etcdserver: respect auth on serialized Range

2024-09-27 06:25:44 +00:00 · 2016-06-10 10:53:40 -07:00 · 2016-06-10 10:53:40 -07:00 · b3a0b0502c
commit b3a0b0502c
parent bdc7035c10
1 changed files with 9 additions and 0 deletions
--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
@ -17,6 +17,7 @@ package etcdserver
 import (
 	"time"

+	"github.com/coreos/etcd/auth"
 	pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
 	"github.com/coreos/etcd/lease"
 	"github.com/coreos/etcd/lease/leasehttp"
@ -74,6 +75,14 @@ type Authenticator interface {

 func (s *EtcdServer) Range(ctx context.Context, r *pb.RangeRequest) (*pb.RangeResponse, error) {
 	if r.Serializable {
+		user, err := s.usernameFromCtx(ctx)
+		if err != nil {
+			return nil, err
+		}
+		hdr := &pb.RequestHeader{Username: user}
+		if !s.AuthStore().IsRangePermitted(hdr, string(r.Key), string(r.RangeEnd)) {
+			return nil, auth.ErrPermissionDenied
+		}
 		return s.applyV3.Range(noTxn, r)
 	}