Upgrade: User with a read only permission should not be able to write into a bucket

[gshif]

InfluxDB 1.x can have users that are only able to write into a database or only read from a database. If we have a user that has only a read permission, then after upgrade to 2.0 this same user will be able to write into the bucket, even though it does not have permission to do that.
Setup:

• Install InfluxDB 1.8.3 (latest OSS)
• Update configuration to use authentication under [http] section if the influxdb.conf file:

  # Determines whether user authentication is enabled over HTTP/HTTPS.
  auth-enabled = true
  

• Start influxdb v1 service
• Create an admin user and restart the service
• Create a user A with a READ permission
• Create a user B with a WRITE permission
• Download v2.0.0 InfluxDB
• Run upgrade
• Write data into migrated database as a user with READ only permissions:

  curl -vv -u read_test_db_1:read_test_db_1 -X POST http://localhost:8086/write?db=test_db_1 --data-binary "m,r=1 f=1"
  
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to localhost (127.0.0.1) port 8086 (#0). 
  * Server auth using Basic with user 'read_test_db_1'
  POST /write?db=test_db_1 HTTP/1.1Host: localhost:8086
  Authorization: Basic cmVhZF90ZXN0X2RiXzE6cmVhZF90ZXN0X2RiXzE=User-Agent: curl/7.58.0
  Accept: */*
  Content-Length: 9
  Content-Type: application/x-www-form-urlencoded
  * upload completely sent off: 9 out of 9 bytes
   HTTP/1.1 204 No Content
   Date: Tue, 10 Nov 2020 18:30:57 GMT
  
  * Connection #0 to host localhost left intact
  

When running influx v1 auth list command it mapps READ and WRITE users to admin user:

root@ip-172-31-14-196:/tmp# /usr/bin/influx v1 auth list
ID			Description			Name / Token	User Name	User ID			Permissions
0698cb720526e000	read_test_db_1's Legacy Token	read_test_db_1	admin_user	0698cb71dde6e000	[read:orgs/31ee98c80563ba36/buckets/b9a96022e9ce3e1e read:orgs/31ee98c80563ba36/buckets/5593dffd6d852fef]
0698cb7205e6e000	write_test_db_1's Legacy Token	write_test_db_1	admin_user	0698cb71dde6e000	[write:orgs/31ee98c80563ba36/buckets/b9a96022e9ce3e1e write:orgs/31ee98c80563ba36/buckets/5593dffd6d852fef]

[danxmoran]

This is caused by the changes from #19945. Prior to that PR, the legacy write-path required users to have read access on any bucket they wanted to write data into (as part of finding the bucket underlying a legacy DB/RP). The fix was to:

1. Remove a layer of auth middleware around the BucketService passed to the DBRP mapper during influxd's initial setup
2. Modify the auth rules for finding DBRP objects, to allow either read or write permission

These changes allowed write-only users to write data via the legacy APIs. Unfortunately, I removed/loosened the only auth checks along the legacy write-path, so now read-only users can write data as well.

[danxmoran]

More info: @stuartcarnie and I assumed that removing the auth layer around the BucketService was the root cause, but adding it back in doesn't fix the issue when I test locally.

[danxmoran]

It looks like the write-access check was just missed during the initial implementation of the V1 write path. Fixed by mirroring the logic from the V2 handler.