
etcdserver: move "etcdserver/auth" to "etcdserver/v2auth"

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
Gyuho Lee преди 7 години
родител
ревизия
eecbba7927

+ 1 - 0
CHANGELOG-3.4.md

@@ -35,6 +35,7 @@
   - Move `"github.com/coreos/etcd/snap"` to [`"github.com/coreos/etcd/internal/raftsnap"`](https://github.com/coreos/etcd/pull/9211).
   - Move `"github.com/coreos/etcd/store"` to [`"github.com/coreos/etcd/internal/store"`](https://github.com/coreos/etcd/pull/9238).
   - Move `"github.com/coreos/etcd/version"` to [`"github.com/coreos/etcd/internal/version"`](https://github.com/coreos/etcd/pull/9244).
+- Move `"github.com/coreos/etcd/etcdserver/auth"` to [`"github.com/coreos/etcd/etcdserver/v2auth"`](https://github.com/coreos/etcd/pull/9275).
 
 ### Added(`etcd`)
 

+ 4 - 4
etcdserver/api/v2http/client.go

@@ -32,10 +32,10 @@ import (
 	"github.com/coreos/etcd/etcdserver/api"
 	"github.com/coreos/etcd/etcdserver/api/etcdhttp"
 	"github.com/coreos/etcd/etcdserver/api/v2http/httptypes"
-	"github.com/coreos/etcd/etcdserver/auth"
 	"github.com/coreos/etcd/etcdserver/etcdserverpb"
 	"github.com/coreos/etcd/etcdserver/membership"
 	"github.com/coreos/etcd/etcdserver/stats"
+	"github.com/coreos/etcd/etcdserver/v2auth"
 	"github.com/coreos/etcd/internal/store"
 	"github.com/coreos/etcd/pkg/types"
 
@@ -59,7 +59,7 @@ func NewClientHandler(server etcdserver.ServerPeer, timeout time.Duration) http.
 }
 
 func handleV2(mux *http.ServeMux, server etcdserver.ServerV2, timeout time.Duration) {
-	sec := auth.NewStore(server, timeout)
+	sec := v2auth.NewStore(server, timeout)
 	kh := &keysHandler{
 		sec:                   sec,
 		server:                server,
@@ -101,7 +101,7 @@ func handleV2(mux *http.ServeMux, server etcdserver.ServerV2, timeout time.Durat
 }
 
 type keysHandler struct {
-	sec                   auth.Store
+	sec                   v2auth.Store
 	server                etcdserver.ServerV2
 	cluster               api.Cluster
 	timeout               time.Duration
@@ -168,7 +168,7 @@ func (h *machinesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 type membersHandler struct {
-	sec                   auth.Store
+	sec                   v2auth.Store
 	server                etcdserver.ServerV2
 	cluster               api.Cluster
 	timeout               time.Duration

+ 24 - 24
etcdserver/api/v2http/client_auth.go

@@ -22,23 +22,23 @@ import (
 
 	"github.com/coreos/etcd/etcdserver/api"
 	"github.com/coreos/etcd/etcdserver/api/v2http/httptypes"
-	"github.com/coreos/etcd/etcdserver/auth"
+	"github.com/coreos/etcd/etcdserver/v2auth"
 )
 
 type authHandler struct {
-	sec                   auth.Store
+	sec                   v2auth.Store
 	cluster               api.Cluster
 	clientCertAuthEnabled bool
 }
 
-func hasWriteRootAccess(sec auth.Store, r *http.Request, clientCertAuthEnabled bool) bool {
+func hasWriteRootAccess(sec v2auth.Store, r *http.Request, clientCertAuthEnabled bool) bool {
 	if r.Method == "GET" || r.Method == "HEAD" {
 		return true
 	}
 	return hasRootAccess(sec, r, clientCertAuthEnabled)
 }
 
-func userFromBasicAuth(sec auth.Store, r *http.Request) *auth.User {
+func userFromBasicAuth(sec v2auth.Store, r *http.Request) *v2auth.User {
 	username, password, ok := r.BasicAuth()
 	if !ok {
 		plog.Warningf("auth: malformed basic auth encoding")
@@ -57,7 +57,7 @@ func userFromBasicAuth(sec auth.Store, r *http.Request) *auth.User {
 	return &user
 }
 
-func userFromClientCertificate(sec auth.Store, r *http.Request) *auth.User {
+func userFromClientCertificate(sec v2auth.Store, r *http.Request) *v2auth.User {
 	if r.TLS == nil {
 		return nil
 	}
@@ -75,7 +75,7 @@ func userFromClientCertificate(sec auth.Store, r *http.Request) *auth.User {
 	return nil
 }
 
-func hasRootAccess(sec auth.Store, r *http.Request, clientCertAuthEnabled bool) bool {
+func hasRootAccess(sec v2auth.Store, r *http.Request, clientCertAuthEnabled bool) bool {
 	if sec == nil {
 		// No store means no auth available, eg, tests.
 		return true
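Review bot: The `sec == nil` guard at the top of hasRootAccess fails open: a nil store makes every request pass the root check, and the comment only says "eg, tests". The same guard appears in hasKeyPrefixAccess in a later hunk of this file. handleV2 builds the store with `v2auth.NewStore`, so the nil case looks test-only, and I would state that in the comment: `// A nil store is only expected in tests; production handlers always get a non-nil v2auth.Store. This check fails open.` The body of hasRootAccess continues outside this hunk.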
@@ -84,7 +84,7 @@ func hasRootAccess(sec auth.Store, r *http.Request, clientCertAuthEnabled bool)
 		return true
 	}
 
-	var rootUser *auth.User
+	var rootUser *v2auth.User
 	if r.Header.Get("Authorization") == "" && clientCertAuthEnabled {
 		rootUser = userFromClientCertificate(sec, r)
 		if rootUser == nil {
@@ -98,15 +98,15 @@ func hasRootAccess(sec auth.Store, r *http.Request, clientCertAuthEnabled bool)
 	}
 
 	for _, role := range rootUser.Roles {
-		if role == auth.RootRoleName {
+		if role == v2auth.RootRoleName {
 			return true
 		}
 	}
-	plog.Warningf("auth: user %s does not have the %s role for resource %s.", rootUser.User, auth.RootRoleName, r.URL.Path)
+	plog.Warningf("auth: user %s does not have the %s role for resource %s.", rootUser.User, v2auth.RootRoleName, r.URL.Path)
 	return false
 }
 
-func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive, clientCertAuthEnabled bool) bool {
+func hasKeyPrefixAccess(sec v2auth.Store, r *http.Request, key string, recursive, clientCertAuthEnabled bool) bool {
 	if sec == nil {
 		// No store means no auth available, eg, tests.
 		return true
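Review bot: The warning at the end of hasRootAccess formats `r.URL.Path` with `%s`, and that field holds the decoded request path, so a client can place line breaks or other control characters into the log entry. Quoting the request-derived values keeps each entry on one line: `plog.Warningf("auth: user %q does not have the %s role for resource %q.", rootUser.User, v2auth.RootRoleName, r.URL.Path)`. hasRootAccess starts before this hunk, and hasKeyPrefixAccess continues after it.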
@@ -115,7 +115,7 @@ func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive,
 		return true
 	}
 
-	var user *auth.User
+	var user *v2auth.User
 	if r.Header.Get("Authorization") == "" {
 		if clientCertAuthEnabled {
 			user = userFromClientCertificate(sec, r)
@@ -148,9 +148,9 @@ func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive,
 	return false
 }
 
-func hasGuestAccess(sec auth.Store, r *http.Request, key string) bool {
+func hasGuestAccess(sec v2auth.Store, r *http.Request, key string) bool {
 	writeAccess := r.Method != "GET" && r.Method != "HEAD"
-	role, err := sec.GetRole(auth.GuestRoleName)
+	role, err := sec.GetRole(v2auth.GuestRoleName)
 	if err != nil {
 		return false
 	}
@@ -204,10 +204,10 @@ func (sh *authHandler) baseRoles(w http.ResponseWriter, r *http.Request) {
 	}
 
 	var rolesCollections struct {
-		Roles []auth.Role `json:"roles"`
+		Roles []v2auth.Role `json:"roles"`
 	}
 	for _, roleName := range roles {
-		var role auth.Role
+		var role v2auth.Role
 		role, err = sh.sec.GetRole(roleName)
 		if err != nil {
 			writeError(w, r, err)
@@ -265,7 +265,7 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri
 		}
 		return
 	case "PUT":
-		var in auth.Role
+		var in v2auth.Role
 		err := json.NewDecoder(r.Body).Decode(&in)
 		if err != nil {
 			writeError(w, r, httptypes.NewHTTPError(http.StatusBadRequest, "Invalid JSON in request body."))
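Review bot: The PUT branch of forRole decodes `r.Body` into `in` with no bound on the body size, so the decoder reads as much as the client sends. The PUT branch of forUser in a later hunk does the same. Capping the body before decoding bounds memory per request, e.g. `r.Body = http.MaxBytesReader(w, r.Body, maxAuthBodyBytes)`, where `maxAuthBodyBytes` is a placeholder for a limit the package would define. Whether the root-access check runs before this point is not visible, since forRole starts and ends outside the hunk.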
@@ -276,7 +276,7 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri
 			return
 		}
 
-		var out auth.Role
+		var out v2auth.Role
 
 		// create
 		if in.Grant.IsEmpty() && in.Revoke.IsEmpty() {
@@ -316,8 +316,8 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri
 }
 
 type userWithRoles struct {
-	User  string      `json:"user"`
-	Roles []auth.Role `json:"roles,omitempty"`
+	User  string        `json:"user"`
+	Roles []v2auth.Role `json:"roles,omitempty"`
 }
 
 type usersCollections struct {
@@ -352,7 +352,7 @@ func (sh *authHandler) baseUsers(w http.ResponseWriter, r *http.Request) {
 
 	ucs := usersCollections{}
 	for _, userName := range users {
-		var user auth.User
+		var user v2auth.User
 		user, err = sh.sec.GetUser(userName)
 		if err != nil {
 			writeError(w, r, err)
@@ -361,7 +361,7 @@ func (sh *authHandler) baseUsers(w http.ResponseWriter, r *http.Request) {
 
 		uwr := userWithRoles{User: user.User}
 		for _, roleName := range user.Roles {
-			var role auth.Role
+			var role v2auth.Role
 			role, err = sh.sec.GetRole(roleName)
 			if err != nil {
 				continue
@@ -423,7 +423,7 @@ func (sh *authHandler) forUser(w http.ResponseWriter, r *http.Request, user stri
 
 		uwr := userWithRoles{User: u.User}
 		for _, roleName := range u.Roles {
-			var role auth.Role
+			var role v2auth.Role
 			role, err = sh.sec.GetRole(roleName)
 			if err != nil {
 				writeError(w, r, err)
@@ -439,7 +439,7 @@ func (sh *authHandler) forUser(w http.ResponseWriter, r *http.Request, user stri
 		}
 		return
 	case "PUT":
-		var u auth.User
+		var u v2auth.User
 		err := json.NewDecoder(r.Body).Decode(&u)
 		if err != nil {
 			writeError(w, r, httptypes.NewHTTPError(http.StatusBadRequest, "Invalid JSON in request body."))
@@ -451,7 +451,7 @@ func (sh *authHandler) forUser(w http.ResponseWriter, r *http.Request, user stri
 		}
 
 		var (
-			out     auth.User
+			out     v2auth.User
 			created bool
 		)
 

+ 74 - 74
etcdserver/api/v2http/client_auth_test.go

@@ -31,7 +31,7 @@ import (
 	"testing"
 
 	"github.com/coreos/etcd/etcdserver/api"
-	"github.com/coreos/etcd/etcdserver/auth"
+	"github.com/coreos/etcd/etcdserver/v2auth"
 )
 
 const goodPassword = "good"
@@ -46,8 +46,8 @@ func mustJSONRequest(t *testing.T, method string, p string, body string) *http.R
 }
 
 type mockAuthStore struct {
-	users   map[string]*auth.User
-	roles   map[string]*auth.Role
+	users   map[string]*v2auth.User
+	roles   map[string]*v2auth.Role
 	err     error
 	enabled bool
 }
@@ -60,14 +60,14 @@ func (s *mockAuthStore) AllUsers() ([]string, error) {
 	sort.Strings(us)
 	return us, s.err
 }
-func (s *mockAuthStore) GetUser(name string) (auth.User, error) {
+func (s *mockAuthStore) GetUser(name string) (v2auth.User, error) {
 	u, ok := s.users[name]
 	if !ok {
-		return auth.User{}, s.err
+		return v2auth.User{}, s.err
 	}
 	return *u, s.err
 }
-func (s *mockAuthStore) CreateOrUpdateUser(user auth.User) (out auth.User, created bool, err error) {
+func (s *mockAuthStore) CreateOrUpdateUser(user v2auth.User) (out v2auth.User, created bool, err error) {
 	if s.users == nil {
 		out, err = s.CreateUser(user)
 		return out, true, err
@@ -75,31 +75,31 @@ func (s *mockAuthStore) CreateOrUpdateUser(user auth.User) (out auth.User, creat
 	out, err = s.UpdateUser(user)
 	return out, false, err
 }
-func (s *mockAuthStore) CreateUser(user auth.User) (auth.User, error) { return user, s.err }
-func (s *mockAuthStore) DeleteUser(name string) error                 { return s.err }
-func (s *mockAuthStore) UpdateUser(user auth.User) (auth.User, error) {
+func (s *mockAuthStore) CreateUser(user v2auth.User) (v2auth.User, error) { return user, s.err }
+func (s *mockAuthStore) DeleteUser(name string) error                     { return s.err }
+func (s *mockAuthStore) UpdateUser(user v2auth.User) (v2auth.User, error) {
 	return *s.users[user.User], s.err
 }
 func (s *mockAuthStore) AllRoles() ([]string, error) {
 	return []string{"awesome", "guest", "root"}, s.err
 }
-func (s *mockAuthStore) GetRole(name string) (auth.Role, error) {
+func (s *mockAuthStore) GetRole(name string) (v2auth.Role, error) {
 	r, ok := s.roles[name]
 	if ok {
 		return *r, s.err
 	}
-	return auth.Role{}, fmt.Errorf("%q does not exist (%v)", name, s.err)
+	return v2auth.Role{}, fmt.Errorf("%q does not exist (%v)", name, s.err)
 }
-func (s *mockAuthStore) CreateRole(role auth.Role) error { return s.err }
-func (s *mockAuthStore) DeleteRole(name string) error    { return s.err }
-func (s *mockAuthStore) UpdateRole(role auth.Role) (auth.Role, error) {
+func (s *mockAuthStore) CreateRole(role v2auth.Role) error { return s.err }
+func (s *mockAuthStore) DeleteRole(name string) error      { return s.err }
+func (s *mockAuthStore) UpdateRole(role v2auth.Role) (v2auth.Role, error) {
 	return *s.roles[role.Role], s.err
 }
 func (s *mockAuthStore) AuthEnabled() bool  { return s.enabled }
 func (s *mockAuthStore) EnableAuth() error  { return s.err }
 func (s *mockAuthStore) DisableAuth() error { return s.err }
 
-func (s *mockAuthStore) CheckPassword(user auth.User, password string) bool {
+func (s *mockAuthStore) CheckPassword(user v2auth.User, password string) bool {
 	return user.Password == password
 }
 
@@ -132,7 +132,7 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "GET", "users", ""),
 			store: mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"alice": {
 						User:     "alice",
 						Roles:    []string{"alicerole", "guest"},
@@ -149,7 +149,7 @@ func TestAuthFlow(t *testing.T) {
 						Password: "wheeee",
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"alicerole": {
 						Role: "alicerole",
 					},
@@ -173,14 +173,14 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "GET", "users/alice", ""),
 			store: mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"alice": {
 						User:     "alice",
 						Roles:    []string{"alicerole"},
 						Password: "wheeee",
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"alicerole": {
 						Role: "alicerole",
 					},
@@ -204,7 +204,7 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "password": "goodpassword"}`),
 			store: mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"alice": {
 						User:     "alice",
 						Roles:    []string{"alicerole", "guest"},
@@ -218,7 +218,7 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "grant": ["alicerole"]}`),
 			store: mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"alice": {
 						User:     "alice",
 						Roles:    []string{"alicerole", "guest"},
@@ -232,8 +232,8 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "GET", "users/alice", ``),
 			store: mockAuthStore{
-				users: map[string]*auth.User{},
-				err:   auth.Error{Status: http.StatusNotFound, Errmsg: "auth: User alice doesn't exist."},
+				users: map[string]*v2auth.User{},
+				err:   v2auth.Error{Status: http.StatusNotFound, Errmsg: "auth: User alice doesn't exist."},
 			},
 			wcode: http.StatusNotFound,
 			wbody: `{"message":"auth: User alice doesn't exist."}`,
@@ -241,7 +241,7 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "GET", "roles/manager", ""),
 			store: mockAuthStore{
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"manager": {
 						Role: "manager",
 					},
@@ -265,7 +265,7 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "PUT", "roles/manager", `{"role":"manager","revoke":{"kv":{"read":["foo"],"write":[]}}}`),
 			store: mockAuthStore{
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"manager": {
 						Role: "manager",
 					},
@@ -277,7 +277,7 @@ func TestAuthFlow(t *testing.T) {
 		{
 			req: mustJSONRequest(t, "GET", "roles", ""),
 			store: mockAuthStore{
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"awesome": {
 						Role: "awesome",
 					},
@@ -318,14 +318,14 @@ func TestAuthFlow(t *testing.T) {
 			})(),
 			store: mockAuthStore{
 				enabled: true,
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"root": {
 						User:     "root",
 						Password: goodPassword,
 						Roles:    []string{"root"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"root": {
 						Role: "root",
 					},
@@ -342,14 +342,14 @@ func TestAuthFlow(t *testing.T) {
 			})(),
 			store: mockAuthStore{
 				enabled: true,
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"root": {
 						User:     "root",
 						Password: goodPassword,
 						Roles:    []string{"root"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"root": {
 						Role: "guest",
 					},
@@ -383,13 +383,13 @@ func TestAuthFlow(t *testing.T) {
 func TestGetUserGrantedWithNonexistingRole(t *testing.T) {
 	sh := &authHandler{
 		sec: &mockAuthStore{
-			users: map[string]*auth.User{
+			users: map[string]*v2auth.User{
 				"root": {
 					User:  "root",
 					Roles: []string{"root", "foo"},
 				},
 			},
-			roles: map[string]*auth.Role{
+			roles: map[string]*v2auth.Role{
 				"root": {
 					Role: "root",
 				},
@@ -483,14 +483,14 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/foo",
 			req: mustAuthRequest("GET", "root", "good"),
 			store: &mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"root": {
 						User:     "root",
 						Password: goodPassword,
 						Roles:    []string{"root"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"root": {
 						Role: "root",
 					},
@@ -505,18 +505,18 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/foo",
 			req: mustAuthRequest("GET", "user", "good"),
 			store: &mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"user": {
 						User:     "user",
 						Password: goodPassword,
 						Roles:    []string{"foorole"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"foorole": {
 						Role: "foorole",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo"},
 								Write: []string{"/foo"},
 							},
@@ -533,18 +533,18 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/foo",
 			req: mustAuthRequest("GET", "user", "good"),
 			store: &mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"user": {
 						User:     "user",
 						Password: goodPassword,
 						Roles:    []string{"foorole"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"foorole": {
 						Role: "foorole",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo*"},
 								Write: []string{"/foo*"},
 							},
@@ -561,18 +561,18 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/foo",
 			req: mustAuthRequest("GET", "user", "bad"),
 			store: &mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"user": {
 						User:     "user",
 						Password: goodPassword,
 						Roles:    []string{"foorole"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"foorole": {
 						Role: "foorole",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo*"},
 								Write: []string{"/foo*"},
 							},
@@ -589,7 +589,7 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/foo",
 			req: mustAuthRequest("GET", "user", "good"),
 			store: &mockAuthStore{
-				users:   map[string]*auth.User{},
+				users:   map[string]*v2auth.User{},
 				err:     errors.New("Not the user"),
 				enabled: true,
 			},
@@ -601,18 +601,18 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/foo",
 			req: mustJSONRequest(t, "GET", "somepath", ""),
 			store: &mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"user": {
 						User:     "user",
 						Password: goodPassword,
 						Roles:    []string{"foorole"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"guest": {
 						Role: "guest",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo*"},
 								Write: []string{"/foo*"},
 							},
@@ -629,18 +629,18 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/bar",
 			req: mustJSONRequest(t, "GET", "somepath", ""),
 			store: &mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"user": {
 						User:     "user",
 						Password: goodPassword,
 						Roles:    []string{"foorole"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"guest": {
 						Role: "guest",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo*"},
 								Write: []string{"/foo*"},
 							},
@@ -658,21 +658,21 @@ func TestPrefixAccess(t *testing.T) {
 			key: "/foo",
 			req: mustAuthRequest("GET", "user", "good"),
 			store: &mockAuthStore{
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"user": {
 						User:     "user",
 						Password: goodPassword,
 						Roles:    []string{"role1", "role2"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"role1": {
 						Role: "role1",
 					},
 					"role2": {
 						Role: "role2",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo"},
 								Write: []string{"/foo"},
 							},
@@ -694,18 +694,18 @@ func TestPrefixAccess(t *testing.T) {
 			})(),
 			store: &mockAuthStore{
 				enabled: true,
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"root": {
 						User:     "root",
 						Password: goodPassword,
 						Roles:    []string{"root"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"guest": {
 						Role: "guest",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo*"},
 								Write: []string{"/foo*"},
 							},
@@ -724,18 +724,18 @@ func TestPrefixAccess(t *testing.T) {
 			})(),
 			store: &mockAuthStore{
 				enabled: true,
-				users: map[string]*auth.User{
+				users: map[string]*v2auth.User{
 					"root": {
 						User:     "root",
 						Password: goodPassword,
 						Roles:    []string{"root"},
 					},
 				},
-				roles: map[string]*auth.Role{
+				roles: map[string]*v2auth.Role{
 					"guest": {
 						Role: "guest",
-						Permissions: auth.Permissions{
-							KV: auth.RWPermission{
+						Permissions: v2auth.Permissions{
+							KV: v2auth.RWPermission{
 								Read:  []string{"/foo*"},
 								Write: []string{"/foo*"},
 							},
@@ -764,7 +764,7 @@ func TestPrefixAccess(t *testing.T) {
 
 func TestUserFromClientCertificate(t *testing.T) {
 	witherror := &mockAuthStore{
-		users: map[string]*auth.User{
+		users: map[string]*v2auth.User{
 			"user": {
 				User:     "user",
 				Roles:    []string{"root"},
@@ -776,7 +776,7 @@ func TestUserFromClientCertificate(t *testing.T) {
 				Password: "password",
 			},
 		},
-		roles: map[string]*auth.Role{
+		roles: map[string]*v2auth.Role{
 			"root": {
 				Role: "root",
 			},
@@ -785,7 +785,7 @@ func TestUserFromClientCertificate(t *testing.T) {
 	}
 
 	noerror := &mockAuthStore{
-		users: map[string]*auth.User{
+		users: map[string]*v2auth.User{
 			"user": {
 				User:     "user",
 				Roles:    []string{"root"},
@@ -797,7 +797,7 @@ func TestUserFromClientCertificate(t *testing.T) {
 				Password: "password",
 			},
 		},
-		roles: map[string]*auth.Role{
+		roles: map[string]*v2auth.Role{
 			"root": {
 				Role: "root",
 			},
@@ -807,7 +807,7 @@ func TestUserFromClientCertificate(t *testing.T) {
 	var table = []struct {
 		req        *http.Request
 		userExists bool
-		store      auth.Store
+		store      v2auth.Store
 		username   string
 	}{
 		{
@@ -846,14 +846,14 @@ func TestUserFromClientCertificate(t *testing.T) {
 
 func TestUserFromBasicAuth(t *testing.T) {
 	sec := &mockAuthStore{
-		users: map[string]*auth.User{
+		users: map[string]*v2auth.User{
 			"user": {
 				User:     "user",
 				Roles:    []string{"root"},
 				Password: "password",
 			},
 		},
-		roles: map[string]*auth.Role{
+		roles: map[string]*v2auth.Role{
 			"root": {
 				Role: "root",
 			},

+ 2 - 2
etcdserver/api/v2http/http.go

@@ -22,7 +22,7 @@ import (
 
 	"github.com/coreos/etcd/etcdserver/api/etcdhttp"
 	"github.com/coreos/etcd/etcdserver/api/v2http/httptypes"
-	"github.com/coreos/etcd/etcdserver/auth"
+	"github.com/coreos/etcd/etcdserver/v2auth"
 	"github.com/coreos/etcd/pkg/logutil"
 
 	"github.com/coreos/pkg/capnslog"
@@ -42,7 +42,7 @@ func writeError(w http.ResponseWriter, r *http.Request, err error) {
 	if err == nil {
 		return
 	}
-	if e, ok := err.(auth.Error); ok {
+	if e, ok := err.(v2auth.Error); ok {
 		herr := httptypes.NewHTTPError(e.HTTPStatus(), e.Error())
 		if et := herr.WriteTo(w); et != nil {
 			plog.Debugf("error writing HTTPError (%v) to %s", et, r.RemoteAddr)

+ 2 - 2
etcdserver/auth/auth.go → etcdserver/v2auth/auth.go

@@ -12,8 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Package auth implements etcd authentication.
-package auth
+// Package v2auth implements etcd authentication.
+package v2auth
 
 import (
 	"context"
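Review bot: The package comment still reads as if this were etcd's general authentication package, although the new name and its use from handleV2 suggest it serves the v2 API only. I would make that explicit so readers do not reach for it from other code paths: `// Package v2auth implements etcd authentication for the v2 HTTP API.` The auth_requests.go and auth_test.go sections show no package comment, so this is the one place to say it.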

+ 1 - 1
etcdserver/auth/auth_requests.go → etcdserver/v2auth/auth_requests.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package auth
+package v2auth
 
 import (
 	"context"

+ 1 - 1
etcdserver/auth/auth_test.go → etcdserver/v2auth/auth_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package auth
+package v2auth
 
 import (
 	"context"