9 лет назад · c40b86bcde
--- a/auth/store.go
+++ b/auth/store.go
@@ -61,6 +61,7 @@ var (
 
															 	ErrAuthOldRevision      = errors.New("auth: revision in header is old")
														
 
															 	ErrInvalidAuthToken     = errors.New("auth: invalid auth token")
														
 
															 	ErrInvalidAuthOpts      = errors.New("auth: invalid auth options")
														
 
															+	ErrInvalidAuthMgmt      = errors.New("auth: invalid auth management")
														
 
															 	// BcryptCost is the algorithm cost / strength for hashing auth passwords
														
 
															 	BcryptCost = bcrypt.DefaultCost
														
@@ -352,6 +353,11 @@ func (as *authStore) UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse,
 
															 }
														
 
															 func (as *authStore) UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error) {
														
 
															+	if as.enabled && strings.Compare(r.Name, rootUser) == 0 {
														
 
															+		plog.Errorf("the user root must not be deleted")
														
 
															+		return nil, ErrInvalidAuthMgmt
														
 
															+	}
														
 
															+
														
 
															 	tx := as.be.BatchTx()
														
 
															 	tx.Lock()
														
 
															 	defer tx.Unlock()
														
@@ -477,6 +483,11 @@ func (as *authStore) UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListRespon
 
															 }
														
 
															 func (as *authStore) UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error) {
														
 
															+	if as.enabled && strings.Compare(r.Name, rootUser) == 0 && strings.Compare(r.Role, rootRole) == 0 {
														
 
															+		plog.Errorf("the role root must not be revoked from the user root")
														
 
															+		return nil, ErrInvalidAuthMgmt
														
 
															+	}
														
 
															+
														
 
															 	tx := as.be.BatchTx()
														
 
															 	tx.Lock()
														
 
															 	defer tx.Unlock()
														
@@ -579,6 +590,11 @@ func (as *authStore) RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest)
 
															 }
														
 
															 func (as *authStore) RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error) {
														
 
															+	if as.enabled && strings.Compare(r.Role, rootRole) == 0 {
														
 
															+		plog.Errorf("the role root must not be deleted")
														
 
															+		return nil, ErrInvalidAuthMgmt
														
 
															+	}
														
 
															+
														
 
															 	tx := as.be.BatchTx()
														
 
															 	tx.Lock()
														
 
															 	defer tx.Unlock()
														
--- a/etcdserver/api/v3rpc/rpctypes/error.go
+++ b/etcdserver/api/v3rpc/rpctypes/error.go
@@ -56,6 +56,7 @@ var (
 
															 	ErrGRPCPermissionNotGranted = grpc.Errorf(codes.FailedPrecondition, "etcdserver: permission is not granted to the role")
														
 
															 	ErrGRPCAuthNotEnabled       = grpc.Errorf(codes.FailedPrecondition, "etcdserver: authentication is not enabled")
														
 
															 	ErrGRPCInvalidAuthToken     = grpc.Errorf(codes.Unauthenticated, "etcdserver: invalid auth token")
														
 
															+	ErrGRPCInvalidAuthMgmt      = grpc.Errorf(codes.InvalidArgument, "etcdserver: invalid auth management")
														
 
															 	ErrGRPCNoLeader                   = grpc.Errorf(codes.Unavailable, "etcdserver: no leader")
														
 
															 	ErrGRPCNotCapable                 = grpc.Errorf(codes.Unavailable, "etcdserver: not capable")
														
@@ -102,6 +103,7 @@ var (
 
															 		grpc.ErrorDesc(ErrGRPCPermissionNotGranted): ErrGRPCPermissionNotGranted,
														
 
															 		grpc.ErrorDesc(ErrGRPCAuthNotEnabled):       ErrGRPCAuthNotEnabled,
														
 
															 		grpc.ErrorDesc(ErrGRPCInvalidAuthToken):     ErrGRPCInvalidAuthToken,
														
 
															+		grpc.ErrorDesc(ErrGRPCInvalidAuthMgmt):      ErrGRPCInvalidAuthMgmt,
														
 
															 		grpc.ErrorDesc(ErrGRPCNoLeader):                   ErrGRPCNoLeader,
														
 
															 		grpc.ErrorDesc(ErrGRPCNotCapable):                 ErrGRPCNotCapable,
														
@@ -148,6 +150,7 @@ var (
 
															 	ErrPermissionNotGranted = Error(ErrGRPCPermissionNotGranted)
														
 
															 	ErrAuthNotEnabled       = Error(ErrGRPCAuthNotEnabled)
														
 
															 	ErrInvalidAuthToken     = Error(ErrGRPCInvalidAuthToken)
														
 
															+	ErrInvalidAuthMgmt      = Error(ErrGRPCInvalidAuthMgmt)
														
 
															 	ErrNoLeader                   = Error(ErrGRPCNoLeader)
														
 
															 	ErrNotCapable                 = Error(ErrGRPCNotCapable)
														
--- a/etcdserver/api/v3rpc/util.go
+++ b/etcdserver/api/v3rpc/util.go
@@ -97,6 +97,8 @@ func togRPCError(err error) error {
 
															 		return rpctypes.ErrGRPCAuthNotEnabled
														
 
															 	case auth.ErrInvalidAuthToken:
														
 
															 		return rpctypes.ErrGRPCInvalidAuthToken
														
 
															+	case auth.ErrInvalidAuthMgmt:
														
 
															+		return rpctypes.ErrGRPCInvalidAuthMgmt
														
 
															 	default:
														
 
															 		return grpc.Errorf(codes.Unknown, err.Error())
														
 
															 	}