From 1296281b27c8fec9a89ba02e104298dec9e4464a Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake
Date: Fri, 22 Sep 2017 14:17:57 +0900
Subject: [PATCH] etcdserver: swap priority of cert CN and username + password

---
 Documentation/op-guide/authentication.md | 2 +-
 etcdserver/v3_server.go | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/Documentation/op-guide/authentication.md b/Documentation/op-guide/authentication.md
index b8ab33ff7..a528a8d04 100644
--- a/Documentation/op-guide/authentication.md
+++ b/Documentation/op-guide/authentication.md
@@ -161,4 +161,4 @@ Otherwise, all `etcdctl` commands remain the same. Users and roles can still be
 
 ## Using TLS Common Name
 
-If an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password.
+If an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized.
diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
index 451d3de41..1f24f272f 100644
--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
@@ -686,12 +686,14 @@ func (s *EtcdServer) linearizableReadNotify(ctx context.Context) error {
 }
 
 func (s *EtcdServer) AuthInfoFromCtx(ctx context.Context) (*auth.AuthInfo, error) {
-	if s.Cfg.ClientCertAuthEnabled {
-		authInfo := s.AuthStore().AuthInfoFromTLS(ctx)
-		if authInfo != nil {
-			return authInfo, nil
-		}
+	authInfo, err := s.AuthStore().AuthInfoFromCtx(ctx)
+	if authInfo != nil || err != nil {
+		return authInfo, err
 	}
+	if !s.Cfg.ClientCertAuthEnabled {
+		return nil, nil
+	}
+	authInfo = s.AuthStore().AuthInfoFromTLS(ctx)
+	return authInfo, nil
-	return s.AuthStore().AuthInfoFromCtx(ctx)
 }
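Review bot: The identity-precedence rule this hunk introduces is only stated in the markdown file, not at the exported method, so a future reader of AuthInfoFromCtx has no local indication that a request carrying both a credential in its metadata and a client cert CN is resolved from the metadata and the CN is never consulted; a doc comment above the func line such as `// AuthInfoFromCtx resolves the caller's identity from the credential carried in the request metadata; the TLS client cert's Common Name is used only when no such credential is present and ClientCertAuthEnabled is set.` would record that. In the first added `if`, `return authInfo, err` hands back whatever AuthInfoFromCtx returned alongside a non-nil error; unless that helper is known to return nil on error, `return nil, err` is the safer shape so no caller acts on a partially resolved identity. The trailing `authInfo = s.AuthStore().AuthInfoFromTLS(ctx)` followed by `return authInfo, nil` can be collapsed to `return s.AuthStore().AuthInfoFromTLS(ctx), nil`. The hunk header's -686,12 +686,14 counts suggest one trailing context line after the final `}` is not visible here.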