Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
15,840 Commits 15 Branches 491 Tags 148 MiB
Commit Graph

126 Commits

Author SHA1 Message Date
vivekpatani
c0ef7d52e0 server,test: refresh cache on each NewAuthStore 
- permissions were incorrectly loaded on restarts.
- #14355
- Backport of https://github.com/etcd-io/etcd/pull/14358

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
 2022-08-31 13:08:11 -07:00
Hitoshi Mitake
ecd91da40d server/auth: protect rangePermCache with a RW lock 
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
 2022-07-19 15:51:48 +09:00
cfz
23e79dbf19
[backport 3.4]: server/auth: enable tokenProvider if recoved store enables auth 
this is a manual backport of #13172
 2022-05-06 12:26:55 +08:00
Gyuho Lee
99e893d285
Merge pull request #12074 from cfc4n/automated-cherry-pick-of-#12005-upstream-release-3.4 
Automated cherry pick of #12005
 2020-06-26 11:30:07 -07:00
cfc4n
4488595e05 auth: Customize simpleTokenTTL settings. 
see https://github.com/etcd-io/etcd/issues/11978 for more detail.
 2020-06-25 19:58:26 +08:00
cfc4n
490c6139ac auth: return incorrect result 'ErrUserNotFound' when client request without username or username was empty. 
Fiexs https://github.com/etcd-io/etcd/issues/12004 .
 2020-06-25 19:48:36 +08:00
Hitoshi Mitake
6f011ce524 auth: a new error code for the case of password auth against no password user 2020-06-21 19:12:55 -04:00
shawwang
f18976f4b8 auth: optimize lock scope for CheckPassword 
to improve authentication performance in concurrent scenarios when enable auth and using authentication based password
 2020-04-25 18:36:18 +08:00
tangcong
b733b22712 auth: ensure RoleGrantPermission is compatible with older versions 2020-04-09 09:33:40 +08:00
tangcong
eb80716532 etcdserver: print warn log when failed to apply request 2020-04-09 09:33:40 +08:00
tangcong
e2abd97659 auth: cleanup saveConsistentIndex in NewAuthStore 2020-04-09 09:33:40 +08:00
tangcong
716821b9b5 auth: print warning log when error is ErrAuthOldRevision 2020-04-09 09:33:40 +08:00
shawwang
63116ffdb4 auth: add new metric 'etcd_debugging_auth_revision' 2020-04-09 09:33:40 +08:00
tangcong
347c8dac3b *: fix auth revision corruption bug 2020-04-09 09:33:36 +08:00
yoyinzyc
4a9247a47e auth: fix NoPassWord check when add user 2019-12-10 12:53:10 -08:00
yoyinzyc
ae5bd3c268 auth: fix user.Options nil pointer 2019-12-02 14:44:15 -08:00
Raphael Westphal
61d6efda4c etcdserver: add check for nil options 2019-08-26 10:48:20 -07:00
Sahdev P. Zala
1cef112a79 etcdserver: do not allow creating empty role 
Like user, we should not allow creating empty role.

Related #10905
 2019-07-24 17:41:24 -04:00
Hitoshi Mitake
5a67dd788d *: support creating a user without password 
This commit adds a feature for creating a user without password. The
purpose of the feature is reducing attack surface by configuring bad
passwords (CN based auth will be allowed for the user).

The feature can be used with `--no-password` of `etcdctl user add`
command.

Fix https://github.com/coreos/etcd/issues/9590
 2019-05-30 21:59:30 +09:00
Gyuho Lee
34bd797e67 *: revert module import paths 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2019-05-28 15:39:35 -07:00
shivaramr
9150bf52d6 go modules: Fix module path version to include version number 2019-04-26 15:29:50 -07:00
Sam Batschelet
bf9d0d8291 auth: disable CommonName auth for gRPC-gateway 
Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
 2019-01-08 12:31:20 -05:00
Gyuho Lee
fced933294 auth: update Go import paths to "go.etcd.io" 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2018-08-28 17:47:55 -07:00
Joe LeGasse
a6ddb51c8a auth: Support all JWT algorithms 
This change adds support to etcd for all of the JWT algorithms included
in the underlying JWT library.
 2018-06-26 16:31:01 -04:00
Sam Batschelet
b30a1166e0 auth: fix panic using WithRoot and improve JWT coverage 2018-05-22 12:53:27 -04:00
Jiang Xuan
bf432648ae *: make bcrypt-cost configurable 2018-05-03 11:43:32 -07:00
Gyuho Lee
200401248a
Merge pull request #9665 from gyuho/unconvert 
test: integrate github.com/mdempsky/unconvert
 2018-05-01 09:52:44 -07:00
Gyuho Lee
ae71076579 auth: fix "unconvert" warnings 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-30 15:32:16 -07:00
Gyuho Lee
e9d5789dd4 auth: remove "strings.Compare == 0" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-30 15:10:56 -07:00
Gyuho Lee
d398d41ff0 auth: break TLS VerifiedChains for-loop early 
Fix "auth/store.go:1147:4: the surrounding loop is unconditionally terminated (SA4004)"

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-30 10:34:59 -07:00
Gyuho Lee
da4a982b1c auth: support structured logging 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-27 14:19:48 -07:00
Gyuho Lee
f57fa6abaf auth: support structured logger 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-16 17:36:00 -07:00
Hitoshi Mitake
b1dd19a7aa *: don't use string literals directly in grpc metadata 
Current etcd code uses the string literals ("token", "authorization")
as field names of grpc and swappger metadata for passing token. It is
difficult to maintain so this commit introduces new constants for the
purpose.
 2018-03-15 14:17:34 +09:00
Gyuho Lee
f0eb772963 auth: add "IsAuthEnabled" method 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-02-28 11:16:35 -08:00
Hitoshi Mitake
8eb7cfb296 auth: a new auth token provider nop 
This commit adds a new auth token provider named nop. The nop provider
refuses every Authenticate() request so CN based authentication can
only be allowed. If the tokenOpts parameter of auth.NewTokenProvider()
is empty, the provider will be used.
 2018-02-27 16:21:14 +09:00
Gyuho Lee
8a518b01c4 *: revert "internal/mvcc" change 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-02-26 17:11:40 -08:00
Gyuho Lee
bb95d190c1 *: revert "internal/auth" change 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-02-26 17:11:40 -08:00
Hitoshi Mitake
6c91766490 *: move "auth" to "internal/auth" 2018-01-29 14:57:35 +09:00
Gyuho Lee
80d15948bc *: move "mvcc" to "internal/mvcc" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-01-26 11:14:41 -08:00
Gyuho Lee
1f191a0e34 auth: use NewIncomingContext for "WithRoot" 
"WithRoot" is only used within local node, and
"AuthInfoFromCtx" expects token from incoming context.
Embed token with "NewIncomingContext" so that token
can be found in "AuthInfoFromCtx".

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2017-12-14 21:45:16 -08:00
Gyuho Lee
645c7c9a92 auth: use "sort.Strings" instead of StringSlice 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2017-12-04 14:09:27 -08:00
Hitoshi Mitake
f649132a5a auth, etcdserver: follow the correct usage of context 
The keys of context shouldn't be string. They should be a struct of
their own type.

Fix https://github.com/coreos/etcd/issues/8826
 2017-11-21 15:31:19 +09:00
Gyu-Ho Lee
38942a2a51 auth: clean up mutex lock/unlocks 
Only hold locks when needed.

Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-11-06 13:17:29 -08:00
Gyu-Ho Lee
568b856be8 auth: pre-allocate slices in store 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-11-06 09:16:15 -08:00
Hitoshi Mitake
da0a387aac auth: use binary search for checking root permission 
authpb.User.Roles is sorted so we don't need a linear search for
checking the user has a root role or not.
 2017-10-25 13:16:37 +09:00
Gyu-Ho Lee
f65aee0759 *: replace 'golang.org/x/net/context' with 'context' 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-09-07 13:39:42 -07:00
Gyu-Ho Lee
35b11bf438 auth: replace NewContext with NewOutgoingContext 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-08-17 19:46:19 -07:00
Hitoshi Mitake
e0c33ef881 auth, etcdserver: allow users to know their roles and permissions 
Current UserGet() and RoleGet() RPCs require admin permission. It
means that users cannot know which roles they belong to and what
permissions the roles have. This commit change the semantics and now
users can know their roles and permissions.
 2017-06-26 22:20:41 -07:00
Xiang Li
44a6c2121b Merge pull request #7999 from hexfusion/grpc-gateway-auth 
auth: support "authorization" token for grpc-gateway
 2017-06-15 19:22:00 -07:00
Gyu-Ho Lee
5e059fd8dc *: use metadata Incoming/OutgoingContext 
Fix https://github.com/coreos/etcd/issues/7888.

Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-06-15 16:41:23 -07:00