Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

auth: separate the role create and update path

Giving both permission and grant/revoke is not allowed.
Creating an existing role is not allowed.
Updating a non-existing is not allowed.
Xiang Li 10 years ago
parent
bc61056912
commit
c8628c8fe5
2 changed files with 26 additions and 17 deletions
Split View Show Diff Stats
  1. 4 10
      etcdserver/auth/auth.go
  2. 22 7
      etcdserver/etcdhttp/client_auth.go

+ 4 - 10
etcdserver/auth/auth.go
View File 

@@ -97,6 +97,10 @@ type Permissions struct {
 
 	KV rwPermission `json:"kv"`
 
 }
 
 
+func (p *Permissions) IsEmpty() bool {
 
+	return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
 
+}
 
+
 
 type rwPermission struct {
 
 	Read  []string `json:"read"`
 
 	Write []string `json:"write"`
 
@@ -297,16 +301,6 @@ func (s *Store) GetRole(name string) (Role, error) {
 
 	return r, nil
 
 }
 
 
-func (s *Store) CreateOrUpdateRole(r Role) (role Role, created bool, err error) {
 
-	_, err = s.GetRole(r.Role)
 
-	if err == nil {
 
-		role, err = s.UpdateRole(r)
 
-		created = false
 
-		return
 
-	}
 
-	return r, true, s.CreateRole(r)
 
-}
 
-
 
 func (s *Store) CreateRole(role Role) error {
 
 	if role.Role == RootRoleName {
 
 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)

+ 22 - 7
etcdserver/etcdhttp/client_auth.go
View File 

@@ -211,17 +211,32 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri
 
 			writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON name does not match the name in the URL"))
 
 			return
 
 		}
 
-		newrole, created, err := sh.sec.CreateOrUpdateRole(in)
 
-		if err != nil {
 
-			writeError(w, err)
 
-			return
 
-		}
 
-		if created {
 
+
 
+		var out auth.Role
 
+
 
+		// create
 
+		if in.Grant.IsEmpty() && in.Revoke.IsEmpty() {
 
+			err = sh.sec.CreateRole(in)
 
+			if err != nil {
 
+				writeError(w, err)
 
+				return
 
+			}
 
 			w.WriteHeader(http.StatusCreated)
 
+			out = in
 
 		} else {
 
+			if !in.Permissions.IsEmpty() {
 
+				writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON contains both permissions and grant/revoke"))
 
+				return
 
+			}
 
+			out, err = sh.sec.UpdateRole(in)
 
+			if err != nil {
 
+				writeError(w, err)
 
+				return
 
+			}
 
 			w.WriteHeader(http.StatusOK)
 
 		}
 
-		err = json.NewEncoder(w).Encode(newrole)
 
+
 
+		err = json.NewEncoder(w).Encode(out)
 
 		if err != nil {
 
 			plog.Warningf("forRole error encoding on %s", r.URL)
 
 			return