Wei Fu
4704a5af3a
*: fix unused issue
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2023-09-25 19:37:18 +08:00
Wei Fu
aa97484166
*: enable goimports in verify-lint
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2023-09-21 21:14:09 +08:00
Wei Fu
9c3edfa0af
*: fix staticcheck lint
Changed TraceKey/StartTimeKey/TokenFieldNameGRPCKey to struct{} to
follow the correct usage of context. Similar patch to #8901.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2023-09-21 11:24:26 +08:00
chenyahui
c0aa3b613b
Use any instead of interface{}
Signed-off-by: chenyahui <cyhone@qq.com>
2023-09-17 17:41:58 +08:00
Marek Siarkowicz
53cbd81009
Separate Writer interface from BatchTx interfaces
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-07-31 10:18:01 +02:00
Marek Siarkowicz
29769984e6
Remove RLock/RUnlock from BatchTx
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-07-28 11:39:50 +02:00
Tom Wieczorek
a8a9ebd281
auth: Support for EdDSA JWT algorithm
The golang-jwt library supports this already, so supporting it is just a
matter of wiring things up.
Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com>
2023-07-05 11:33:08 +02:00
Owayss Kabtoul
1c18c86e18
tests: increases unit test coverage for etcd/server/auth isRangeOpPermitted
Signed-off-by: Owayss Kabtoul <owayssk@gmail.com>
2023-04-20 13:39:08 +02:00
ArkaSaha30
a1fa3bfe51
Add test cases for malformed jwt fix
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
2023-04-10 09:38:49 +05:30
Lanre Adelowo
386aedef51
[WIP] server/auth: fix panic on identical JWT token generation and auth
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
2023-04-04 18:01:55 +05:30
Hitoshi Mitake
4da39e4b1e
Merge pull request #15294 from mitake/range-check
server/auth: disallow creating empty permission ranges
2023-04-03 09:03:50 +09:00
tangcong
ad72900dad
server/auth: fix auth panic bug when user changes password
Signed-off-by: tangcong <tangcong506@foxmail.com>
2023-03-12 20:49:09 +08:00
Hitoshi Mitake
65eeb7ff17
server/auth: disallow creating empty permission ranges
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
Co-authored-by: Benjamin Wang <wachao@vmware.com>
2023-02-27 22:55:36 +09:00
Piotr Tabor
9abc895122
Goimports: Apply automated fixing to test files as well.
Signed-off-by: Piotr Tabor <ptab@google.com>
2022-12-29 13:04:45 +01:00
Piotr Tabor
9e1abbab6e
Fix goimports in all existing files. Execution of ./scripts/fix.sh
Signed-off-by: Piotr Tabor <ptab@google.com>
2022-12-29 09:41:31 +01:00
Bhargav Ravuri
2feec4fe68
comments: fix comments as per goword in go test files
Comments fixed as per goword in Go test files that the shell
function go_srcs_in_module lists, as per the changes in #14827
Helps in #14827
Signed-off-by: Bhargav Ravuri <bhargav.ravuri@infracloud.io>
2022-11-23 23:05:42 +05:30
Hitoshi Mitake
b7146f8f33
server: add a unit test case for authStore.Recover() with empty rangePermCache
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
2022-10-29 12:54:34 +09:00
Oleg Guba
fbed8cb645
etcdserver: call refreshRangePermCache on Recover() in AuthStore
Signed-off-by: Oleg Guba <oleg@dropbox.com>
2022-10-27 15:05:05 -07:00
Benjamin Wang
5344085338
Merge pull request #14491 from ahrtr/bump_jwt_4.4.2
etcd: Bump golang-jwt/jwt/ version to 4.4.2
2022-09-20 10:18:44 +08:00
Benjamin Wang
09db6ec1d7
etcd: Bump golang-jwt/jwt/ version to 4.4.2
github.com/golang-jwt/jwt adds go mod support starting from 4.0.0,
and it's backwards-compatible with existing v3.x.y tags.
Signed-off-by: Benjamin Wang <wachao@vmware.com>
2022-09-20 04:06:47 +08:00
demoManito
72cf0cc04a
etcd: modify declaring empty slices
declare empty slices with `var s []int` instead of `s := []int{}`, see https://github.com/golang/go/wiki/CodeReviewComments#declaring-empty-slices
Signed-off-by: demoManito <1430482733@qq.com>
2022-09-16 14:41:14 +08:00
vivekpatani
ae608da7e6
server,test: refresh cache on each NewAuthStore
- permissions were incorrectly loaded on restarts.
- https://github.com/etcd-io/etcd/issues/14355
Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
2022-08-23 20:11:47 -07:00
Chao Chen
ccd4efc3b3
logging RoleGrantPermission key and range end
Signed-off-by: Chao Chen <chaochn@amazon.com>
2022-08-10 14:51:25 -07:00
jianfei.zhang
c26d7f5389
fix: code cleanup
Signed-off-by: jianfei.zhang <jianfei.zhang@daocloud.io>
2022-07-26 22:07:22 +08:00
Hitoshi Mitake
de09174a3f
server/auth: protect rangePermCache with a RW lock
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
2022-07-02 23:23:13 +09:00
ahrtr
e155e50886
rename LockWithoutHook to LockOutsideApply and add LockInsideApply
2022-04-07 05:35:13 +08:00
ahrtr
7ac995cdde
enhanced authBackend to support authReadTx
2022-04-07 05:35:13 +08:00
Marek Siarkowicz
804fddf921
tests: Use zaptest.NewLogger in tests
2022-04-04 13:03:15 +02:00
Hitoshi Mitake
43e39d362d
Merge pull request #13301 from mitake/jwt-exp-log
server/auth: avoid logging for JWT token
2022-03-23 22:39:28 +09:00
AdamKorcz
9d83325db8
server/auth: fix oss-fuzz issue 44478
2022-02-11 10:51:01 +00:00
Hitoshi Mitake
2e74e4d636
server/auth: avoid logging for JWT token for a case of failed parsing
2022-01-27 22:33:03 +09:00
Piotr Tabor
b8c5d44a1d
Merge pull request #13382 from ahrtr/public_key_match_issue
The public key doesn't match if any field doesn't match
2022-01-15 17:14:02 +01:00
Piotr Tabor
0285f74aea
Merge pull request #13558 from gfuzz-asplos/main
fixing goroutine leaks
2022-01-15 16:58:19 +01:00
Yap Sok Ann
17fd2e7282
Disable auth gracefully without impacting existing watchers
This attempts to fix a special case of the problem described in #12385,
where trying to do `clientv3.Watch` with an expired token would result
in `ErrGRPCPermissionDenied`, due to the failing authorization check in
`isWatchPermitted`. Furthermore, the client can't auto recover, since
`shouldRefreshToken` rightly returns false for the permission denied
error.
In this case, we would like to have a runbook to dynamically disable
auth, without causing any disruption. Doing so would immediately expire
all existing tokens, which would then cause the behavior described
above. This means existing watchers would still work for a period of
time after disabling auth, until they have to reconnect, e.g. due to a
rolling restart of server nodes.
This commit adds a client-side fix and a server-side fix, either of
which is sufficient to get the added test case to pass. Note that it is
an e2e test case instead of an integration one, as the reconnect only
happens if the server node is stopped via SIGINT or SIGTERM.
A generic fix for the problem described in #12385 would be better, as
that shall also fix this special case. However, the fix would likely be
a lot more involved, as some untangling of authn/authz is required.
2021-12-31 14:39:46 +07:00
Linhai
98b0d901e8
fixing goroutine leaks
2021-12-24 15:57:38 -05:00
ahrtr
63ff6d403d
correct the public key comparison logic
2021-11-25 05:57:55 +08:00
Eng Zer Jun
2a151c8982
*: move from io/ioutil to io and os packages
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-28 00:05:28 +08:00
Haimantika Mitra
c10d50c4b3
Replace github.com/form3tech-oss/jwt-go with https://github.com/golang-jwt/jwt
Signed-off-by: Haimantika Mitra <haimantikamitra@gmail.com>
Made required adjustments to the go.sum file
Signed-off-by: Haimantika Mitra <haimantikamitra@gmail.com>
Changed go.sum file in the server directory
Signed-off-by: Haimantika Mitra <haimantikamitra@gmail.com>
Removed the white space
Signed-off-by: Haimantika Mitra <haimantikamitra@gmail.com>
Made required changes
Signed-off-by: Haimantika Mitra <haimantikamitra@gmail.com>
Trying to fix the fails
Signed-off-by: haimantika mitra <haimantikamitra@gmail.com>
Removed error
Signed-off-by: haimantika mitra <haimantikamitra@gmail.com>
Fixed bill-of-materials.json file
Signed-off-by: haimantika mitra <haimantikamitra@gmail.com>
Changed go.mod with recent version
Signed-off-by: haimantika mitra <haimantikamitra@gmail.com>
Newer version changes
Signed-off-by: haimantika mitra <haimantikamitra@gmail.com>
Changes to etcdutl directory
Signed-off-by: haimantika mitra <haimantikamitra@gmail.com>
2021-08-03 13:49:47 +05:30
Marek Siarkowicz
bc16461995
server: Use zaptest in bucket tests and move backendMock to separate file
2021-07-20 18:12:02 +02:00
Marek Siarkowicz
a0554a6bd3
etcdserver: Create AuthBackend interface
2021-07-20 18:09:53 +02:00
Marek Siarkowicz
a97e48e08d
Cleanup references to bucket module
2021-07-20 17:50:47 +02:00
Marek Siarkowicz
5b6f4579fb
server: Rename buckets to schema
2021-07-12 15:37:21 +02:00
Marek Siarkowicz
5e40a8b00c
server: Create storage package and move mvcc files to it
2021-07-12 15:37:21 +02:00
cfz
b12f8c12ce
server/auth: enable tokenProvider if recovered store enables auth
We found a lease leak issue:
if a new member (added via member add) is recovered from a snapshot and
then becomes leader, leases will never expire afterwards. The leader will
log the revoke failure caused by "invalid auth token", since the
token provider is not functional and drops all tokens generated by the
upper layer, which in this case is the lease revoking
routine.
2021-07-11 01:17:08 +08:00
Piotr Tabor
33b2cdb957
Merge pull request #13162 from serathius/auth
etcdserver: Move read/update methods on Auth bucket to one place
2021-07-03 11:33:07 +02:00
Marek Siarkowicz
0c701fb9f3
etcdserver: Move all get/put/delete on AuthUsers and AuthRoles to buckets module
2021-07-01 12:12:15 +02:00
Marek Siarkowicz
b2e08fbfd4
etcdserver: Move read/update methods on Auth bucket to one place
2021-06-29 18:02:11 +02:00
Marek Siarkowicz
f79d09d48b
etcdserver: Move all named keys to buckets module
2021-06-28 16:40:50 +02:00
J. David Lowe
115c694af6
etcdserver: don't attempt to grant nil permission to a role
Prevent etcd from crashing when given a bad grant payload, e.g.:
$ curl -d '{"name": "foo"}' http://localhost:2379/v3/auth/role/add
{"header":{"cluster_id":"14841639068965178418", ...
$ curl -d '{"name": "foo"}' http://localhost:2379/v3/auth/role/grant
curl: (52) Empty reply from server
2021-06-04 14:20:02 -07:00
赵延
64b01a7a8d
Enhance the root permission: when the root role exists, it always returns rootPerm. (#13006)
`etcdctl role grant-permission root readwrite foo`
See `etcdctl role get root` output.
Before:
Role root
KV Read:
foo
KV Write:
foo
After:
Role root
KV Read:
[, <open ended>
KV Write:
[, <open ended>
2021-05-24 14:58:00 -07:00