Accueil Explorer Aide
S'inscrire Connexion
publics
/
etcd-io__etcd
0
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 62f8ec25c0
Branches Tags
etcd-io__etcd
/
clientv3
/
auth.go

auth.go 8.1 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 
  1. // Copyright 2016 The etcd Authors
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. package clientv3
    16. 

  16. 

  17. import (
    18. 

  18. 	"fmt"
    19. 

  19. 	"strings"
    20. 

  20. 

  21. 	"github.com/coreos/etcd/auth/authpb"
    22. 

  22. 	pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
    23. 

  23. 	"golang.org/x/net/context"
    24. 

  24. 	"google.golang.org/grpc"
    25. 

  25. )
    26. 

  26. 

  27. type (
    28. 

  28. 	AuthEnableResponse               pb.AuthEnableResponse
    29. 

  29. 	AuthDisableResponse              pb.AuthDisableResponse
    30. 

  30. 	AuthenticateResponse             pb.AuthenticateResponse
    31. 

  31. 	AuthUserAddResponse              pb.AuthUserAddResponse
    32. 

  32. 	AuthUserDeleteResponse           pb.AuthUserDeleteResponse
    33. 

  33. 	AuthUserChangePasswordResponse   pb.AuthUserChangePasswordResponse
    34. 

  34. 	AuthUserGrantRoleResponse        pb.AuthUserGrantRoleResponse
    35. 

  35. 	AuthUserGetResponse              pb.AuthUserGetResponse
    36. 

  36. 	AuthUserRevokeRoleResponse       pb.AuthUserRevokeRoleResponse
    37. 

  37. 	AuthRoleAddResponse              pb.AuthRoleAddResponse
    38. 

  38. 	AuthRoleGrantPermissionResponse  pb.AuthRoleGrantPermissionResponse
    39. 

  39. 	AuthRoleGetResponse              pb.AuthRoleGetResponse
    40. 

  40. 	AuthRoleRevokePermissionResponse pb.AuthRoleRevokePermissionResponse
    41. 

  41. 	AuthRoleDeleteResponse           pb.AuthRoleDeleteResponse
    42. 

  42. 

  43. 	PermissionType authpb.Permission_Type
    44. 

  44. )
    45. 

  45. 

  46. const (
    47. 

  47. 	PermRead      = authpb.READ
    48. 

  48. 	PermWrite     = authpb.WRITE
    49. 

  49. 	PermReadWrite = authpb.READWRITE
    50. 

  50. )
    51. 

  51. 

  52. type Auth interface {
    53. 

  53. 	// AuthEnable enables auth of an etcd cluster.
    54. 

  54. 	AuthEnable(ctx context.Context) (*AuthEnableResponse, error)
    55. 

  55. 

  56. 	// AuthDisable disables auth of an etcd cluster.
    57. 

  57. 	AuthDisable(ctx context.Context) (*AuthDisableResponse, error)
    58. 

  58. 

  59. 	// UserAdd adds a new user to an etcd cluster.
    60. 

  60. 	UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)
    61. 

  61. 

  62. 	// UserDelete deletes a user from an etcd cluster.
    63. 

  63. 	UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)
    64. 

  64. 

  65. 	// UserChangePassword changes a password of a user.
    66. 

  66. 	UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)
    67. 

  67. 

  68. 	// UserGrantRole grants a role to a user.
    69. 

  69. 	UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error)
    70. 

  70. 

  71. 	// UserGet gets a detailed information of a user.
    72. 

  72. 	UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error)
    73. 

  73. 

  74. 	// UserRevokeRole revokes a role of a user.
    75. 

  75. 	UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error)
    76. 

  76. 

  77. 	// RoleAdd adds a new role to an etcd cluster.
    78. 

  78. 	RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)
    79. 

  79. 

  80. 	// RoleGrantPermission grants a permission to a role.
    81. 

  81. 	RoleGrantPermission(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error)
    82. 

  82. 

  83. 	// RoleGet gets a detailed information of a role.
    84. 

  84. 	RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error)
    85. 

  85. 

  86. 	// RoleRevokePermission revokes a key from a user.
    87. 

  87. 	RoleRevokePermission(ctx context.Context, role string, key string) (*AuthRoleRevokePermissionResponse, error)
    88. 

  88. 

  89. 	// RoleDelete deletes a role.
    90. 

  90. 	RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error)
    91. 

  91. }
    92. 

  92. 

  93. type auth struct {
    94. 

  94. 	c *Client
    95. 

  95. 

  96. 	conn   *grpc.ClientConn // conn in-use
    97. 

  97. 	remote pb.AuthClient
    98. 

  98. }
    99. 

  99. 

  100. func NewAuth(c *Client) Auth {
    101. 

  101. 	conn := c.ActiveConnection()
    102. 

  102. 	return &auth{
    103. 

  103. 		conn:   c.ActiveConnection(),
    104. 

  104. 		remote: pb.NewAuthClient(conn),
    105. 

  105. 		c:      c,
    106. 

  106. 	}
    107. 

  107. }
    108. 

  108. 

  109. func (auth *auth) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {
    110. 

  110. 	resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{})
    111. 

  111. 	return (*AuthEnableResponse)(resp), toErr(ctx, err)
    112. 

  112. }
    113. 

  113. 

  114. func (auth *auth) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) {
    115. 

  115. 	resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{})
    116. 

  116. 	return (*AuthDisableResponse)(resp), toErr(ctx, err)
    117. 

  117. }
    118. 

  118. 

  119. func (auth *auth) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {
    120. 

  120. 	resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password})
    121. 

  121. 	return (*AuthUserAddResponse)(resp), toErr(ctx, err)
    122. 

  122. }
    123. 

  123. 

  124. func (auth *auth) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) {
    125. 

  125. 	resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name})
    126. 

  126. 	return (*AuthUserDeleteResponse)(resp), toErr(ctx, err)
    127. 

  127. }
    128. 

  128. 

  129. func (auth *auth) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) {
    130. 

  130. 	resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password})
    131. 

  131. 	return (*AuthUserChangePasswordResponse)(resp), toErr(ctx, err)
    132. 

  132. }
    133. 

  133. 

  134. func (auth *auth) UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error) {
    135. 

  135. 	resp, err := auth.remote.UserGrantRole(ctx, &pb.AuthUserGrantRoleRequest{User: user, Role: role})
    136. 

  136. 	return (*AuthUserGrantRoleResponse)(resp), toErr(ctx, err)
    137. 

  137. }
    138. 

  138. 

  139. func (auth *auth) UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) {
    140. 

  140. 	resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name})
    141. 

  141. 	return (*AuthUserGetResponse)(resp), toErr(ctx, err)
    142. 

  142. }
    143. 

  143. 

  144. func (auth *auth) UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error) {
    145. 

  145. 	resp, err := auth.remote.UserRevokeRole(ctx, &pb.AuthUserRevokeRoleRequest{Name: name, Role: role})
    146. 

  146. 	return (*AuthUserRevokeRoleResponse)(resp), toErr(ctx, err)
    147. 

  147. }
    148. 

  148. 

  149. func (auth *auth) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) {
    150. 

  150. 	resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name})
    151. 

  151. 	return (*AuthRoleAddResponse)(resp), toErr(ctx, err)
    152. 

  152. }
    153. 

  153. 

  154. func (auth *auth) RoleGrantPermission(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error) {
    155. 

  155. 	perm := &authpb.Permission{
    156. 

  156. 		Key:      []byte(key),
    157. 

  157. 		PermType: authpb.Permission_Type(permType),
    158. 

  158. 	}
    159. 

  159. 	resp, err := auth.remote.RoleGrantPermission(ctx, &pb.AuthRoleGrantPermissionRequest{Name: name, Perm: perm})
    160. 

  160. 	return (*AuthRoleGrantPermissionResponse)(resp), toErr(ctx, err)
    161. 

  161. }
    162. 

  162. 

  163. func (auth *auth) RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) {
    164. 

  164. 	resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role})
    165. 

  165. 	return (*AuthRoleGetResponse)(resp), toErr(ctx, err)
    166. 

  166. }
    167. 

  167. 

  168. func (auth *auth) RoleRevokePermission(ctx context.Context, role string, key string) (*AuthRoleRevokePermissionResponse, error) {
    169. 

  169. 	resp, err := auth.remote.RoleRevokePermission(ctx, &pb.AuthRoleRevokePermissionRequest{Role: role, Key: key})
    170. 

  170. 	return (*AuthRoleRevokePermissionResponse)(resp), toErr(ctx, err)
    171. 

  171. }
    172. 

  172. 

  173. func (auth *auth) RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error) {
    174. 

  174. 	resp, err := auth.remote.RoleDelete(ctx, &pb.AuthRoleDeleteRequest{Role: role})
    175. 

  175. 	return (*AuthRoleDeleteResponse)(resp), toErr(ctx, err)
    176. 

  176. }
    177. 

  177. 

  178. func StrToPermissionType(s string) (PermissionType, error) {
    179. 

  179. 	val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]
    180. 

  180. 	if ok {
    181. 

  181. 		return PermissionType(val), nil
    182. 

  182. 	}
    183. 

  183. 	return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)
    184. 

  184. }
    185. 

  185. 

  186. type authenticator struct {
    187. 

  187. 	conn   *grpc.ClientConn // conn in-use
    188. 

  188. 	remote pb.AuthClient
    189. 

  189. }
    190. 

  190. 

  191. func (auth *authenticator) authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) {
    192. 

  192. 	resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password})
    193. 

  193. 	return (*AuthenticateResponse)(resp), toErr(ctx, err)
    194. 

  194. }
    195. 

  195. 

  196. func (auth *authenticator) close() {
    197. 

  197. 	auth.conn.Close()
    198. 

  198. }
    199. 

  199. 

  200. func newAuthenticator(endpoint string, opts []grpc.DialOption) (*authenticator, error) {
    201. 

  201. 	conn, err := grpc.Dial(endpoint, opts...)
    202. 

  202. 	if err != nil {
    203. 

  203. 		return nil, err
    204. 

  204. 	}
    205. 

  205. 

  206. 	return &authenticator{
    207. 

  207. 		conn:   conn,
    208. 

  208. 		remote: pb.NewAuthClient(conn),
    209. 

  209. 	}, nil
    210. 

  210. }
    211.