From 5144318af060b098b265f162c2ebf0a33ea98fc3 Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake
Date: Mon, 30 May 2016 13:18:07 +0900
Subject: [PATCH] etcdserver, auth: not return grpc error code directly in the apply phase

Current permission checking mechanism doesn't return its error code well. The internal error (code = 13) is returned to client and the retry mechanism doesn't work well. This commit fixes the problem.
---
 auth/store.go | 1 +
 etcdserver/api/v3rpc/rpctypes/error.go | 2 ++
 etcdserver/api/v3rpc/util.go | 2 ++
 etcdserver/apply.go | 6 +++---
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/auth/store.go b/auth/store.go
index 20b60adee..283b8d9c5 100644
--- a/auth/store.go
+++ b/auth/store.go
@@ -42,6 +42,7 @@ var (
 ErrRoleAlreadyExist = errors.New("auth: role already exists")
 ErrRoleNotFound = errors.New("auth: role not found")
 ErrAuthFailed = errors.New("auth: authentication failed, invalid user ID or password")
+ ErrPermissionDenied = errors.New("auth: permission denied")
 )
 type AuthStore interface {
diff --git a/etcdserver/api/v3rpc/rpctypes/error.go b/etcdserver/api/v3rpc/rpctypes/error.go
index 67e0134f0..42c8c5a13 100644
--- a/etcdserver/api/v3rpc/rpctypes/error.go
+++ b/etcdserver/api/v3rpc/rpctypes/error.go
@@ -71,6 +71,7 @@ var (
 grpc.ErrorDesc(ErrGRPCRoleAlreadyExist): ErrGRPCRoleAlreadyExist,
 grpc.ErrorDesc(ErrGRPCRoleNotFound): ErrGRPCRoleNotFound,
 grpc.ErrorDesc(ErrGRPCAuthFailed): ErrGRPCAuthFailed,
+ grpc.ErrorDesc(ErrGRPCPermissionDenied): ErrGRPCPermissionDenied,
 grpc.ErrorDesc(ErrGRPCNoLeader): ErrGRPCNoLeader,
 grpc.ErrorDesc(ErrGRPCNotCapable): ErrGRPCNotCapable,
@@ -99,6 +100,7 @@ var (
 ErrRoleAlreadyExist = Error(ErrGRPCRoleAlreadyExist)
 ErrRoleNotFound = Error(ErrGRPCRoleNotFound)
 ErrAuthFailed = Error(ErrGRPCAuthFailed)
+ ErrPermissionDenied = Error(ErrGRPCPermissionDenied)
 ErrNoLeader = Error(ErrGRPCNoLeader)
 ErrNotCapable = Error(ErrGRPCNotCapable)
diff --git a/etcdserver/api/v3rpc/util.go b/etcdserver/api/v3rpc/util.go
index cfc0962c0..8d5bda6a0 100644
--- a/etcdserver/api/v3rpc/util.go
+++ b/etcdserver/api/v3rpc/util.go
@@ -47,6 +47,8 @@ func togRPCError(err error) error {
 return rpctypes.ErrGRPCRoleNotFound
 case auth.ErrAuthFailed:
 return rpctypes.ErrGRPCAuthFailed
+ case auth.ErrPermissionDenied:
+ return rpctypes.ErrGRPCPermissionDenied
 default:
 return grpc.Errorf(codes.Internal, err.Error())
 }
diff --git a/etcdserver/apply.go b/etcdserver/apply.go
index 2a5a315eb..e001ddd17 100644
--- a/etcdserver/apply.go
+++ b/etcdserver/apply.go
@@ -19,7 +19,7 @@ import (
 "fmt"
 "sort"
- "github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes"
+ "github.com/coreos/etcd/auth"
 pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
 "github.com/coreos/etcd/lease"
 "github.com/coreos/etcd/mvcc"
@@ -76,13 +76,13 @@ func (s *EtcdServer) applyV3Request(r *pb.InternalRaftRequest) *applyResult {
 if s.AuthStore().IsRangePermitted(r.Header, string(r.Range.Key)) {
 ar.resp, ar.err = s.applyV3.Range(noTxn, r.Range)
 } else {
- ar.err = rpctypes.ErrGRPCPermissionDenied
+ ar.err = auth.ErrPermissionDenied
 }
 case r.Put != nil:
 if s.AuthStore().IsPutPermitted(r.Header, string(r.Put.Key)) {
 ar.resp, ar.err = s.applyV3.Put(noTxn, r.Put)
 } else {
- ar.err = rpctypes.ErrGRPCPermissionDenied
+ ar.err = auth.ErrPermissionDenied
 }
 case r.DeleteRange != nil:
 ar.resp, ar.err = s.applyV3.DeleteRange(noTxn, r.DeleteRange)
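Review bot: The `default` branch of togRPCError in etcdserver/api/v3rpc/util.go passes `err.Error()` to `grpc.Errorf` as the format string, so any `%` in an error message is read as a formatting verb and the text returned to the client is mangled. Pass the message as an argument instead: `return grpc.Errorf(codes.Internal, "%s", err.Error())`. Every auth sentinel without its own case still falls through to `codes.Internal`, which is the symptom this commit fixes for permission denial, so a comment above the switch such as `// every auth.Err* sentinel needs a case here, otherwise clients see codes.Internal` would help the next addition. The start of the function and of the switch lies outside the hunk.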
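Review bot: The `r.DeleteRange` case at the end of the applyV3Request hunk in etcdserver/apply.go calls `s.applyV3.DeleteRange` with no permission check, while the `r.Range` and `r.Put` cases above it are gated on `IsRangePermitted` and `IsPutPermitted`; as far as this hunk shows, deletes are not subject to the authorization applied to reads and writes. It should take the same if/else shape, with `ar.err = auth.ErrPermissionDenied` in the else branch, once the auth store exposes a matching check for deletes. The Range check also receives only `string(r.Range.Key)`, so whether a request that carries a range end is authorized across the whole interval depends on code not visible here and is worth confirming. The function body starts and ends outside the hunk.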