Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

auth, etcdserver: let Authenticate() fail if auth isn't enabled

Browse Source 
Successful Authenticate() would be confusing and make trouble shooting
harder if auth isn't enabled in a cluster.
This commit is contained in:
Hitoshi Mitake 2016-06-20 17:09:13 +09:00 committed by Hitoshi Mitake
parent aab905f7cc
commit 8df37d53d6
4 changed files with 54 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
auth/store.go
View File

@ -51,6 +51,7 @@ var (
ErrPermissionDenied = errors.New("auth: permission denied") ErrPermissionDenied = errors.New("auth: permission denied")
ErrRoleNotGranted = errors.New("auth: role is not granted to the user") ErrRoleNotGranted = errors.New("auth: role is not granted to the user")
ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role") ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role")
ErrAuthNotEnabled = errors.New("auth: authentication is not enabled")
) )
const ( const (
@ -187,6 +188,10 @@ func (as *authStore) AuthDisable() {
} }
func (as *authStore) Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error) { func (as *authStore) Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error) {
if !as.isAuthEnabled() {
return nil, ErrAuthNotEnabled
}
// TODO(mitake): after adding jwt support, branching based on values of ctx is required // TODO(mitake): after adding jwt support, branching based on values of ctx is required
index := ctx.Value("index").(uint64) index := ctx.Value("index").(uint64)
simpleToken := ctx.Value("simpleToken").(string) simpleToken := ctx.Value("simpleToken").(string)

49
auth/store_test.go
View File

@ -45,6 +45,25 @@ func TestUserAdd(t *testing.T) {
} }
} }
func enableAuthAndCreateRoot(as *authStore) error {
_, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "root"})
if err != nil {
return err
}
_, err = as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"})
if err != nil {
return err
}
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"})
if err != nil {
return err
}
return as.AuthEnable()
}
func TestAuthenticate(t *testing.T) { func TestAuthenticate(t *testing.T) {
b, tPath := backend.NewDefaultTmpBackend() b, tPath := backend.NewDefaultTmpBackend()
defer func() { defer func() {
@ -53,9 +72,13 @@ func TestAuthenticate(t *testing.T) {
}() }()
as := NewAuthStore(b) as := NewAuthStore(b)
err := enableAuthAndCreateRoot(as)
if err != nil {
t.Fatal(err)
}
ua := &pb.AuthUserAddRequest{Name: "foo", Password: "bar"} ua := &pb.AuthUserAddRequest{Name: "foo", Password: "bar"}
_, err := as.UserAdd(ua) _, err = as.UserAdd(ua)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -96,9 +119,13 @@ func TestUserDelete(t *testing.T) {
}() }()
as := NewAuthStore(b) as := NewAuthStore(b)
err := enableAuthAndCreateRoot(as)
if err != nil {
t.Fatal(err)
}
ua := &pb.AuthUserAddRequest{Name: "foo"} ua := &pb.AuthUserAddRequest{Name: "foo"}
_, err := as.UserAdd(ua) _, err = as.UserAdd(ua)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -128,8 +155,12 @@ func TestUserChangePassword(t *testing.T) {
}() }()
as := NewAuthStore(b) as := NewAuthStore(b)
err := enableAuthAndCreateRoot(as)
if err != nil {
t.Fatal(err)
}
_, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo"}) _, err = as.UserAdd(&pb.AuthUserAddRequest{Name: "foo"})
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -169,9 +200,13 @@ func TestRoleAdd(t *testing.T) {
}() }()
as := NewAuthStore(b) as := NewAuthStore(b)
err := enableAuthAndCreateRoot(as)
if err != nil {
t.Fatal(err)
}
// adds a new role // adds a new role
_, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test"}) _, err = as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test"})
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -185,8 +220,12 @@ func TestUserGrant(t *testing.T) {
}() }()
as := NewAuthStore(b) as := NewAuthStore(b)
err := enableAuthAndCreateRoot(as)
if err != nil {
t.Fatal(err)
}
_, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo"}) _, err = as.UserAdd(&pb.AuthUserAddRequest{Name: "foo"})
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

3
etcdserver/api/v3rpc/rpctypes/error.go
View File

@ -48,6 +48,7 @@ var (
ErrGRPCPermissionDenied = grpc.Errorf(codes.FailedPrecondition, "etcdserver: permission denied") ErrGRPCPermissionDenied = grpc.Errorf(codes.FailedPrecondition, "etcdserver: permission denied")
ErrGRPCRoleNotGranted = grpc.Errorf(codes.FailedPrecondition, "etcdserver: role is not granted to the user") ErrGRPCRoleNotGranted = grpc.Errorf(codes.FailedPrecondition, "etcdserver: role is not granted to the user")
ErrGRPCPermissionNotGranted = grpc.Errorf(codes.FailedPrecondition, "etcdserver: permission is not granted to the role") ErrGRPCPermissionNotGranted = grpc.Errorf(codes.FailedPrecondition, "etcdserver: permission is not granted to the role")
ErrGRPCAuthNotEnabled = grpc.Errorf(codes.FailedPrecondition, "etcdserver: authentication is not enabled")
ErrGRPCNoLeader = grpc.Errorf(codes.Unavailable, "etcdserver: no leader") ErrGRPCNoLeader = grpc.Errorf(codes.Unavailable, "etcdserver: no leader")
ErrGRPCNotCapable = grpc.Errorf(codes.Unavailable, "etcdserver: not capable") ErrGRPCNotCapable = grpc.Errorf(codes.Unavailable, "etcdserver: not capable")
@ -80,6 +81,7 @@ var (
grpc.ErrorDesc(ErrGRPCPermissionDenied): ErrGRPCPermissionDenied, grpc.ErrorDesc(ErrGRPCPermissionDenied): ErrGRPCPermissionDenied,
grpc.ErrorDesc(ErrGRPCRoleNotGranted): ErrGRPCRoleNotGranted, grpc.ErrorDesc(ErrGRPCRoleNotGranted): ErrGRPCRoleNotGranted,
grpc.ErrorDesc(ErrGRPCPermissionNotGranted): ErrGRPCPermissionNotGranted, grpc.ErrorDesc(ErrGRPCPermissionNotGranted): ErrGRPCPermissionNotGranted,
grpc.ErrorDesc(ErrGRPCAuthNotEnabled): ErrGRPCAuthNotEnabled,
grpc.ErrorDesc(ErrGRPCNoLeader): ErrGRPCNoLeader, grpc.ErrorDesc(ErrGRPCNoLeader): ErrGRPCNoLeader,
grpc.ErrorDesc(ErrGRPCNotCapable): ErrGRPCNotCapable, grpc.ErrorDesc(ErrGRPCNotCapable): ErrGRPCNotCapable,
@ -113,6 +115,7 @@ var (
ErrPermissionDenied = Error(ErrGRPCPermissionDenied) ErrPermissionDenied = Error(ErrGRPCPermissionDenied)
ErrRoleNotGranted = Error(ErrGRPCRoleNotGranted) ErrRoleNotGranted = Error(ErrGRPCRoleNotGranted)
ErrPermissionNotGranted = Error(ErrGRPCPermissionNotGranted) ErrPermissionNotGranted = Error(ErrGRPCPermissionNotGranted)
ErrAuthNotEnabled = Error(ErrGRPCAuthNotEnabled)
ErrNoLeader = Error(ErrGRPCNoLeader) ErrNoLeader = Error(ErrGRPCNoLeader)
ErrNotCapable = Error(ErrGRPCNotCapable) ErrNotCapable = Error(ErrGRPCNotCapable)

2
etcdserver/api/v3rpc/util.go
View File

@ -58,6 +58,8 @@ func togRPCError(err error) error {
return rpctypes.ErrGRPCRoleNotGranted return rpctypes.ErrGRPCRoleNotGranted
case auth.ErrPermissionNotGranted: case auth.ErrPermissionNotGranted:
return rpctypes.ErrGRPCPermissionNotGranted return rpctypes.ErrGRPCPermissionNotGranted
case auth.ErrAuthNotEnabled:
return rpctypes.ErrGRPCAuthNotEnabled
default: default:
return grpc.Errorf(codes.Internal, err.Error()) return grpc.Errorf(codes.Internal, err.Error())
} }