etcdctl: add a new option --from-key for unlimited range permission

This commit adds a new option --from-key to the command etcdctl role
grant-permission. If the option is passed, an open ended permission
will be granted to a role e.g. from start-key to any keys those are
larger than start-key.

Example:
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant r1 readwrite a b
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant --from-key r1 readwrite c
$ ETCDCTL_API=3 bin/etcdctl --user root:p role get r1
Role r1
KV Read:
        [a, b) (prefix a)
        [c, <open ended>
KV Write:
        [a, b) (prefix a)
        [c, <open ended>

Note that a closed parenthesis doesn't follow the above <open ended>
for indicating that the role has an open ended permission ("<open
ended>" is a valid range end).

Fixes https://github.com/coreos/etcd/issues/7468

auth/range_perm_cache.go

@@ -38,11 +38,18 @@ func getMergedPerms(tx backend.BatchTx, userName string) *unifiedRangePermission
 
 		for _, perm := range role.KeyPermission {
 			var ivl adt.Interval
+			var rangeEnd string
+
+			if len(perm.RangeEnd) == 1 && perm.RangeEnd[0] == 0 {
+				rangeEnd = ""
+			} else {
+				rangeEnd = string(perm.RangeEnd)
+			}
 
 			if len(perm.RangeEnd) != 0 {
-				ivl = adt.NewStringInterval(string(perm.Key), string(perm.RangeEnd))
+				ivl = adt.NewStringAffineInterval(string(perm.Key), string(rangeEnd))
 			} else {
-				ivl = adt.NewStringPoint(string(perm.Key))
+				ivl = adt.NewStringAffinePoint(string(perm.Key))
 			}
 
 			switch perm.PermType {
@@ -66,7 +73,11 @@ func getMergedPerms(tx backend.BatchTx, userName string) *unifiedRangePermission
 }
 
 func checkKeyInterval(cachedPerms *unifiedRangePermissions, key, rangeEnd string, permtyp authpb.Permission_Type) bool {
-	ivl := adt.NewStringInterval(key, rangeEnd)
+	if len(rangeEnd) == 1 && rangeEnd[0] == '\x00' {
+		rangeEnd = ""
+	}
+
+	ivl := adt.NewStringAffineInterval(key, rangeEnd)
 	switch permtyp {
 	case authpb.READ:
 		return cachedPerms.readPerms.Contains(ivl)
@@ -79,7 +90,7 @@ func checkKeyInterval(cachedPerms *unifiedRangePermissions, key, rangeEnd string
 }
 
 func checkKeyPoint(cachedPerms *unifiedRangePermissions, key string, permtyp authpb.Permission_Type) bool {
-	pt := adt.NewStringPoint(key)
+	pt := adt.NewStringAffinePoint(key)
 	switch permtyp {
 	case authpb.READ:
 		return cachedPerms.readPerms.Intersects(pt)

auth/range_perm_cache_test.go

@@ -29,17 +29,17 @@ func TestRangePermission(t *testing.T) {
 		want  bool
 	}{
 		{
-			[]adt.Interval{adt.NewStringInterval("a", "c"), adt.NewStringInterval("x", "z")},
+			[]adt.Interval{adt.NewStringAffineInterval("a", "c"), adt.NewStringAffineInterval("x", "z")},
 			"a", "z",
 			false,
 		},
 		{
-			[]adt.Interval{adt.NewStringInterval("a", "f"), adt.NewStringInterval("c", "d"), adt.NewStringInterval("f", "z")},
+			[]adt.Interval{adt.NewStringAffineInterval("a", "f"), adt.NewStringAffineInterval("c", "d"), adt.NewStringAffineInterval("f", "z")},
 			"a", "z",
 			true,
 		},
 		{
-			[]adt.Interval{adt.NewStringInterval("a", "d"), adt.NewStringInterval("a", "b"), adt.NewStringInterval("c", "f")},
+			[]adt.Interval{adt.NewStringAffineInterval("a", "d"), adt.NewStringAffineInterval("a", "b"), adt.NewStringAffineInterval("c", "f")},
 			"a", "f",
 			true,
 		},

etcdctl/ctlv3/command/printer_simple.go

@@ -141,7 +141,11 @@ func (s *simplePrinter) RoleGet(role string, r v3.AuthRoleGetResponse) {
 	printRange := func(perm *v3.Permission) {
 		sKey := string(perm.Key)
 		sRangeEnd := string(perm.RangeEnd)
-		fmt.Printf("\t[%s, %s)", sKey, sRangeEnd)
+		if strings.Compare(sRangeEnd, "\x00") != 0 {
+			fmt.Printf("\t[%s, %s)", sKey, sRangeEnd)
+		} else {
+			fmt.Printf("\t[%s, <open ended>", sKey)
+		}
 		if strings.Compare(v3.GetPrefixRangeEnd(sKey), sRangeEnd) == 0 {
 			fmt.Printf(" (prefix %s)", sKey)
 		}
@@ -188,7 +192,11 @@ func (s *simplePrinter) RoleRevokePermission(role string, key string, end string
 		fmt.Printf("Permission of key %s is revoked from role %s\n", key, role)
 		return
 	}
-	fmt.Printf("Permission of range [%s, %s) is revoked from role %s\n", key, end, role)
+	if strings.Compare(end, "\x00") != 0 {
+		fmt.Printf("Permission of range [%s, %s) is revoked from role %s\n", key, end, role)
+	} else {
+		fmt.Printf("Permission of range [%s, <open ended> is revoked from role %s\n", key, role)
+	}
 }
 
 func (s *simplePrinter) UserAdd(name string, r v3.AuthUserAddResponse) {

etcdctl/ctlv3/command/role_command.go

@@ -24,6 +24,7 @@ import (
 
 var (
 	grantPermissionPrefix bool
+	permFromKey           bool
 )
 
 // NewRoleCommand returns the cobra command for "role".
@@ -83,16 +84,21 @@ func newRoleGrantPermissionCommand() *cobra.Command {
 	}
 
 	cmd.Flags().BoolVar(&grantPermissionPrefix, "prefix", false, "grant a prefix permission")
+	cmd.Flags().BoolVar(&permFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare")
 
 	return cmd
 }
 
 func newRoleRevokePermissionCommand() *cobra.Command {
-	return &cobra.Command{
+	cmd := &cobra.Command{
 		Use:   "revoke-permission <role name> <key> [endkey]",
 		Short: "Revokes a key from a role",
 		Run:   roleRevokePermissionCommandFunc,
 	}
+
+	cmd.Flags().BoolVar(&permFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare")
+
+	return cmd
 }
 
 // roleAddCommandFunc executes the "role add" command.
@@ -168,9 +174,20 @@ func roleGrantPermissionCommandFunc(cmd *cobra.Command, args []string) {
 		if grantPermissionPrefix {
 			ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --prefix option and range end to grant permission command"))
 		}
+
+		if permFromKey {
+			ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --from-key option and range end to grant permission command"))
+		}
+
 		rangeEnd = args[3]
 	} else if grantPermissionPrefix {
+		if permFromKey {
+			ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --from-key option and --prefix option to grant permission command"))
+		}
+
 		rangeEnd = clientv3.GetPrefixRangeEnd(args[2])
+	} else if permFromKey {
+		rangeEnd = "\x00"
 	}
 
 	resp, err := mustClientFromCmd(cmd).Auth.RoleGrantPermission(context.TODO(), args[0], args[2], rangeEnd, perm)
@@ -190,6 +207,8 @@ func roleRevokePermissionCommandFunc(cmd *cobra.Command, args []string) {
 	rangeEnd := ""
 	if 3 <= len(args) {
 		rangeEnd = args[2]
+	} else if permFromKey {
+		rangeEnd = "\x00"
 	}
 
 	resp, err := mustClientFromCmd(cmd).Auth.RoleRevokePermission(context.TODO(), args[0], args[1], rangeEnd)