10 years ago · 37933cffa4
--- a/etcdserver/auth/auth.go
+++ b/etcdserver/auth/auth.go
@@ -97,6 +97,10 @@ type Permissions struct {
 
				 	KV rwPermission `json:"kv"`
			
 
				 }
			
 
				 
			
 
				+func (p *Permissions) IsEmpty() bool {
			
 
				+	return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
			
 
				+}
			
 
				+
			
 
				 type rwPermission struct {
			
 
				 	Read  []string `json:"read"`
			
 
				 	Write []string `json:"write"`
			
@@ -297,16 +301,6 @@ func (s *Store) GetRole(name string) (Role, error) {
 
				 	return r, nil
			
 
				 }
			
 
				 
			
 
				-func (s *Store) CreateOrUpdateRole(r Role) (role Role, created bool, err error) {
			
 
				-	_, err = s.GetRole(r.Role)
			
 
				-	if err == nil {
			
 
				-		role, err = s.UpdateRole(r)
			
 
				-		created = false
			
 
				-		return
			
 
				-	}
			
 
				-	return r, true, s.CreateRole(r)
			
 
				-}
			
 
				-
			
 
				 func (s *Store) CreateRole(role Role) error {
			
 
				 	if role.Role == RootRoleName {
			
 
				 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
			
--- a/etcdserver/etcdhttp/client_auth.go
+++ b/etcdserver/etcdhttp/client_auth.go
@@ -208,20 +208,35 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri
 
				 			return
			
 
				 		}
			
 
				 		if in.Role != role {
			
 
				-			writeError(w, httptypes.NewHTTPError(401, "Role JSON name does not match the name in the URL"))
			
 
				+			writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON name does not match the name in the URL"))
			
 
				 			return
			
 
				 		}
			
 
				-		newrole, created, err := sh.sec.CreateOrUpdateRole(in)
			
 
				-		if err != nil {
			
 
				-			writeError(w, err)
			
 
				-			return
			
 
				-		}
			
 
				-		if created {
			
 
				+
			
 
				+		var out auth.Role
			
 
				+
			
 
				+		// create
			
 
				+		if in.Grant.IsEmpty() && in.Revoke.IsEmpty() {
			
 
				+			err = sh.sec.CreateRole(in)
			
 
				+			if err != nil {
			
 
				+				writeError(w, err)
			
 
				+				return
			
 
				+			}
			
 
				 			w.WriteHeader(http.StatusCreated)
			
 
				+			out = in
			
 
				 		} else {
			
 
				+			if !in.Permissions.IsEmpty() {
			
 
				+				writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON contains both permissions and grant/revoke"))
			
 
				+				return
			
 
				+			}
			
 
				+			out, err = sh.sec.UpdateRole(in)
			
 
				+			if err != nil {
			
 
				+				writeError(w, err)
			
 
				+				return
			
 
				+			}
			
 
				 			w.WriteHeader(http.StatusOK)
			
 
				 		}
			
 
				-		err = json.NewEncoder(w).Encode(newrole)
			
 
				+
			
 
				+		err = json.NewEncoder(w).Encode(out)
			
 
				 		if err != nil {
			
 
				 			plog.Warningf("forRole error encoding on %s", r.URL)
			
 
				 			return
			
@@ -315,7 +330,7 @@ func (sh *authHandler) forUser(w http.ResponseWriter, r *http.Request, user stri
 
				 			return
			
 
				 		}
			
 
				 		if u.User != user {
			
 
				-			writeError(w, httptypes.NewHTTPError(400, "User JSON name does not match the name in the URL"))
			
 
				+			writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "User JSON name does not match the name in the URL"))
			
 
				 			return
			
 
				 		}
			
 
				 		newuser, created, err := sh.sec.CreateOrUpdateUser(u)