diff --git a/etcdserver/apply.go b/etcdserver/apply.go
index de296b331..b25ce917a 100644
--- a/etcdserver/apply.go
+++ b/etcdserver/apply.go
@@ -92,13 +92,13 @@ func (s *EtcdServer) applyV3Request(r *pb.InternalRaftRequest) *applyResult {
 
 	switch {
 	case r.Range != nil:
-		if s.AuthStore().IsRangePermitted(r.Header, string(r.Range.Key), string(r.Range.RangeEnd)) {
+		if s.AuthStore().IsRangePermitted(r.Header, r.Range.Key, r.Range.RangeEnd) {
 			ar.resp, ar.err = s.applyV3.Range(noTxn, r.Range)
 		} else {
 			ar.err = auth.ErrPermissionDenied
 		}
 	case r.Put != nil:
-		if s.AuthStore().IsPutPermitted(r.Header, string(r.Put.Key)) {
+		if s.AuthStore().IsPutPermitted(r.Header, r.Put.Key) {
 			ar.resp, ar.err = s.applyV3.Put(noTxn, r.Put)
 		} else {
 			ar.err = auth.ErrPermissionDenied
diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
index a057b5549..0df019af4 100644
--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
@@ -82,7 +82,7 @@ func (s *EtcdServer) Range(ctx context.Context, r *pb.RangeRequest) (*pb.RangeRe
 			return nil, err
 		}
 		hdr := &pb.RequestHeader{Username: user}
-		if !s.AuthStore().IsRangePermitted(hdr, string(r.Key), string(r.RangeEnd)) {
+		if !s.AuthStore().IsRangePermitted(hdr, r.Key, r.RangeEnd) {
 			return nil, auth.ErrPermissionDenied
 		}
 		return s.applyV3.Range(noTxn, r)