Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6356 from mitake/root-role

Browse Source 
auth, e2e: the root role should be granted access to every key
This commit is contained in:
Xiang Li 2016-09-06 15:31:20 +08:00 committed by GitHub
commit d36c0a1444
3 changed files with 49 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
auth/store.go
View File

@ -666,6 +666,11 @@ func (as *authStore) isOpPermitted(userName string, revision uint64, key, rangeE
return ErrPermissionDenied return ErrPermissionDenied
} }
// root role should have permission on all ranges
if hasRootRole(user) {
return nil
}
if as.isRangeOpPermitted(tx, userName, key, rangeEnd, permTyp) { if as.isRangeOpPermitted(tx, userName, key, rangeEnd, permTyp) {
return nil return nil
} }

53
clientv3/example_auth_test.go
View File

@ -35,22 +35,32 @@ func ExampleAuth() {
if _, err = cli.RoleAdd(context.TODO(), "root"); err != nil { if _, err = cli.RoleAdd(context.TODO(), "root"); err != nil {
log.Fatal(err) log.Fatal(err)
} }
if _, err = cli.RoleGrantPermission(
context.TODO(),
"root", // role name
"foo", // key
"zoo", // range end
clientv3.PermissionType(clientv3.PermReadWrite),
); err != nil {
log.Fatal(err)
}
if _, err = cli.UserAdd(context.TODO(), "root", "123"); err != nil { if _, err = cli.UserAdd(context.TODO(), "root", "123"); err != nil {
log.Fatal(err) log.Fatal(err)
} }
if _, err = cli.UserGrantRole(context.TODO(), "root", "root"); err != nil { if _, err = cli.UserGrantRole(context.TODO(), "root", "root"); err != nil {
log.Fatal(err) log.Fatal(err)
} }
if _, err = cli.RoleAdd(context.TODO(), "r"); err != nil {
log.Fatal(err)
}
if _, err = cli.RoleGrantPermission(
context.TODO(),
"r", // role name
"foo", // key
"zoo", // range end
clientv3.PermissionType(clientv3.PermReadWrite),
); err != nil {
log.Fatal(err)
}
if _, err = cli.UserAdd(context.TODO(), "u", "123"); err != nil {
log.Fatal(err)
}
if _, err = cli.UserGrantRole(context.TODO(), "u", "r"); err != nil {
log.Fatal(err)
}
if _, err = cli.AuthEnable(context.TODO()); err != nil { if _, err = cli.AuthEnable(context.TODO()); err != nil {
log.Fatal(err) log.Fatal(err)
} }
@ -58,7 +68,7 @@ func ExampleAuth() {
cliAuth, err := clientv3.New(clientv3.Config{ cliAuth, err := clientv3.New(clientv3.Config{
Endpoints: endpoints, Endpoints: endpoints,
DialTimeout: dialTimeout, DialTimeout: dialTimeout,
Username: "root", Username: "u",
Password: "123", Password: "123",
}) })
if err != nil { if err != nil {
@ -77,16 +87,27 @@ func ExampleAuth() {
Commit() Commit()
fmt.Println(err) fmt.Println(err)
// now check the permission // now check the permission with the root account
resp, err := cliAuth.RoleGet(context.TODO(), "root") rootCli, err := clientv3.New(clientv3.Config{
Endpoints: endpoints,
DialTimeout: dialTimeout,
Username: "root",
Password: "123",
})
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
fmt.Printf("root user permission: key %q, range end %q\n", resp.Perm[0].Key, resp.Perm[0].RangeEnd) defer rootCli.Close()
if _, err = cliAuth.AuthDisable(context.TODO()); err != nil { resp, err := rootCli.RoleGet(context.TODO(), "r")
if err != nil {
log.Fatal(err)
}
fmt.Printf("user u permission: key %q, range end %q\n", resp.Perm[0].Key, resp.Perm[0].RangeEnd)
if _, err = rootCli.AuthDisable(context.TODO()); err != nil {
log.Fatal(err) log.Fatal(err)
} }
// Output: etcdserver: permission denied // Output: etcdserver: permission denied
// root user permission: key "foo", range end "zoo" // user u permission: key "foo", range end "zoo"
} }

14
e2e/ctl_v3_auth_test.go
View File

@ -111,11 +111,11 @@ func authCredWriteKeyTest(cx ctlCtx) {
cx.user, cx.pass = "root", "root" cx.user, cx.pass = "root", "root"
authSetupTestUser(cx) authSetupTestUser(cx)
// confirm root role doesn't grant access to all keys // confirm root role can access to all keys
if err := ctlV3PutFailPerm(cx, "foo", "bar"); err != nil { if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
cx.t.Fatal(err) cx.t.Fatal(err)
} }
if err := ctlV3GetFailPerm(cx, "foo"); err != nil { if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
cx.t.Fatal(err) cx.t.Fatal(err)
} }
@ -126,17 +126,17 @@ func authCredWriteKeyTest(cx ctlCtx) {
} }
// confirm put failed // confirm put failed
cx.user, cx.pass = "test-user", "pass" cx.user, cx.pass = "test-user", "pass"
if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "a"}}...); err != nil { if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
cx.t.Fatal(err) cx.t.Fatal(err)
} }
// try good user // try good user
cx.user, cx.pass = "test-user", "pass" cx.user, cx.pass = "test-user", "pass"
if err := ctlV3Put(cx, "foo", "bar", ""); err != nil { if err := ctlV3Put(cx, "foo", "bar2", ""); err != nil {
cx.t.Fatal(err) cx.t.Fatal(err)
} }
// confirm put succeeded // confirm put succeeded
if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil { if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar2"}}...); err != nil {
cx.t.Fatal(err) cx.t.Fatal(err)
} }
@ -147,7 +147,7 @@ func authCredWriteKeyTest(cx ctlCtx) {
} }
// confirm put failed // confirm put failed
cx.user, cx.pass = "test-user", "pass" cx.user, cx.pass = "test-user", "pass"
if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil { if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar2"}}...); err != nil {
cx.t.Fatal(err) cx.t.Fatal(err)
} }
} }