Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge pull request #6356 from mitake/root-role

auth, e2e: the root role should be granted access to every key
Xiang Li 9 years ago
parent
271df0dd71 bc5d7bbe03
commit
d36c0a1444
3 changed files with 44 additions and 18 deletions
Split View Show Diff Stats
  1. 5 0
      auth/store.go
  2. 32 11
      clientv3/example_auth_test.go
  3. 7 7
      e2e/ctl_v3_auth_test.go

+ 5 - 0
auth/store.go
View File 

@@ -666,6 +666,11 @@ func (as *authStore) isOpPermitted(userName string, revision uint64, key, rangeE
 
 		return ErrPermissionDenied
 
 	}
 
 
+	// root role should have permission on all ranges
 
+	if hasRootRole(user) {
 
+		return nil
 
+	}
 
+
 
 	if as.isRangeOpPermitted(tx, userName, key, rangeEnd, permTyp) {
 
 		return nil
 
 	}

+ 32 - 11
clientv3/example_auth_test.go
View File 

@@ -35,20 +35,30 @@ func ExampleAuth() {
 
 	if _, err = cli.RoleAdd(context.TODO(), "root"); err != nil {
 
 		log.Fatal(err)
 
 	}
 
+	if _, err = cli.UserAdd(context.TODO(), "root", "123"); err != nil {
 
+		log.Fatal(err)
 
+	}
 
+	if _, err = cli.UserGrantRole(context.TODO(), "root", "root"); err != nil {
 
+		log.Fatal(err)
 
+	}
 
+
 
+	if _, err = cli.RoleAdd(context.TODO(), "r"); err != nil {
 
+		log.Fatal(err)
 
+	}
 
 
 	if _, err = cli.RoleGrantPermission(
 
 		context.TODO(),
 
-		"root", // role name
 
-		"foo",  // key
 
-		"zoo",  // range end
 
+		"r",   // role name
 
+		"foo", // key
 
+		"zoo", // range end
 
 		clientv3.PermissionType(clientv3.PermReadWrite),
 
 	); err != nil {
 
 		log.Fatal(err)
 
 	}
 
-	if _, err = cli.UserAdd(context.TODO(), "root", "123"); err != nil {
 
+	if _, err = cli.UserAdd(context.TODO(), "u", "123"); err != nil {
 
 		log.Fatal(err)
 
 	}
 
-	if _, err = cli.UserGrantRole(context.TODO(), "root", "root"); err != nil {
 
+	if _, err = cli.UserGrantRole(context.TODO(), "u", "r"); err != nil {
 
 		log.Fatal(err)
 
 	}
 
 	if _, err = cli.AuthEnable(context.TODO()); err != nil {
 
@@ -58,7 +68,7 @@ func ExampleAuth() {
 
 	cliAuth, err := clientv3.New(clientv3.Config{
 
 		Endpoints:   endpoints,
 
 		DialTimeout: dialTimeout,
 
-		Username:    "root",
 
+		Username:    "u",
 
 		Password:    "123",
 
 	})
 
 	if err != nil {
 
@@ -77,16 +87,27 @@ func ExampleAuth() {
 
 		Commit()
 
 	fmt.Println(err)
 
 
-	// now check the permission
 
-	resp, err := cliAuth.RoleGet(context.TODO(), "root")
 
+	// now check the permission with the root account
 
+	rootCli, err := clientv3.New(clientv3.Config{
 
+		Endpoints:   endpoints,
 
+		DialTimeout: dialTimeout,
 
+		Username:    "root",
 
+		Password:    "123",
 
+	})
 
+	if err != nil {
 
+		log.Fatal(err)
 
+	}
 
+	defer rootCli.Close()
 
+
 
+	resp, err := rootCli.RoleGet(context.TODO(), "r")
 
 	if err != nil {
 
 		log.Fatal(err)
 
 	}
 
-	fmt.Printf("root user permission: key %q, range end %q\n", resp.Perm[0].Key, resp.Perm[0].RangeEnd)
 
+	fmt.Printf("user u permission: key %q, range end %q\n", resp.Perm[0].Key, resp.Perm[0].RangeEnd)
 
 
-	if _, err = cliAuth.AuthDisable(context.TODO()); err != nil {
 
+	if _, err = rootCli.AuthDisable(context.TODO()); err != nil {
 
 		log.Fatal(err)
 
 	}
 
 	// Output: etcdserver: permission denied
 
-	// root user permission: key "foo", range end "zoo"
 
+	// user u permission: key "foo", range end "zoo"
 
 }

+ 7 - 7
e2e/ctl_v3_auth_test.go
View File 

@@ -111,11 +111,11 @@ func authCredWriteKeyTest(cx ctlCtx) {
 
 	cx.user, cx.pass = "root", "root"
 
 	authSetupTestUser(cx)
 
 
-	// confirm root role doesn't grant access to all keys
 
-	if err := ctlV3PutFailPerm(cx, "foo", "bar"); err != nil {
 
+	// confirm root role can access to all keys
 
+	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
 
 		cx.t.Fatal(err)
 
 	}
 
-	if err := ctlV3GetFailPerm(cx, "foo"); err != nil {
 
+	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
 
 		cx.t.Fatal(err)
 
 	}
 
 
@@ -126,17 +126,17 @@ func authCredWriteKeyTest(cx ctlCtx) {
 
 	}
 
 	// confirm put failed
 
 	cx.user, cx.pass = "test-user", "pass"
 
-	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "a"}}...); err != nil {
 
+	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
 
 		cx.t.Fatal(err)
 
 	}
 
 
 	// try good user
 
 	cx.user, cx.pass = "test-user", "pass"
 
-	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
 
+	if err := ctlV3Put(cx, "foo", "bar2", ""); err != nil {
 
 		cx.t.Fatal(err)
 
 	}
 
 	// confirm put succeeded
 
-	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
 
+	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar2"}}...); err != nil {
 
 		cx.t.Fatal(err)
 
 	}
 
 
@@ -147,7 +147,7 @@ func authCredWriteKeyTest(cx ctlCtx) {
 
 	}
 
 	// confirm put failed
 
 	cx.user, cx.pass = "test-user", "pass"
 
-	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
 
+	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar2"}}...); err != nil {
 
 		cx.t.Fatal(err)
 
 	}
 
 }