
auth: Adding support for "auth disable" command.

Added support for the auth disable command in the server, added the
etcdctl command and a respective testcase.
Ajit Yagaty 9 vuotta sitten
vanhempi
commit
adc981c53d

+ 16 - 0
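--- a/auth/store.go
+++ b/auth/store.go
@@ -47,6 +47,9 @@ type AuthStore interface {
 	// AuthEnable turns on the authentication feature
 	AuthEnable()
 
+	// AuthDisable turns off the authentication feature
+	AuthDisable()
+
 	// Authenticate does authentication based on given user name and password,
 	// and returns a token for successful case.
 	// Note that the generated token is valid only for the member the client
@@ -92,6 +95,19 @@ func (as *authStore) AuthEnable() {
 	plog.Noticef("Authentication enabled")
 }
 
+func (as *authStore) AuthDisable() {
+	value := []byte{0}
+
+	b := as.be
+	tx := b.BatchTx()
+	tx.Lock()
+	tx.UnsafePut(authBucketName, enableFlagKey, value)
+	tx.Unlock()
+	b.ForceCommit()
+
+	plog.Noticef("Authentication disabled")
+}
+
 func (as *authStore) Authenticate(name string, password string) (*pb.AuthenticateResponse, error) {
 	tx := as.be.BatchTx()
 	tx.Lock()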
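Review bot: `AuthDisable` in the second hunk only overwrites `enableFlagKey` with `[]byte{0}` and force-commits; nothing in the visible lines discards tokens that `Authenticate` has already handed out, or checks whether auth was enabled in the first place. If issued tokens are tracked elsewhere in the store, they should be cleared here so that a later `auth enable` does not make them valid again; this is inferred, since the token handling lies outside the hunk. The method also has no doc comment; `// AuthDisable persists the disabled flag under enableFlagKey and force-commits the backend.` would match the interface comment added in the first hunk.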

+ 9 - 0
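--- a/clientv3/auth.go
+++ b/clientv3/auth.go
@@ -27,6 +27,7 @@ import (
 
 type (
 	AuthEnableResponse             pb.AuthEnableResponse
+	AuthDisableResponse            pb.AuthDisableResponse
 	AuthenticateResponse           pb.AuthenticateResponse
 	AuthUserAddResponse            pb.AuthUserAddResponse
 	AuthUserDeleteResponse         pb.AuthUserDeleteResponse
@@ -48,6 +49,9 @@ type Auth interface {
 	// AuthEnable enables auth of an etcd cluster.
 	AuthEnable(ctx context.Context) (*AuthEnableResponse, error)
 
+	// AuthDisable disables auth of an etcd cluster.
+	AuthDisable(ctx context.Context) (*AuthDisableResponse, error)
+
 	// Authenticate does authenticate with given user name and password.
 	Authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error)
 
@@ -91,6 +95,11 @@ func (auth *auth) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {
 	return (*AuthEnableResponse)(resp), rpctypes.Error(err)
 }
 
+func (auth *auth) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) {
+	resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{})
+	return (*AuthDisableResponse)(resp), rpctypes.Error(err)
+}
+
 func (auth *auth) Authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) {
 	resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password})
 	return (*AuthenticateResponse)(resp), rpctypes.Error(err)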

+ 13 - 3
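--- a/e2e/ctl_v3_auth_test.go
+++ b/e2e/ctl_v3_auth_test.go
@@ -16,9 +16,8 @@ package e2e
 
 import "testing"
 
-func TestCtlV3AuthEnable(t *testing.T) { testCtl(t, authEnableTest) }
-
-// TODO: test auth disable
+func TestCtlV3AuthEnable(t *testing.T)  { testCtl(t, authEnableTest) }
+func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest) }
 
 func authEnableTest(cx ctlCtx) {
 	if err := ctlV3AuthEnable(cx); err != nil {
@@ -30,3 +29,14 @@ func ctlV3AuthEnable(cx ctlCtx) error {
 	cmdArgs := append(cx.PrefixArgs(), "auth", "enable")
 	return spawnWithExpect(cmdArgs, "Authentication Enabled")
 }
+
+func authDisableTest(cx ctlCtx) {
+	if err := ctlV3AuthDisable(cx); err != nil {
+		cx.t.Fatalf("authDisableTest ctlV3AuthDisable error (%v)", err)
+	}
+}
+
+func ctlV3AuthDisable(cx ctlCtx) error {
+	cmdArgs := append(cx.PrefixArgs(), "auth", "disable")
+	return spawnWithExpect(cmdArgs, "Authentication Disabled")
+}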
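Review bot: `authDisableTest` runs `auth disable` against a cluster on which auth was never turned on, so it only proves that the CLI prints "Authentication Disabled", not that an enabled cluster actually returns to unauthenticated operation. Calling `ctlV3AuthEnable(cx)` first and failing the test on its error would exercise the real transition, and a follow-up request after the disable would confirm that the flag took effect. That the harness starts with auth off is inferred from `authEnableTest` being a separate test.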

+ 26 - 1
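--- a/etcdctl/ctlv3/command/auth_command.go
+++ b/etcdctl/ctlv3/command/auth_command.go
@@ -28,6 +28,7 @@ func NewAuthCommand() *cobra.Command {
 	}
 
 	ac.AddCommand(newAuthEnableCommand())
+	ac.AddCommand(newAuthDisableCommand())
 
 	return ac
 }
@@ -43,7 +44,7 @@ func newAuthEnableCommand() *cobra.Command {
 // authEnableCommandFunc executes the "auth enable" command.
 func authEnableCommandFunc(cmd *cobra.Command, args []string) {
 	if len(args) != 0 {
-		ExitWithError(ExitBadArgs, fmt.Errorf("auth enable command does not accept argument."))
+		ExitWithError(ExitBadArgs, fmt.Errorf("auth enable command does not accept any arguments."))
 	}
 
 	ctx, cancel := commandCtx(cmd)
@@ -55,3 +56,27 @@ func authEnableCommandFunc(cmd *cobra.Command, args []string) {
 
 	fmt.Println("Authentication Enabled")
 }
+
+func newAuthDisableCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "disable",
+		Short: "disable authentication",
+		Run:   authDisableCommandFunc,
+	}
+}
+
+// authDisableCommandFunc executes the "auth disable" command.
+func authDisableCommandFunc(cmd *cobra.Command, args []string) {
+	if len(args) != 0 {
+		ExitWithError(ExitBadArgs, fmt.Errorf("auth disable command does not accept any arguments."))
+	}
+
+	ctx, cancel := commandCtx(cmd)
+	_, err := mustClientFromCmd(cmd).Auth.AuthDisable(ctx)
+	cancel()
+	if err != nil {
+		ExitWithError(ExitError, err)
+	}
+
+	fmt.Println("Authentication Disabled")
+}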
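Review bot: The error passed to `ExitWithError` in `authDisableCommandFunc` is built with `fmt.Errorf` from a constant string that ends in a period; Go error strings conventionally carry no trailing punctuation. `fmt.Errorf("auth disable command does not accept any arguments")` keeps the call shape, and the same applies to the reworded message in `authEnableCommandFunc` in the second hunk. `newAuthDisableCommand` would also benefit from a one-line doc comment such as `// newAuthDisableCommand returns the cobra command for "auth disable".`, in line with the comment on `authDisableCommandFunc`.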

+ 5 - 2
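--- a/etcdserver/api/v3rpc/auth.go
+++ b/etcdserver/api/v3rpc/auth.go
@@ -37,8 +37,11 @@ func (as *AuthServer) AuthEnable(ctx context.Context, r *pb.AuthEnableRequest) (
 }
 
 func (as *AuthServer) AuthDisable(ctx context.Context, r *pb.AuthDisableRequest) (*pb.AuthDisableResponse, error) {
-	plog.Info("not implemented yet")
-	return nil, nil
+	resp, err := as.authenticator.AuthDisable(ctx, r)
+	if err != nil {
+		return nil, togRPCError(err)
+	}
+	return resp, nil
 }
 
 func (as *AuthServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error) {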
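Review bot: Nothing in the new body of `AuthServer.AuthDisable` establishes who the caller is before the request is handed to `as.authenticator.AuthDisable`, and the rest of the path shown in this commit (`EtcdServer.AuthDisable`, `applierV3backend.AuthDisable`, `authStore.AuthDisable`) adds no check either. As far as these lines show, any client that can reach the gRPC endpoint can switch authentication off for the whole cluster. If authorization is enforced somewhere outside this diff, a comment saying where would help; otherwise the handler should reject callers that are not an authenticated administrator before the request is proposed, and should at minimum carry `// TODO: require an authenticated admin before disabling auth`.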

+ 8 - 0
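--- a/etcdserver/apply.go
+++ b/etcdserver/apply.go
@@ -54,6 +54,7 @@ type applierV3 interface {
 	LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevokeResponse, error)
 	Alarm(*pb.AlarmRequest) (*pb.AlarmResponse, error)
 	AuthEnable() (*pb.AuthEnableResponse, error)
+	AuthDisable() (*pb.AuthDisableResponse, error)
 	Authenticate(r *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error)
 	UserAdd(ua *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error)
 	UserDelete(ua *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error)
@@ -88,6 +89,8 @@ func (s *EtcdServer) applyV3Request(r *pb.InternalRaftRequest) *applyResult {
 		ar.resp, ar.err = s.applyV3.Alarm(r.Alarm)
 	case r.AuthEnable != nil:
 		ar.resp, ar.err = s.applyV3.AuthEnable()
+	case r.AuthDisable != nil:
+		ar.resp, ar.err = s.applyV3.AuthDisable()
 	case r.Authenticate != nil:
 		ar.resp, ar.err = s.applyV3.Authenticate(r.Authenticate)
 	case r.AuthUserAdd != nil:
@@ -495,6 +498,11 @@ func (a *applierV3backend) AuthEnable() (*pb.AuthEnableResponse, error) {
 	return &pb.AuthEnableResponse{}, nil
 }
 
+func (a *applierV3backend) AuthDisable() (*pb.AuthDisableResponse, error) {
+	a.s.AuthStore().AuthDisable()
+	return &pb.AuthDisableResponse{}, nil
+}
+
 func (a *applierV3backend) Authenticate(r *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error) {
 	return a.s.AuthStore().Authenticate(r.Name, r.Password)
 }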

+ 125 - 74
etcdserver/etcdserverpb/raft_internal.pb.go

@@ -32,14 +32,15 @@ type InternalRaftRequest struct {
 	LeaseGrant             *LeaseGrantRequest             `protobuf:"bytes,8,opt,name=lease_grant,json=leaseGrant" json:"lease_grant,omitempty"`
 	LeaseGrant             *LeaseGrantRequest             `protobuf:"bytes,8,opt,name=lease_grant,json=leaseGrant" json:"lease_grant,omitempty"`
 	LeaseRevoke            *LeaseRevokeRequest            `protobuf:"bytes,9,opt,name=lease_revoke,json=leaseRevoke" json:"lease_revoke,omitempty"`
 	LeaseRevoke            *LeaseRevokeRequest            `protobuf:"bytes,9,opt,name=lease_revoke,json=leaseRevoke" json:"lease_revoke,omitempty"`
 	AuthEnable             *AuthEnableRequest             `protobuf:"bytes,10,opt,name=auth_enable,json=authEnable" json:"auth_enable,omitempty"`
 	AuthEnable             *AuthEnableRequest             `protobuf:"bytes,10,opt,name=auth_enable,json=authEnable" json:"auth_enable,omitempty"`
-	AuthUserAdd            *AuthUserAddRequest            `protobuf:"bytes,11,opt,name=auth_user_add,json=authUserAdd" json:"auth_user_add,omitempty"`
-	AuthUserDelete         *AuthUserDeleteRequest         `protobuf:"bytes,12,opt,name=auth_user_delete,json=authUserDelete" json:"auth_user_delete,omitempty"`
-	AuthUserChangePassword *AuthUserChangePasswordRequest `protobuf:"bytes,13,opt,name=auth_user_change_password,json=authUserChangePassword" json:"auth_user_change_password,omitempty"`
-	AuthUserGrant          *AuthUserGrantRequest          `protobuf:"bytes,14,opt,name=auth_user_grant,json=authUserGrant" json:"auth_user_grant,omitempty"`
-	AuthRoleAdd            *AuthRoleAddRequest            `protobuf:"bytes,15,opt,name=auth_role_add,json=authRoleAdd" json:"auth_role_add,omitempty"`
-	AuthRoleGrant          *AuthRoleGrantRequest          `protobuf:"bytes,16,opt,name=auth_role_grant,json=authRoleGrant" json:"auth_role_grant,omitempty"`
-	Authenticate           *AuthenticateRequest           `protobuf:"bytes,17,opt,name=authenticate" json:"authenticate,omitempty"`
-	Alarm                  *AlarmRequest                  `protobuf:"bytes,18,opt,name=alarm" json:"alarm,omitempty"`
+	AuthDisable            *AuthDisableRequest            `protobuf:"bytes,11,opt,name=auth_disable,json=authDisable" json:"auth_disable,omitempty"`
+	AuthUserAdd            *AuthUserAddRequest            `protobuf:"bytes,12,opt,name=auth_user_add,json=authUserAdd" json:"auth_user_add,omitempty"`
+	AuthUserDelete         *AuthUserDeleteRequest         `protobuf:"bytes,13,opt,name=auth_user_delete,json=authUserDelete" json:"auth_user_delete,omitempty"`
+	AuthUserChangePassword *AuthUserChangePasswordRequest `protobuf:"bytes,14,opt,name=auth_user_change_password,json=authUserChangePassword" json:"auth_user_change_password,omitempty"`
+	AuthUserGrant          *AuthUserGrantRequest          `protobuf:"bytes,15,opt,name=auth_user_grant,json=authUserGrant" json:"auth_user_grant,omitempty"`
+	AuthRoleAdd            *AuthRoleAddRequest            `protobuf:"bytes,16,opt,name=auth_role_add,json=authRoleAdd" json:"auth_role_add,omitempty"`
+	AuthRoleGrant          *AuthRoleGrantRequest          `protobuf:"bytes,17,opt,name=auth_role_grant,json=authRoleGrant" json:"auth_role_grant,omitempty"`
+	Authenticate           *AuthenticateRequest           `protobuf:"bytes,18,opt,name=authenticate" json:"authenticate,omitempty"`
+	Alarm                  *AlarmRequest                  `protobuf:"bytes,19,opt,name=alarm" json:"alarm,omitempty"`
 }
 }
 
 
 func (m *InternalRaftRequest) Reset()                    { *m = InternalRaftRequest{} }
 func (m *InternalRaftRequest) Reset()                    { *m = InternalRaftRequest{} }
@@ -169,92 +170,104 @@ func (m *InternalRaftRequest) MarshalTo(data []byte) (int, error) {
 		}
 		}
 		i += n9
 		i += n9
 	}
 	}
-	if m.AuthUserAdd != nil {
+	if m.AuthDisable != nil {
 		data[i] = 0x5a
 		data[i] = 0x5a
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserAdd.Size()))
-		n10, err := m.AuthUserAdd.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.AuthDisable.Size()))
+		n10, err := m.AuthDisable.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n10
 		i += n10
 	}
 	}
-	if m.AuthUserDelete != nil {
+	if m.AuthUserAdd != nil {
 		data[i] = 0x62
 		data[i] = 0x62
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserDelete.Size()))
-		n11, err := m.AuthUserDelete.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserAdd.Size()))
+		n11, err := m.AuthUserAdd.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n11
 		i += n11
 	}
 	}
-	if m.AuthUserChangePassword != nil {
+	if m.AuthUserDelete != nil {
 		data[i] = 0x6a
 		data[i] = 0x6a
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserChangePassword.Size()))
-		n12, err := m.AuthUserChangePassword.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserDelete.Size()))
+		n12, err := m.AuthUserDelete.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n12
 		i += n12
 	}
 	}
-	if m.AuthUserGrant != nil {
+	if m.AuthUserChangePassword != nil {
 		data[i] = 0x72
 		data[i] = 0x72
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserGrant.Size()))
-		n13, err := m.AuthUserGrant.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserChangePassword.Size()))
+		n13, err := m.AuthUserChangePassword.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n13
 		i += n13
 	}
 	}
-	if m.AuthRoleAdd != nil {
+	if m.AuthUserGrant != nil {
 		data[i] = 0x7a
 		data[i] = 0x7a
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.AuthRoleAdd.Size()))
-		n14, err := m.AuthRoleAdd.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.AuthUserGrant.Size()))
+		n14, err := m.AuthUserGrant.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n14
 		i += n14
 	}
 	}
-	if m.AuthRoleGrant != nil {
+	if m.AuthRoleAdd != nil {
 		data[i] = 0x82
 		data[i] = 0x82
 		i++
 		i++
 		data[i] = 0x1
 		data[i] = 0x1
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.AuthRoleGrant.Size()))
-		n15, err := m.AuthRoleGrant.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.AuthRoleAdd.Size()))
+		n15, err := m.AuthRoleAdd.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n15
 		i += n15
 	}
 	}
-	if m.Authenticate != nil {
+	if m.AuthRoleGrant != nil {
 		data[i] = 0x8a
 		data[i] = 0x8a
 		i++
 		i++
 		data[i] = 0x1
 		data[i] = 0x1
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.Authenticate.Size()))
-		n16, err := m.Authenticate.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.AuthRoleGrant.Size()))
+		n16, err := m.AuthRoleGrant.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n16
 		i += n16
 	}
 	}
-	if m.Alarm != nil {
+	if m.Authenticate != nil {
 		data[i] = 0x92
 		data[i] = 0x92
 		i++
 		i++
 		data[i] = 0x1
 		data[i] = 0x1
 		i++
 		i++
-		i = encodeVarintRaftInternal(data, i, uint64(m.Alarm.Size()))
-		n17, err := m.Alarm.MarshalTo(data[i:])
+		i = encodeVarintRaftInternal(data, i, uint64(m.Authenticate.Size()))
+		n17, err := m.Authenticate.MarshalTo(data[i:])
 		if err != nil {
 		if err != nil {
 			return 0, err
 			return 0, err
 		}
 		}
 		i += n17
 		i += n17
 	}
 	}
+	if m.Alarm != nil {
+		data[i] = 0x9a
+		i++
+		data[i] = 0x1
+		i++
+		i = encodeVarintRaftInternal(data, i, uint64(m.Alarm.Size()))
+		n18, err := m.Alarm.MarshalTo(data[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n18
+	}
 	return i, nil
 	return i, nil
 }
 }
 
 
@@ -345,6 +358,10 @@ func (m *InternalRaftRequest) Size() (n int) {
 		l = m.AuthEnable.Size()
 		l = m.AuthEnable.Size()
 		n += 1 + l + sovRaftInternal(uint64(l))
 		n += 1 + l + sovRaftInternal(uint64(l))
 	}
 	}
+	if m.AuthDisable != nil {
+		l = m.AuthDisable.Size()
+		n += 1 + l + sovRaftInternal(uint64(l))
+	}
 	if m.AuthUserAdd != nil {
 	if m.AuthUserAdd != nil {
 		l = m.AuthUserAdd.Size()
 		l = m.AuthUserAdd.Size()
 		n += 1 + l + sovRaftInternal(uint64(l))
 		n += 1 + l + sovRaftInternal(uint64(l))
@@ -363,7 +380,7 @@ func (m *InternalRaftRequest) Size() (n int) {
 	}
 	}
 	if m.AuthRoleAdd != nil {
 	if m.AuthRoleAdd != nil {
 		l = m.AuthRoleAdd.Size()
 		l = m.AuthRoleAdd.Size()
-		n += 1 + l + sovRaftInternal(uint64(l))
+		n += 2 + l + sovRaftInternal(uint64(l))
 	}
 	}
 	if m.AuthRoleGrant != nil {
 	if m.AuthRoleGrant != nil {
 		l = m.AuthRoleGrant.Size()
 		l = m.AuthRoleGrant.Size()
@@ -745,6 +762,39 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
 		case 11:
 		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AuthDisable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRaftInternal
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := data[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthRaftInternal
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AuthDisable == nil {
+				m.AuthDisable = &AuthDisableRequest{}
+			}
+			if err := m.AuthDisable.Unmarshal(data[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 12:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserAdd", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserAdd", wireType)
 			}
 			}
@@ -777,7 +827,7 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 				return err
 				return err
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
-		case 12:
+		case 13:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserDelete", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserDelete", wireType)
 			}
 			}
@@ -810,7 +860,7 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 				return err
 				return err
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
-		case 13:
+		case 14:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserChangePassword", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserChangePassword", wireType)
 			}
 			}
@@ -843,7 +893,7 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 				return err
 				return err
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
-		case 14:
+		case 15:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserGrant", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthUserGrant", wireType)
 			}
 			}
@@ -876,7 +926,7 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 				return err
 				return err
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
-		case 15:
+		case 16:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthRoleAdd", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthRoleAdd", wireType)
 			}
 			}
@@ -909,7 +959,7 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 				return err
 				return err
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
-		case 16:
+		case 17:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthRoleGrant", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field AuthRoleGrant", wireType)
 			}
 			}
@@ -942,7 +992,7 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 				return err
 				return err
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
-		case 17:
+		case 18:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field Authenticate", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field Authenticate", wireType)
 			}
 			}
@@ -975,7 +1025,7 @@ func (m *InternalRaftRequest) Unmarshal(data []byte) error {
 				return err
 				return err
 			}
 			}
 			iNdEx = postIndex
 			iNdEx = postIndex
-		case 18:
+		case 19:
 			if wireType != 2 {
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field Alarm", wireType)
 				return fmt.Errorf("proto: wrong wireType = %d for field Alarm", wireType)
 			}
 			}
@@ -1185,39 +1235,40 @@ var (
 )
 )
 
 
 var fileDescriptorRaftInternal = []byte{
 var fileDescriptorRaftInternal = []byte{
-	// 534 bytes of a gzipped FileDescriptorProto
+	// 550 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x74, 0x94, 0xdf, 0x6e, 0xd3, 0x30,
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x74, 0x94, 0xdf, 0x6e, 0xd3, 0x30,
-	0x14, 0xc6, 0x69, 0xf7, 0x87, 0xcd, 0xfd, 0x8b, 0x07, 0xc8, 0xf4, 0x62, 0x8c, 0x22, 0x24, 0x04,
-	0x52, 0x41, 0xe3, 0x01, 0xa0, 0xb4, 0x15, 0x1a, 0x02, 0x69, 0x8a, 0xe0, 0x3a, 0x72, 0x93, 0xb3,
-	0xae, 0x22, 0x8d, 0x83, 0xe3, 0x94, 0xf1, 0x86, 0xbb, 0xe4, 0x11, 0x80, 0xb7, 0xe0, 0x0e, 0xfb,
-	0x24, 0x71, 0x9a, 0xcd, 0xbd, 0xa8, 0x94, 0x7c, 0xe7, 0x3b, 0xbf, 0xf3, 0xc5, 0x47, 0x2e, 0x39,
-	0x92, 0xfc, 0x42, 0xf9, 0xcb, 0x58, 0x81, 0x8c, 0x79, 0x34, 0x4a, 0xa4, 0x50, 0x82, 0xb6, 0x41,
-	0x05, 0x61, 0x0a, 0x72, 0x0d, 0x32, 0x99, 0x0f, 0xee, 0x2f, 0xc4, 0x42, 0x60, 0xe1, 0x95, 0x79,
-	0xca, 0x3d, 0x83, 0x7e, 0xe5, 0x29, 0x94, 0x43, 0x99, 0x04, 0xf9, 0xe3, 0xf0, 0xdf, 0x01, 0x39,
-	0x3a, 0x2b, 0x98, 0x9e, 0x1e, 0xe0, 0xc1, 0xf7, 0x0c, 0x52, 0x45, 0xbb, 0xa4, 0x79, 0x36, 0x65,
-	0x8d, 0x93, 0xc6, 0xf3, 0x5d, 0xaf, 0xb9, 0x9c, 0xd2, 0x67, 0xa4, 0xb9, 0x3e, 0x65, 0x4d, 0xfd,
-	0xde, 0x3a, 0x7d, 0x30, 0xda, 0x9c, 0x3a, 0x2a, 0x5a, 0x3c, 0x6d, 0xa0, 0xaf, 0xc9, 0x9e, 0xe4,
-	0xf1, 0x02, 0xd8, 0x0e, 0x3a, 0x07, 0x37, 0x9c, 0xa6, 0x54, 0xda, 0x73, 0x23, 0x7d, 0x41, 0x76,
-	0x92, 0x4c, 0xb1, 0x5d, 0xf4, 0xb3, 0xba, 0xff, 0x3c, 0x2b, 0xf3, 0x78, 0xc6, 0x44, 0x27, 0xa4,
-	0x1d, 0x42, 0x04, 0x0a, 0xfc, 0x7c, 0xc8, 0x1e, 0x36, 0x9d, 0xd4, 0x9b, 0xa6, 0xe8, 0xa8, 0x8d,
-	0x6a, 0x85, 0x95, 0x66, 0x06, 0xaa, 0xab, 0x98, 0xed, 0xbb, 0x06, 0x7e, 0xb9, 0x8a, 0xed, 0x40,
-	0x6d, 0xa2, 0x6f, 0x09, 0x09, 0xc4, 0x2a, 0xe1, 0x81, 0x5a, 0x8a, 0x98, 0xdd, 0xc5, 0x96, 0xc7,
-	0xf5, 0x96, 0x89, 0xad, 0x97, 0x9d, 0x1b, 0x2d, 0xf4, 0x1d, 0x69, 0x45, 0xc0, 0x53, 0xf0, 0x17,
-	0x3a, 0xb1, 0x62, 0x07, 0x2e, 0xc2, 0x27, 0x63, 0xf8, 0x60, 0xea, 0x96, 0x10, 0x59, 0xc9, 0x7c,
-	0x73, 0x4e, 0x90, 0xb0, 0x16, 0xdf, 0x80, 0x1d, 0xba, 0xbe, 0x19, 0x11, 0x1e, 0x1a, 0xec, 0x37,
-	0x47, 0x95, 0x66, 0x62, 0xf0, 0x4c, 0x5d, 0xfa, 0x10, 0xf3, 0x79, 0x04, 0x8c, 0xb8, 0x62, 0x8c,
-	0xb5, 0x61, 0x86, 0x75, 0x1b, 0x83, 0x5b, 0x89, 0x4e, 0x49, 0x07, 0x09, 0x99, 0xf6, 0xfb, 0x3c,
-	0x0c, 0x59, 0xcb, 0x95, 0xc3, 0x30, 0xbe, 0xea, 0xb7, 0x71, 0x18, 0xda, 0x1c, 0xbc, 0xd2, 0xe8,
-	0x67, 0xd2, 0xaf, 0x28, 0xf9, 0x52, 0x58, 0x1b, 0x41, 0x4f, 0xdd, 0xa0, 0x62, 0x99, 0x05, 0xab,
-	0xcb, 0x6b, 0x32, 0xbd, 0x20, 0x8f, 0x2a, 0x5c, 0x70, 0x69, 0xd6, 0xeb, 0x27, 0x3c, 0x4d, 0x7f,
-	0x08, 0x19, 0xb2, 0x0e, 0x72, 0x5f, 0xba, 0xb9, 0x13, 0x34, 0x9f, 0x17, 0xde, 0x92, 0xff, 0x90,
-	0x3b, 0xcb, 0xf4, 0x23, 0xe9, 0x55, 0x73, 0xf2, 0x4d, 0x76, 0x91, 0x3e, 0x74, 0xd3, 0x6b, 0xcb,
-	0xec, 0xf0, 0x4d, 0xd5, 0x1e, 0xa4, 0x14, 0x11, 0xe0, 0x41, 0xf6, 0xb6, 0x1d, 0xa4, 0xa7, 0x1d,
-	0x37, 0x0f, 0xb2, 0xd0, 0x6c, 0x22, 0xa4, 0xe4, 0x89, 0xfa, 0xdb, 0x12, 0x99, 0x9e, 0xdb, 0x89,
-	0xac, 0x4a, 0x67, 0xa4, 0x6d, 0x04, 0x88, 0xd5, 0x32, 0xe0, 0x7a, 0x21, 0xf7, 0x10, 0xf4, 0xe4,
-	0x36, 0xa8, 0x74, 0x94, 0x9c, 0x5a, 0x9b, 0xb9, 0xfa, 0x3c, 0xe2, 0x72, 0xc5, 0xa8, 0xeb, 0xea,
-	0x8f, 0x4d, 0xc9, 0x5e, 0x7d, 0x34, 0x0e, 0x7b, 0xa4, 0x33, 0x5b, 0x25, 0xea, 0xa7, 0x07, 0x69,
-	0x22, 0xe2, 0x14, 0xde, 0xf7, 0xaf, 0xff, 0x1c, 0xdf, 0xb9, 0xfe, 0x7b, 0xdc, 0xf8, 0xa5, 0x7f,
-	0xbf, 0xf5, 0x6f, 0xbe, 0x8f, 0xff, 0x52, 0x6f, 0xfe, 0x07, 0x00, 0x00, 0xff, 0xff, 0xee, 0xd7,
-	0xc5, 0x26, 0xfd, 0x04, 0x00, 0x00,
+	0x14, 0xc6, 0x69, 0xf7, 0x07, 0xea, 0xfe, 0xc5, 0x05, 0x64, 0x7a, 0x31, 0x46, 0x11, 0x12, 0x02,
+	0xa9, 0xa0, 0xf1, 0x00, 0x50, 0xda, 0x0a, 0x0d, 0x81, 0x34, 0x45, 0x70, 0x1d, 0xb9, 0xc9, 0x59,
+	0x57, 0x91, 0x26, 0xc1, 0x71, 0xcb, 0x78, 0x39, 0xae, 0x77, 0xc9, 0x23, 0x00, 0x4f, 0x32, 0xfb,
+	0x38, 0x71, 0x9a, 0xcd, 0xbd, 0x88, 0x94, 0x7c, 0xe7, 0x3b, 0xbf, 0xf3, 0xd9, 0xb1, 0x4c, 0xfa,
+	0x82, 0x9f, 0x4b, 0x7f, 0x19, 0x4b, 0x10, 0x31, 0x8f, 0x46, 0xa9, 0x48, 0x64, 0x42, 0x5b, 0x20,
+	0x83, 0x30, 0x03, 0xb1, 0x01, 0x91, 0xce, 0x07, 0x0f, 0x16, 0xc9, 0x22, 0xc1, 0xc2, 0x6b, 0xfd,
+	0x66, 0x3c, 0x83, 0x5e, 0xe9, 0xc9, 0x95, 0x86, 0x48, 0x03, 0xf3, 0x3a, 0xfc, 0xdd, 0x20, 0xfd,
+	0xd3, 0x9c, 0xe9, 0xa9, 0x01, 0x1e, 0xfc, 0x58, 0x43, 0x26, 0x69, 0x87, 0xd4, 0x4f, 0xa7, 0xac,
+	0x76, 0x5c, 0x7b, 0xb1, 0xef, 0xd5, 0x97, 0x53, 0xfa, 0x9c, 0xd4, 0x37, 0x27, 0xac, 0xae, 0xbe,
+	0x9b, 0x27, 0x0f, 0x47, 0xdb, 0x53, 0x47, 0x79, 0x8b, 0xa7, 0x0c, 0xf4, 0x0d, 0x39, 0x10, 0x3c,
+	0x5e, 0x00, 0xdb, 0x43, 0xe7, 0xe0, 0x86, 0x53, 0x97, 0x0a, 0xbb, 0x31, 0xd2, 0x97, 0x64, 0x2f,
+	0x5d, 0x4b, 0xb6, 0x8f, 0x7e, 0x56, 0xf5, 0x9f, 0xad, 0x8b, 0x3c, 0x9e, 0x36, 0xd1, 0x09, 0x69,
+	0x85, 0x10, 0x81, 0x04, 0xdf, 0x0c, 0x39, 0xc0, 0xa6, 0xe3, 0x6a, 0xd3, 0x14, 0x1d, 0x95, 0x51,
+	0xcd, 0xb0, 0xd4, 0xf4, 0x40, 0x79, 0x19, 0xb3, 0x43, 0xd7, 0xc0, 0xaf, 0x97, 0xb1, 0x1d, 0xa8,
+	0x4c, 0xf4, 0x1d, 0x21, 0x41, 0xb2, 0x4a, 0x79, 0x20, 0x97, 0x49, 0xcc, 0xee, 0x62, 0xcb, 0x93,
+	0x6a, 0xcb, 0xc4, 0xd6, 0x8b, 0xce, 0xad, 0x16, 0xfa, 0x9e, 0x34, 0x23, 0xe0, 0x19, 0xf8, 0x0b,
+	0x95, 0x58, 0xb2, 0x7b, 0x2e, 0xc2, 0x67, 0x6d, 0xf8, 0xa8, 0xeb, 0x96, 0x10, 0x59, 0x49, 0xaf,
+	0xd9, 0x10, 0x04, 0x6c, 0x92, 0xef, 0xc0, 0x1a, 0xae, 0x35, 0x23, 0xc2, 0x43, 0x83, 0x5d, 0x73,
+	0x54, 0x6a, 0x3a, 0x06, 0x5f, 0xcb, 0x0b, 0x1f, 0x62, 0x3e, 0x8f, 0x80, 0x11, 0x57, 0x8c, 0xb1,
+	0x32, 0xcc, 0xb0, 0x6e, 0x63, 0x70, 0x2b, 0xe9, 0x18, 0x48, 0x08, 0x97, 0x19, 0x22, 0x9a, 0xae,
+	0x18, 0x1a, 0x31, 0x35, 0x06, 0x1b, 0x83, 0x97, 0x1a, 0x9d, 0x92, 0x36, 0x42, 0xd6, 0xaa, 0xc3,
+	0xe7, 0x61, 0xc8, 0x5a, 0xbb, 0x28, 0xdf, 0xd4, 0xd7, 0x38, 0x0c, 0x2b, 0x94, 0x5c, 0xa3, 0x5f,
+	0x48, 0xaf, 0xa4, 0x98, 0x3f, 0xcb, 0xda, 0x08, 0x7a, 0xe6, 0x06, 0xe5, 0x27, 0x22, 0x67, 0x75,
+	0x78, 0x45, 0xa6, 0xe7, 0xe4, 0x71, 0x89, 0x0b, 0x2e, 0xf4, 0x19, 0xf1, 0x53, 0x9e, 0x65, 0x3f,
+	0x13, 0x11, 0xb2, 0x0e, 0x72, 0x5f, 0xb9, 0xb9, 0x13, 0x34, 0x9f, 0xe5, 0xde, 0x82, 0xff, 0x88,
+	0x3b, 0xcb, 0xf4, 0x13, 0xe9, 0x96, 0x73, 0xcc, 0x71, 0xe8, 0x22, 0x7d, 0xe8, 0xa6, 0x57, 0x4e,
+	0x44, 0x9b, 0x6f, 0xab, 0x76, 0x23, 0x45, 0x12, 0x01, 0x6e, 0x64, 0x6f, 0xd7, 0x46, 0x7a, 0xca,
+	0x71, 0x73, 0x23, 0x73, 0xcd, 0x26, 0x42, 0x8a, 0x49, 0x74, 0x7f, 0x57, 0x22, 0xdd, 0x73, 0x3b,
+	0x91, 0x55, 0xe9, 0xcc, 0x9c, 0x0f, 0x88, 0xe5, 0x32, 0xe0, 0xea, 0x87, 0x50, 0x04, 0x3d, 0xbd,
+	0x0d, 0x2a, 0x1c, 0x05, 0xa7, 0xd2, 0xa6, 0xef, 0x0f, 0x1e, 0x71, 0xb1, 0x62, 0x7d, 0xd7, 0xfd,
+	0x31, 0xd6, 0x25, 0x7b, 0x7f, 0xa0, 0x71, 0xd8, 0x25, 0xed, 0xd9, 0x2a, 0x95, 0xbf, 0x3c, 0xc8,
+	0xd2, 0x24, 0xce, 0xe0, 0x43, 0xef, 0xea, 0xdf, 0xd1, 0x9d, 0xab, 0xff, 0x47, 0xb5, 0x3f, 0xea,
+	0xf9, 0xab, 0x9e, 0xf9, 0x21, 0x5e, 0x75, 0x6f, 0xaf, 0x03, 0x00, 0x00, 0xff, 0xff, 0xe8, 0x6d,
+	0xd8, 0x5b, 0x42, 0x05, 0x00, 0x00,
 }
 }

+ 10 - 9
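--- a/etcdserver/etcdserverpb/raft_internal.proto
+++ b/etcdserver/etcdserverpb/raft_internal.proto
@@ -26,15 +26,16 @@ message InternalRaftRequest {
   LeaseRevokeRequest lease_revoke = 9;
 
   AuthEnableRequest auth_enable = 10;
-  AuthUserAddRequest auth_user_add = 11;
-  AuthUserDeleteRequest auth_user_delete = 12;
-  AuthUserChangePasswordRequest auth_user_change_password = 13;
-  AuthUserGrantRequest auth_user_grant = 14;
-  AuthRoleAddRequest auth_role_add = 15;
-  AuthRoleGrantRequest auth_role_grant = 16;
-  AuthenticateRequest authenticate = 17;
-
-  AlarmRequest alarm = 18;
+  AuthDisableRequest auth_disable = 11;
+  AuthUserAddRequest auth_user_add = 12;
+  AuthUserDeleteRequest auth_user_delete = 13;
+  AuthUserChangePasswordRequest auth_user_change_password = 14;
+  AuthUserGrantRequest auth_user_grant = 15;
+  AuthRoleAddRequest auth_role_add = 16;
+  AuthRoleGrantRequest auth_role_grant = 17;
+  AuthenticateRequest authenticate = 18;
+
+  AlarmRequest alarm = 19;
 }
 
 message EmptyResponse {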
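Review bot: Inserting `auth_disable = 11` and shifting every later field up by one changes the wire meaning of tags 11 through 18 of `InternalRaftRequest`. This message is what `processInternalRaftRequest` proposes through raft, so an entry encoded by a binary built before this change (for instance `auth_user_add` at tag 11) would likely decode here as `AuthDisable` and, through the new `case r.AuthDisable != nil` in `applyV3Request`, switch authentication off; members of a mixed-version cluster would disagree on the same entry in the same way. Keep the existing numbers and give the new field the next unused tag instead, `AuthDisableRequest auth_disable = 19;` judging by the fields visible in this hunk, then regenerate `raft_internal.pb.go`.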

+ 9 - 0
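--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
@@ -56,6 +56,7 @@ type Lessor interface {
 
 type Authenticator interface {
 	AuthEnable(ctx context.Context, r *pb.AuthEnableRequest) (*pb.AuthEnableResponse, error)
+	AuthDisable(ctx context.Context, r *pb.AuthDisableRequest) (*pb.AuthDisableResponse, error)
 	Authenticate(ctx context.Context, r *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error)
 	UserAdd(ctx context.Context, r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error)
 	UserDelete(ctx context.Context, r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error)
@@ -216,6 +217,14 @@ func (s *EtcdServer) AuthEnable(ctx context.Context, r *pb.AuthEnableRequest) (*
 	return result.resp.(*pb.AuthEnableResponse), result.err
 }
 
+func (s *EtcdServer) AuthDisable(ctx context.Context, r *pb.AuthDisableRequest) (*pb.AuthDisableResponse, error) {
+	result, err := s.processInternalRaftRequest(ctx, pb.InternalRaftRequest{AuthDisable: r})
+	if err != nil {
+		return nil, err
+	}
+	return result.resp.(*pb.AuthDisableResponse), result.err
+}
+
 func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error) {
 	result, err := s.processInternalRaftRequest(ctx, pb.InternalRaftRequest{Authenticate: r})
 	if err != nil {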