From 030d1bbf2d9939577f29aa3e270d776474f8bde1 Mon Sep 17 00:00:00 2001
From: Xiang Li <xiangli.cs@gmail.com>
Date: Tue, 23 Jun 2015 20:12:18 -0700
Subject: [PATCH] auth: do not allow update root role

---
 etcdserver/auth/auth.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etcdserver/auth/auth.go b/etcdserver/auth/auth.go
index 4885b2a07..07c9ea1f4 100644
--- a/etcdserver/auth/auth.go
+++ b/etcdserver/auth/auth.go
@@ -338,6 +338,9 @@ func (s *Store) DeleteRole(name string) error {
 }
 
 func (s *Store) UpdateRole(role Role) (Role, error) {
+	if role.Role == RootRoleName {
+		return Role{}, authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
+	}
 	old, err := s.GetRole(role.Role)
 	if err != nil {
 		if e, ok := err.(*etcderr.Error); ok {