Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
16,203 Commits 15 Branches 491 Tags 148 MiB
Commit Graph

190 Commits

Author SHA1 Message Date
Lan Liang
47cef60ac4 Backport #13577 
Disable auth gracefully without impacting existing watchers.

Signed-off-by: Lan Liang <gcslyp@gmail.com>
 2023-07-14 12:48:22 +08:00
Benjamin Wang
b000f15049 etcdserver: verify field 'username' and 'revision' present when decoding a JWT token 
Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2023-04-10 08:26:12 +08:00
Hitoshi Mitake
442de314a2 server/auth: disallow creating empty permission ranges 
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
Co-authored-by: Benjamin Wang <wachao@vmware.com>
 2023-04-04 21:41:04 +09:00
J. David Lowe
cee78aca75 etcdserver: don't attempt to grant nil permission to a role 
Prevent etcd from crashing when given a bad grant payload, e.g.:

$ curl -d '{"name": "foo"}' http://localhost:2379/v3/auth/role/add
{"header":{"cluster_id":"14841639068965178418", ...
$ curl -d '{"name": "foo"}' http://localhost:2379/v3/auth/role/grant
curl: (52) Empty reply from server

Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
Signed-off-by: J. David Lowe <j.david.lowe@gmail.com>
 2023-04-04 21:40:54 +09:00
James Blair
a91bacf567
Formatted source code for go 1.19.6. 
Signed-off-by: James Blair <mail@jamesblair.net>
 2023-02-20 12:44:14 +13:00
Hitoshi Mitake
b7a23311e6 etcdserver: call refreshRangePermCache on Recover() in AuthStore 
Signed-off-by: Oleg Guba <oleg@dropbox.com>
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
 2022-10-29 13:55:06 +09:00
Hitoshi Mitake
0b3ff06868 server: add a unit test case for authStore.Reocver() with empty rangePermCache 
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
 2022-10-29 13:27:53 +09:00
vivekpatani
c0ef7d52e0 server,test: refresh cache on each NewAuthStore 
- permissions were incorrectly loaded on restarts.
- #14355
- Backport of https://github.com/etcd-io/etcd/pull/14358

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
 2022-08-31 13:08:11 -07:00
Hitoshi Mitake
ecd91da40d server/auth: protect rangePermCache with a RW lock 
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
 2022-07-19 15:51:48 +09:00
cfz
23e79dbf19
[backport 3.4]: server/auth: enable tokenProvider if recoved store enables auth 
this is a manual backport of #13172
 2022-05-06 12:26:55 +08:00
Yusuke Suzuki
1558ede7f8 go.mod,go.sum: Replace github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt 
github.com/dgrijalva/jwt-go has CVE https://github.com/advisories/GHSA-w73w-5m7g-f7qc
and is already archived. etcd v3.4 should use a community maintained fork
github.com/golang-jwt/jwt which provides the fixed version of the CVE.

Signed-off-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp>
 2021-10-02 10:01:52 +09:00
Gyuho Lee
99e893d285
Merge pull request #12074 from cfc4n/automated-cherry-pick-of-#12005-upstream-release-3.4 
Automated cherry pick of #12005
 2020-06-26 11:30:07 -07:00
cfc4n
4488595e05 auth: Customize simpleTokenTTL settings. 
see https://github.com/etcd-io/etcd/issues/11978 for more detail.
 2020-06-25 19:58:26 +08:00
cfc4n
490c6139ac auth: return incorrect result 'ErrUserNotFound' when client request without username or username was empty. 
Fiexs https://github.com/etcd-io/etcd/issues/12004 .
 2020-06-25 19:48:36 +08:00
Hitoshi Mitake
6f011ce524 auth: a new error code for the case of password auth against no password user 2020-06-21 19:12:55 -04:00
shawwang
f18976f4b8 auth: optimize lock scope for CheckPassword 
to improve authentication performance in concurrent scenarios when enable auth and using authentication based password
 2020-04-25 18:36:18 +08:00
tangcong
b733b22712 auth: ensure RoleGrantPermission is compatible with older versions 2020-04-09 09:33:40 +08:00
tangcong
eb80716532 etcdserver: print warn log when failed to apply request 2020-04-09 09:33:40 +08:00
tangcong
e2abd97659 auth: cleanup saveConsistentIndex in NewAuthStore 2020-04-09 09:33:40 +08:00
tangcong
716821b9b5 auth: print warning log when error is ErrAuthOldRevision 2020-04-09 09:33:40 +08:00
shawwang
63116ffdb4 auth: add new metric 'etcd_debugging_auth_revision' 2020-04-09 09:33:40 +08:00
tangcong
347c8dac3b *: fix auth revision corruption bug 2020-04-09 09:33:36 +08:00
jingyih
50e12328ac auth: correct logging level 2020-02-04 05:38:58 -08:00
yoyinzyc
4a9247a47e auth: fix NoPassWord check when add user 2019-12-10 12:53:10 -08:00
yoyinzyc
ae5bd3c268 auth: fix user.Options nil pointer 2019-12-02 14:44:15 -08:00
Raphael Westphal
61d6efda4c etcdserver: add check for nil options 2019-08-26 10:48:20 -07:00
Gyuho Lee
6a0811a949 *: use new adt.IntervalTree interface 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2019-07-31 22:23:13 -07:00
Sahdev P. Zala
1cef112a79 etcdserver: do not allow creating empty role 
Like user, we should not allow creating empty role.

Related #10905
 2019-07-24 17:41:24 -04:00
Gyuho Lee
1caaa9ed4a test: test update for Go 1.12.5 and related changes 
Update to Go 1.12.5 testing. Remove deprecated unused and gosimple
pacakges, and mask staticcheck 1006. Also, fix unconvert errors related
to unnecessary type conversions and following staticcheck errors:
- remove redundant return statements
- use for range instead of for select
- use time.Since instead of time.Now().Sub
- omit comparison to bool constant
- replace T.Fatal and T.Fatalf in tests with T.Error and T.Fatalf respectively because the goroutine calls T.Fatal must be called in the same goroutine as the test
- fix error strings that should not be capitalized
- use sort.Strings(...) instead of sort.Sort(sort.StringSlice(...))
- use he status code of Canceled instead of grpc.ErrClientConnClosing which is deprecated
- use use status.Errorf instead of grpc.Errorf which is deprecated

Related #10528 #10438
 2019-06-05 17:02:05 -04:00
Hitoshi Mitake
54b09d4f87 auth: add a unit test for creating a user with no password 2019-05-30 21:59:30 +09:00
Hitoshi Mitake
5a67dd788d *: support creating a user without password 
This commit adds a feature for creating a user without password. The
purpose of the feature is reducing attack surface by configuring bad
passwords (CN based auth will be allowed for the user).

The feature can be used with `--no-password` of `etcdctl user add`
command.

Fix https://github.com/coreos/etcd/issues/9590
 2019-05-30 21:59:30 +09:00
Gyuho Lee
34bd797e67 *: revert module import paths 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2019-05-28 15:39:35 -07:00
shivaramr
9150bf52d6 go modules: Fix module path version to include version number 2019-04-26 15:29:50 -07:00
zhoulin xie
5effa154b4 auth/simple_token.go: fix plog.Panicf error message 
Signed-off-by: zhoulin xie <zhoulin.xie@daocloud.io>
 2019-02-24 19:34:02 -05:00
Sam Batschelet
bf9d0d8291 auth: disable CommonName auth for gRPC-gateway 
Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
 2019-01-08 12:31:20 -05:00
Gyuho Lee
c58f5cfeda test: disable "unparam" for now 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2018-12-17 11:30:28 -08:00
Essam A. Hassan
ffbdb458a4 Auth: improve auth coverage 
adds tests for uncovered auth funcs

Issue #9734
 2018-10-01 10:25:38 +02:00
Gyuho Lee
fced933294 auth: update Go import paths to "go.etcd.io" 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2018-08-28 17:47:55 -07:00
Joe LeGasse
a6ddb51c8a auth: Support all JWT algorithms 
This change adds support to etcd for all of the JWT algorithms included
in the underlying JWT library.
 2018-06-26 16:31:01 -04:00
Sam Batschelet
b30a1166e0 auth: fix panic using WithRoot and improve JWT coverage 2018-05-22 12:53:27 -04:00
Jiang Xuan
bf432648ae *: make bcrypt-cost configurable 2018-05-03 11:43:32 -07:00
Gyuho Lee
200401248a
Merge pull request #9665 from gyuho/unconvert 
test: integrate github.com/mdempsky/unconvert
 2018-05-01 09:52:44 -07:00
Gyuho Lee
ae71076579 auth: fix "unconvert" warnings 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-30 15:32:16 -07:00
Gyuho Lee
e9d5789dd4 auth: remove "strings.Compare == 0" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-30 15:10:56 -07:00
Gyuho Lee
d398d41ff0 auth: break TLS VerifiedChains for-loop early 
Fix "auth/store.go:1147:4: the surrounding loop is unconditionally terminated (SA4004)"

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-30 10:34:59 -07:00
Gyuho Lee
da4a982b1c auth: support structured logging 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-27 14:19:48 -07:00
Gyuho Lee
f57fa6abaf auth: support structured logger 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-16 17:36:00 -07:00
Hitoshi Mitake
b1dd19a7aa *: don't use string literals directly in grpc metadata 
Current etcd code uses the string literals ("token", "authorization")
as field names of grpc and swappger metadata for passing token. It is
difficult to maintain so this commit introduces new constants for the
purpose.
 2018-03-15 14:17:34 +09:00
Hitoshi Mitake
752963beea *: unify type of key and rangeEnd in AuthRoleRevokePermissionRequest 
Fix https://github.com/coreos/etcd/issues/9424
 2018-03-14 14:38:20 +09:00
Gyuho Lee
f0eb772963 auth: add "IsAuthEnabled" method 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-02-28 11:16:35 -08:00