
auth: add getRole

Xiang Li 9 years ago
parent
commit
1958598a18
2 changed files with 30 additions and 51 deletions
  1. 3 11
      auth/range_perm_cache.go
  2. 27 40
      auth/store.go

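--- a/auth/range_perm_cache.go
+++ b/auth/range_perm_cache.go
@@ -85,17 +85,9 @@ func (as *authStore) makeUnifiedPerms(tx backend.BatchTx, userName string) *unif
 	var readPerms, writePerms []*rangePerm
 
 	for _, roleName := range user.Roles {
-		_, vs := tx.UnsafeRange(authRolesBucketName, []byte(roleName), nil, 0)
-		if len(vs) != 1 {
-			plog.Errorf("invalid role name %s", roleName)
-			return nil
-		}
-
-		role := &authpb.Role{}
-		err := role.Unmarshal(vs[0])
-		if err != nil {
-			plog.Errorf("failed to unmarshal a role %s: %s", roleName, err)
-			return nil
+		role := getRole(tx, roleName)
+		if role == nil {
+			continue
 		}
 
 		for _, perm := range role.KeyPermission {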
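Review bot: The new `if role == nil { continue }` in makeUnifiedPerms skips a role that is listed on the user but missing from the roles bucket without logging anything, where the removed code logged `invalid role name` and returned nil. Skipping grants nothing for the missing role, but a dangling reference is an inconsistency in the auth store, and if a role with that name is created later the user would presumably pick up its permissions without a new grant. I would keep a diagnostic before the `continue`, e.g. `plog.Errorf("role %q of user %q not found", roleName, userName)`, and confirm that RoleDelete (its body is not fully visible here) also removes the role from the users that hold it. The same silent `continue` appears in isOpPermitted in auth/store.go, where the old code denied the request outright with `return false`. The loop body continues outside the hunk.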

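--- a/auth/store.go
+++ b/auth/store.go
@@ -400,17 +400,11 @@ func (as *authStore) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse,
 	tx.Lock()
 	defer tx.Unlock()
 
-	_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Role), nil, 0)
-	if len(vs) != 1 {
+	role := getRole(tx, r.Role)
+	if role == nil {
 		return nil, ErrRoleNotFound
 	}
 
-	role := &authpb.Role{}
-	err := role.Unmarshal(vs[0])
-	if err != nil {
-		return nil, err
-	}
-
 	var resp pb.AuthRoleGetResponse
 	for _, perm := range role.KeyPermission {
 		resp.Perm = append(resp.Perm, perm)
@@ -424,17 +418,11 @@ func (as *authStore) RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest)
 	tx.Lock()
 	defer tx.Unlock()
 
-	_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Role), nil, 0)
-	if len(vs) != 1 {
+	role := getRole(tx, r.Role)
+	if role == nil {
 		return nil, ErrRoleNotFound
 	}
 
-	role := &authpb.Role{}
-	err := role.Unmarshal(vs[0])
-	if err != nil {
-		return nil, err
-	}
-
 	updatedRole := &authpb.Role{}
 	updatedRole.Name = role.Name
 
@@ -483,8 +471,8 @@ func (as *authStore) RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDelete
 	tx.Lock()
 	defer tx.Unlock()
 
-	_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Role), nil, 0)
-	if len(vs) != 1 {
+	role := getRole(tx, r.Role)
+	if role == nil {
 		return nil, ErrRoleNotFound
 	}
 
@@ -499,8 +487,8 @@ func (as *authStore) RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse,
 	tx.Lock()
 	defer tx.Unlock()
 
-	_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Name), nil, 0)
-	if len(vs) != 0 {
+	role := getRole(tx, r.Name)
+	if role != nil {
 		return nil, ErrRoleAlreadyExist
 	}
 
@@ -546,18 +534,11 @@ func (as *authStore) RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (
 	tx.Lock()
 	defer tx.Unlock()
 
-	_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Name), nil, 0)
-	if len(vs) != 1 {
+	role := getRole(tx, r.Name)
+	if role == nil {
 		return nil, ErrRoleNotFound
 	}
 
-	role := &authpb.Role{}
-	err := role.Unmarshal(vs[0])
-	if err != nil {
-		plog.Errorf("failed to unmarshal a role %s: %s", r.Name, err)
-		return nil, err
-	}
-
 	idx := sort.Search(len(role.KeyPermission), func(i int) bool {
 		return bytes.Compare(role.KeyPermission[i].Key, []byte(r.Perm.Key)) >= 0
 	})
@@ -612,17 +593,9 @@ func (as *authStore) isOpPermitted(userName string, key, rangeEnd string, write
 
 	if strings.Compare(rangeEnd, "") == 0 {
 		for _, roleName := range user.Roles {
-			_, vs := tx.UnsafeRange(authRolesBucketName, []byte(roleName), nil, 0)
-			if len(vs) != 1 {
-				plog.Errorf("invalid role name %s for permission checking", roleName)
-				return false
-			}
-
-			role := &authpb.Role{}
-			err := role.Unmarshal(vs[0])
-			if err != nil {
-				plog.Errorf("failed to unmarshal a role %s: %s", roleName, err)
-				return false
+			role := getRole(tx, roleName)
+			if role == nil {
+				continue
 			}
 
 			for _, perm := range role.KeyPermission {
@@ -691,6 +664,20 @@ func getUser(tx backend.BatchTx, username string) *authpb.User {
 	return user
 }
 
+func getRole(tx backend.BatchTx, rolename string) *authpb.Role {
+	_, vs := tx.UnsafeRange(authRolesBucketName, []byte(rolename), nil, 0)
+	if len(vs) == 0 {
+		return nil
+	}
+
+	role := &authpb.Role{}
+	err := role.Unmarshal(vs[0])
+	if err != nil {
+		plog.Panicf("failed to unmarshal role struct (name: %s): %s", rolename, err)
+	}
+	return role
+}
+
 func (as *authStore) isAuthEnabled() bool {
 	as.enabledMu.RLock()
 	defer as.enabledMu.RUnlock()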
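Review bot: getRole calls `plog.Panicf` when `role.Unmarshal` fails, so one undecodable record in the roles bucket now takes the process down from every caller, including the permission check in isOpPermitted, where the removed code logged and denied with `return false` or handed the error back. If treating a corrupt auth record as fatal is intended, state it in a doc comment such as `// getRole returns the stored role or nil if none exists; callers hold the tx lock. It panics if the record cannot be decoded.`; otherwise return `(*authpb.Role, error)` and let each caller fail closed. The existence test also loosened from `len(vs) != 1` to `len(vs) == 0`, so more than one returned value would silently use `vs[0]`. RoleAdd now decodes the existing record only to test for existence, which exposes it to the same panic. I would also format the name with `%q` instead of `%s` so a role name containing control characters cannot garble the log line.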