DATA role. Read more here https://docs.influxdata.com/chronograf/v1.7/administration/managing-influxdb-users/#dropdata and here https://docs.influxdata.com/enterprise_influxdb/v1.7/guides/fine-grained-authorization/