|
|
@@ -970,7 +970,7 @@ func (as *authStore) Revision() uint64 {
|
|
|
return atomic.LoadUint64(&as.revision)
|
|
|
}
|
|
|
|
|
|
-func (as *authStore) AuthInfoFromTLS(ctx context.Context) *AuthInfo {
|
|
|
+func (as *authStore) AuthInfoFromTLS(ctx context.Context) (ai *AuthInfo) {
|
|
|
peer, ok := peer.FromContext(ctx)
|
|
|
if !ok || peer == nil || peer.AuthInfo == nil {
|
|
|
return nil
|
|
|
@@ -982,10 +982,23 @@ func (as *authStore) AuthInfoFromTLS(ctx context.Context) *AuthInfo {
|
|
|
cn := chain.Subject.CommonName
|
|
|
plog.Debugf("found common name %s", cn)
|
|
|
|
|
|
- return &AuthInfo{
|
|
|
+ ai = &AuthInfo{
|
|
|
Username: cn,
|
|
|
Revision: as.Revision(),
|
|
|
}
|
|
|
+ md, ok := metadata.FromIncomingContext(ctx)
|
|
|
+ if !ok {
|
|
|
+ return nil
|
|
|
+ }
|
|
|
+
|
|
|
+ // gRPC-gateway proxy request to etcd server includes Grpcgateway-Accept
|
|
|
+ // header. The proxy uses etcd client server certificate. If the certificate
|
|
|
+ // has a CommonName we should never use this for authentication.
|
|
|
+ if gw := md["grpcgateway-accept"]; len(gw) > 0 {
|
|
|
+ plog.Warningf("ignoring common name in gRPC-gateway proxy request %s", ai.Username)
|
|
|
+ return nil
|
|
|
+ }
|
|
|
+ return ai
|
|
|
}
|
|
|
}
|
|
|
|
Sam Batschelet