
fix: fixes bug with authorizer leakage in show queries (#27196) #27197

Merged: devanbenz merged 1 commit into 1.12 from db/cherrypick-5778e075c on Feb 6, 2026


@devanbenz

This PR fixes an authorization leak when running `SHOW QUERIES` as a user with access to the database you are using.

Previously non-admin users could run `SHOW QUERIES` on DBs they owned, but there was no filtering to stop them from seeing queries on other dbs too:

```
# as admin
> CREATE USER bar WITH PASSWORD 'password'
> GRANT ALL on "mydb" TO "bar"

# as 'bar' user
> SHOW QUERIES
ERR: error authorizing query: bar not authorized to execute statement 'SHOW QUERIES', requires READ on
> use mydb
Using database mydb
> SHOW QUERIES
qid query                 database     duration status
--- -----                 --------     -------- ------
31  SELECT * FROM actions foobar 585ms    running                       # this wasn't granted to 'bar'!!
32  SHOW QUERIES          mydb         15µs     running
```

(cherry picked from commit 5778e07)
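
As an added illustration (not InfluxDB's code and not part of this PR), the Go example below models the gap described above beside a per-row database check. All type and function names are hypothetical, and the rows are constructed from the sample output in the description.

```go
package main

import "fmt"

// RunningQuery is a hypothetical row of SHOW QUERIES output.
type RunningQuery struct {
	ID             uint64
	Text, Database string
}

// DBAuthorizer is a hypothetical per-database read check.
type DBAuthorizer interface{ CanRead(database string) bool }

// grants authorizes reads on an explicit set of databases.
type grants map[string]bool

func (g grants) CanRead(db string) bool { return g[db] }

// ShowQueriesBefore models the behaviour the PR describes: one check
// against the session's database, then every row is returned.
func ShowQueriesBefore(all []RunningQuery, auth DBAuthorizer, sessionDB string) ([]RunningQuery, error) {
	if auth == nil || !auth.CanRead(sessionDB) {
		return nil, fmt.Errorf("not authorized for SHOW QUERIES, requires READ on %q", sessionDB)
	}
	return all, nil
}

// ShowQueriesAfter keeps that check and adds one per row. On error rows
// is nil, so the loop is skipped and nothing is listed (fail closed).
func ShowQueriesAfter(all []RunningQuery, auth DBAuthorizer, sessionDB string) ([]RunningQuery, error) {
	rows, err := ShowQueriesBefore(all, auth, sessionDB)
	visible := []RunningQuery{}
	for _, q := range rows {
		if auth.CanRead(q.Database) {
			visible = append(visible, q)
		}
	}
	return visible, err
}

// sample holds constructed rows mirroring the PR's output.
var sample = []RunningQuery{
	{ID: 31, Text: "SELECT * FROM actions", Database: "foobar"},
	{ID: 32, Text: "SHOW QUERIES", Database: "mydb"},
}

func main() {
	rows, err := ShowQueriesAfter(sample, grants{"mydb": true}, "mydb")
	fmt.Println(rows, err)
}
```
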
devanbenz self-assigned this on Feb 6, 2026
devanbenz added the labels area/influxql (Issues related to InfluxQL query language), kind/bug, and 1.x on Feb 6, 2026

davidby-influx (Contributor) left a comment:

LGTM as a cherry-pick

devanbenz merged commit 2b71644 into 1.12 on Feb 6, 2026
6 of 7 checks passed
devanbenz deleted the db/cherrypick-5778e075c branch on February 6, 2026 22:44