Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15656 from mitake/lease-timetolive-auth

Browse Source 
protect LeaseTimeToLive with RBAC
This commit is contained in:
Hitoshi Mitake 2023-05-02 23:02:29 +09:00 committed by GitHub
commit 49b59cc8e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 193 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
server/etcdserver/v3_server.go
View File

@ -317,7 +317,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
return -1, errors.ErrCanceled return -1, errors.ErrCanceled
} }
func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) { func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) {
rev := s.AuthStore().Revision()
if !s.AuthStore().IsAuthEnabled() {
return nil, rev
}
authInfo, err := s.AuthInfoFromCtx(ctx)
if err != nil {
return err, rev
}
if authInfo == nil {
return auth.ErrUserEmpty, rev
}
l := s.lessor.Lookup(leaseID)
if l != nil {
for _, key := range l.Keys() {
if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
return err, 0
}
}
}
return nil, rev
}
func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
if s.isLeader() { if s.isLeader() {
if err := s.waitAppliedIndex(); err != nil { if err := s.waitAppliedIndex(); err != nil {
return nil, err return nil, err
@ -367,6 +392,30 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
return nil, errors.ErrCanceled return nil, errors.ErrCanceled
} }
func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
var rev uint64
var err error
if r.Keys {
// check RBAC permission only if Keys is true
err, rev = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID))
if err != nil {
return nil, err
}
}
resp, err := s.leaseTimeToLive(ctx, r)
if err != nil {
return nil, err
}
if r.Keys {
if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() {
return nil, auth.ErrAuthOldRevision
}
}
return resp, nil
}
func (s *EtcdServer) newHeader() *pb.ResponseHeader { func (s *EtcdServer) newHeader() *pb.ResponseHeader {
return &pb.ResponseHeader{ return &pb.ResponseHeader{
ClusterId: uint64(s.cluster.ID()), ClusterId: uint64(s.cluster.ID()),

49
tests/e2e/ctl_v3_auth_test.go
View File

@ -47,6 +47,7 @@ func TestCtlV3AuthJWTExpire(t *testing.T) {
} }
func TestCtlV3AuthRevisionConsistency(t *testing.T) { testCtl(t, authTestRevisionConsistency) } func TestCtlV3AuthRevisionConsistency(t *testing.T) { testCtl(t, authTestRevisionConsistency) }
func TestCtlV3AuthTestCacheReload(t *testing.T) { testCtl(t, authTestCacheReload) } func TestCtlV3AuthTestCacheReload(t *testing.T) { testCtl(t, authTestCacheReload) }
func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) }
func authEnable(cx ctlCtx) error { func authEnable(cx ctlCtx) error {
// create root user with root role // create root user with root role
@ -634,3 +635,51 @@ func authTestCacheReload(cx ctlCtx) {
cx.t.Fatal(err) cx.t.Fatal(err)
} }
} }
func authTestLeaseTimeToLive(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}
cx.user, cx.pass = "root", "root"
authSetupTestUser(cx)
cx.user = "test-user"
cx.pass = "pass"
leaseID, err := ctlV3LeaseGrant(cx, 10)
if err != nil {
cx.t.Fatal(err)
}
err = ctlV3Put(cx, "foo", "val", leaseID)
if err != nil {
cx.t.Fatal(err)
}
err = ctlV3LeaseTimeToLive(cx, leaseID, true)
if err != nil {
cx.t.Fatal(err)
}
cx.user = "root"
cx.pass = "root"
err = ctlV3Put(cx, "bar", "val", leaseID)
if err != nil {
cx.t.Fatal(err)
}
cx.user = "test-user"
cx.pass = "pass"
// the lease is attached to bar, which test-user cannot access
err = ctlV3LeaseTimeToLive(cx, leaseID, true)
if err == nil {
cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar")
}
// without --keys, access should be allowed
err = ctlV3LeaseTimeToLive(cx, leaseID, false)
if err != nil {
cx.t.Fatal(err)
}
}

8
tests/e2e/ctl_v3_lease_test.go
View File

@ -95,3 +95,11 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error {
cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID) cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID)
return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s revoked", leaseID)) return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s revoked", leaseID))
} }
func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error {
cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID)
if withKeys {
cmdArgs = append(cmdArgs, "--keys")
}
return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID))
}

91
tests/integration/v3_auth_test.go
View File

@ -178,12 +178,10 @@ func testV3AuthWithLeaseRevokeWithRoot(t *testing.T, ccfg integration.ClusterCon
// wait for lease expire // wait for lease expire
time.Sleep(3 * time.Second) time.Sleep(3 * time.Second)
tresp, terr := api.Lease.LeaseTimeToLive( tresp, terr := rootc.TimeToLive(
context.TODO(), context.TODO(),
&pb.LeaseTimeToLiveRequest{ leaseID,
ID: int64(leaseID), clientv3.WithAttachedKeys(),
Keys: true,
},
) )
if terr != nil { if terr != nil {
t.Error(terr) t.Error(terr)
@ -585,3 +583,86 @@ func TestV3AuthWatchErrorAndWatchId0(t *testing.T) {
<-watchEndCh <-watchEndCh
} }
func TestV3AuthWithLeaseTimeToLive(t *testing.T) {
integration.BeforeTest(t)
clus := integration.NewCluster(t, &integration.ClusterConfig{Size: 1})
defer clus.Terminate(t)
users := []user{
{
name: "user1",
password: "user1-123",
role: "role1",
key: "k1",
end: "k3",
},
{
name: "user2",
password: "user2-123",
role: "role2",
key: "k2",
end: "k4",
},
}
authSetupUsers(t, integration.ToGRPC(clus.Client(0)).Auth, users)
authSetupRoot(t, integration.ToGRPC(clus.Client(0)).Auth)
user1c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"})
if cerr != nil {
t.Fatal(cerr)
}
defer user1c.Close()
user2c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user2", Password: "user2-123"})
if cerr != nil {
t.Fatal(cerr)
}
defer user2c.Close()
leaseResp, err := user1c.Grant(context.TODO(), 90)
if err != nil {
t.Fatal(err)
}
leaseID := leaseResp.ID
_, err = user1c.Put(context.TODO(), "k1", "val", clientv3.WithLease(leaseID))
if err != nil {
t.Fatal(err)
}
// k2 can be accessed from both user1 and user2
_, err = user1c.Put(context.TODO(), "k2", "val", clientv3.WithLease(leaseID))
if err != nil {
t.Fatal(err)
}
_, err = user1c.TimeToLive(context.TODO(), leaseID)
if err != nil {
t.Fatal(err)
}
_, err = user2c.TimeToLive(context.TODO(), leaseID)
if err != nil {
t.Fatal(err)
}
_, err = user2c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
if err == nil {
t.Fatal("timetolive from user2 should be failed with permission denied")
}
rootc, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"})
if cerr != nil {
t.Fatal(cerr)
}
defer rootc.Close()
if _, err := rootc.RoleRevokePermission(context.TODO(), "role1", "k1", "k3"); err != nil {
t.Fatal(err)
}
_, err = user1c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
if err == nil {
t.Fatal("timetolive from user2 should be failed with permission denied")
}
}