fix: org filtering for both kv and tenant need to match behaviors.

authorizer/org.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/influxdata/influxdb/v2"
+	icontext "github.com/influxdata/influxdb/v2/context"
 )
 
 var _ influxdb.OrganizationService = (*OrgService)(nil)
@@ -43,6 +44,18 @@ func (s *OrgService) FindOrganization(ctx context.Context, filter influxdb.Organ
 
 // FindOrganizations retrieves all organizations that match the provided filter and then filters the list down to only the resources that are authorized.
 func (s *OrgService) FindOrganizations(ctx context.Context, filter influxdb.OrganizationFilter, opt ...influxdb.FindOptions) ([]*influxdb.Organization, int, error) {
+	if filter.Name == nil && filter.ID == nil && filter.UserID == nil {
+		// if the user doesnt have permission to look up all orgs we need to add this users id to the filter to save lookup time
+		auth, err := icontext.GetAuthorizer(ctx)
+		if err != nil {
+			return nil, 0, err
+		}
+		if _, _, err := AuthorizeReadGlobal(ctx, influxdb.OrgsResourceType); err != nil {
+			userid := auth.GetUserID()
+			filter.UserID = &userid
+		}
+	}
+
 	// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
 	// will likely be expensive.
 	os, _, err := s.s.FindOrganizations(ctx, filter, opt...)

http/org_service.go

@@ -257,6 +257,15 @@ func (h *OrgHandler) handleGetOrgs(w http.ResponseWriter, r *http.Request) {
 		filter.ID = id
 	}
 
+	if userID := qp.Get("userID"); userID != "" {
+		id, err := influxdb.IDFromString(userID)
+		if err != nil {
+			h.API.Err(w, err)
+			return
+		}
+		filter.UserID = id
+	}
+
 	orgs, _, err := h.OrgSVC.FindOrganizations(r.Context(), filter)
 	if err != nil {
 		h.API.Err(w, err)

http/swagger.yml

@@ -3751,6 +3751,11 @@ paths:
           schema:
             type: string
           description: Filter organizations to a specific organization ID.
+        - in: query
+          name: userID
+          schema:
+            type: string
+          description: Filter organizations to a specific user ID.
       responses:
         '200':
           description: A list of organizations

kv/org.go

@@ -236,6 +236,29 @@ func (s *Service) FindOrganizations(ctx context.Context, filter influxdb.Organiz
 	}
 
 	os := []*influxdb.Organization{}
+
+	if filter.UserID != nil {
+		// find urms for orgs with this user
+		urms, _, err := s.FindUserResourceMappings(ctx, influxdb.UserResourceMappingFilter{
+			UserID:       *filter.UserID,
+			ResourceType: influxdb.OrgsResourceType,
+		}, opt...)
+
+		if err != nil {
+			return nil, 0, err
+		}
+		// find orgs by the urm's resource ids.
+		for _, urm := range urms {
+			o, err := s.FindOrganizationByID(ctx, urm.ResourceID)
+			if err == nil {
+				// if there is an error then this is a crufty urm and we should just move on
+				os = append(os, o)
+			}
+		}
+
+		return os, len(os), nil
+	}
+
 	filterFn := filterOrganizationsFn(filter)
 	err := s.kv.View(ctx, func(tx Tx) error {
 		return forEachOrganization(ctx, tx, func(o *influxdb.Organization) bool {

organization.go

@@ -71,8 +71,9 @@ var ErrInvalidOrgFilter = &Error{
 
 // OrganizationFilter represents a set of filter that restrict the returned results.
 type OrganizationFilter struct {
-	Name *string
-	ID   *ID
+	Name   *string
+	ID     *ID
+	UserID *ID
 }
 
 func ErrInternalOrgServiceError(op string, err error) *Error {

tenant/http_server_org.go

@@ -142,6 +142,13 @@ func (h *OrgHandler) handleGetOrgs(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	if id := qp.Get("userID"); id != "" {
+		i, err := influxdb.IDFromString(id)
+		if err == nil {
+			filter.UserID = i
+		}
+	}
+
 	orgs, _, err := h.orgSvc.FindOrganizations(r.Context(), filter)
 	if err != nil {
 		h.api.Err(w, err)

tenant/middleware_org_auth.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/influxdata/influxdb/v2"
 	"github.com/influxdata/influxdb/v2/authorizer"
+	icontext "github.com/influxdata/influxdb/v2/context"
 )
 
 var _ influxdb.OrganizationService = (*AuthedOrgService)(nil)
@@ -46,8 +47,18 @@ func (s *AuthedOrgService) FindOrganization(ctx context.Context, filter influxdb
 
 // FindOrganizations retrieves all organizations that match the provided filter and then filters the list down to only the resources that are authorized.
 func (s *AuthedOrgService) FindOrganizations(ctx context.Context, filter influxdb.OrganizationFilter, opt ...influxdb.FindOptions) ([]*influxdb.Organization, int, error) {
-	// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
-	// will likely be expensive.
+	if filter.Name == nil && filter.ID == nil && filter.UserID == nil {
+		// if the user doesnt have permission to look up all orgs we need to add this users id to the filter to save lookup time
+		auth, err := icontext.GetAuthorizer(ctx)
+		if err != nil {
+			return nil, 0, err
+		}
+		if _, _, err := authorizer.AuthorizeReadGlobal(ctx, influxdb.OrgsResourceType); err != nil {
+			userid := auth.GetUserID()
+			filter.UserID = &userid
+		}
+	}
+
 	os, _, err := s.s.FindOrganizations(ctx, filter, opt...)
 	if err != nil {
 		return nil, 0, err

tenant/service_org.go

@@ -67,6 +67,28 @@ func (s *Service) FindOrganizations(ctx context.Context, filter influxdb.Organiz
 	}
 
 	var orgs []*influxdb.Organization
+
+	if filter.UserID != nil {
+		// find urms for orgs with this user
+		urms, _, err := s.FindUserResourceMappings(ctx, influxdb.UserResourceMappingFilter{
+			UserID:       *filter.UserID,
+			ResourceType: influxdb.OrgsResourceType,
+		}, opt...)
+		if err != nil {
+			return nil, 0, err
+		}
+		// find orgs by the urm's resource ids.
+		for _, urm := range urms {
+			o, err := s.FindOrganizationByID(ctx, urm.ResourceID)
+			if err == nil {
+				// if there is an error then this is a crufty urm and we should just move on
+				orgs = append(orgs, o)
+			}
+		}
+
+		return orgs, len(orgs), nil
+	}
+
 	err := s.store.View(ctx, func(tx kv.Tx) error {
 		os, err := s.store.ListOrgs(ctx, tx, opt...)
 		if err != nil {