Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 94f22e8a07
Branches Tags
etcd-io__etcd
/
clientv3
/
auth.go

auth.go 8.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211 
  1. // Copyright 2016 The etcd Authors
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. package clientv3
    16. 

  16. 

  17. import (
    18. 

  18. 	"fmt"
    19. 

  19. 	"strings"
    20. 

  20. 

  21. 	"github.com/coreos/etcd/auth/authpb"
    22. 

  22. 	"github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes"
    23. 

  23. 	pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
    24. 

  24. 	"golang.org/x/net/context"
    25. 

  25. 	"google.golang.org/grpc"
    26. 

  26. )
    27. 

  27. 

  28. type (
    29. 

  29. 	AuthEnableResponse               pb.AuthEnableResponse
    30. 

  30. 	AuthDisableResponse              pb.AuthDisableResponse
    31. 

  31. 	AuthenticateResponse             pb.AuthenticateResponse
    32. 

  32. 	AuthUserAddResponse              pb.AuthUserAddResponse
    33. 

  33. 	AuthUserDeleteResponse           pb.AuthUserDeleteResponse
    34. 

  34. 	AuthUserChangePasswordResponse   pb.AuthUserChangePasswordResponse
    35. 

  35. 	AuthUserGrantResponse            pb.AuthUserGrantResponse
    36. 

  36. 	AuthUserGetResponse              pb.AuthUserGetResponse
    37. 

  37. 	AuthUserRevokeRoleResponse       pb.AuthUserRevokeRoleResponse
    38. 

  38. 	AuthRoleAddResponse              pb.AuthRoleAddResponse
    39. 

  39. 	AuthRoleGrantResponse            pb.AuthRoleGrantResponse
    40. 

  40. 	AuthRoleGetResponse              pb.AuthRoleGetResponse
    41. 

  41. 	AuthRoleRevokePermissionResponse pb.AuthRoleRevokePermissionResponse
    42. 

  42. 	AuthRoleDeleteResponse           pb.AuthRoleDeleteResponse
    43. 

  43. 

  44. 	PermissionType authpb.Permission_Type
    45. 

  45. )
    46. 

  46. 

  47. const (
    48. 

  48. 	PermRead      = authpb.READ
    49. 

  49. 	PermWrite     = authpb.WRITE
    50. 

  50. 	PermReadWrite = authpb.READWRITE
    51. 

  51. )
    52. 

  52. 

  53. type Auth interface {
    54. 

  54. 	// AuthEnable enables auth of an etcd cluster.
    55. 

  55. 	AuthEnable(ctx context.Context) (*AuthEnableResponse, error)
    56. 

  56. 

  57. 	// AuthDisable disables auth of an etcd cluster.
    58. 

  58. 	AuthDisable(ctx context.Context) (*AuthDisableResponse, error)
    59. 

  59. 

  60. 	// UserAdd adds a new user to an etcd cluster.
    61. 

  61. 	UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)
    62. 

  62. 

  63. 	// UserDelete deletes a user from an etcd cluster.
    64. 

  64. 	UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)
    65. 

  65. 

  66. 	// UserChangePassword changes a password of a user.
    67. 

  67. 	UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)
    68. 

  68. 

  69. 	// UserGrant grants a role to a user.
    70. 

  70. 	UserGrant(ctx context.Context, user string, role string) (*AuthUserGrantResponse, error)
    71. 

  71. 

  72. 	// UserGet gets a detailed information of a user.
    73. 

  73. 	UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error)
    74. 

  74. 

  75. 	// UserRevokeRole revokes a role of a user.
    76. 

  76. 	UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error)
    77. 

  77. 

  78. 	// RoleAdd adds a new role to an etcd cluster.
    79. 

  79. 	RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)
    80. 

  80. 

  81. 	// RoleGrant grants a permission to a role.
    82. 

  82. 	RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error)
    83. 

  83. 

  84. 	// RoleGet gets a detailed information of a role.
    85. 

  85. 	RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error)
    86. 

  86. 

  87. 	// RoleRevokePermission revokes a key from a user.
    88. 

  88. 	RoleRevokePermission(ctx context.Context, role string, key string) (*AuthRoleRevokePermissionResponse, error)
    89. 

  89. 

  90. 	// RoleDelete deletes a role.
    91. 

  91. 	RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error)
    92. 

  92. }
    93. 

  93. 

  94. type auth struct {
    95. 

  95. 	c *Client
    96. 

  96. 

  97. 	conn   *grpc.ClientConn // conn in-use
    98. 

  98. 	remote pb.AuthClient
    99. 

  99. }
    100. 

  100. 

  101. func NewAuth(c *Client) Auth {
    102. 

  102. 	conn := c.ActiveConnection()
    103. 

  103. 	return &auth{
    104. 

  104. 		conn:   c.ActiveConnection(),
    105. 

  105. 		remote: pb.NewAuthClient(conn),
    106. 

  106. 		c:      c,
    107. 

  107. 	}
    108. 

  108. }
    109. 

  109. 

  110. func (auth *auth) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {
    111. 

  111. 	resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{})
    112. 

  112. 	return (*AuthEnableResponse)(resp), rpctypes.Error(err)
    113. 

  113. }
    114. 

  114. 

  115. func (auth *auth) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) {
    116. 

  116. 	resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{})
    117. 

  117. 	return (*AuthDisableResponse)(resp), rpctypes.Error(err)
    118. 

  118. }
    119. 

  119. 

  120. func (auth *auth) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {
    121. 

  121. 	resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password})
    122. 

  122. 	return (*AuthUserAddResponse)(resp), rpctypes.Error(err)
    123. 

  123. }
    124. 

  124. 

  125. func (auth *auth) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) {
    126. 

  126. 	resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name})
    127. 

  127. 	return (*AuthUserDeleteResponse)(resp), rpctypes.Error(err)
    128. 

  128. }
    129. 

  129. 

  130. func (auth *auth) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) {
    131. 

  131. 	resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password})
    132. 

  132. 	return (*AuthUserChangePasswordResponse)(resp), rpctypes.Error(err)
    133. 

  133. }
    134. 

  134. 

  135. func (auth *auth) UserGrant(ctx context.Context, user string, role string) (*AuthUserGrantResponse, error) {
    136. 

  136. 	resp, err := auth.remote.UserGrant(ctx, &pb.AuthUserGrantRequest{User: user, Role: role})
    137. 

  137. 	return (*AuthUserGrantResponse)(resp), rpctypes.Error(err)
    138. 

  138. }
    139. 

  139. 

  140. func (auth *auth) UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) {
    141. 

  141. 	resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name})
    142. 

  142. 	return (*AuthUserGetResponse)(resp), rpctypes.Error(err)
    143. 

  143. }
    144. 

  144. 

  145. func (auth *auth) UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error) {
    146. 

  146. 	resp, err := auth.remote.UserRevokeRole(ctx, &pb.AuthUserRevokeRoleRequest{Name: name, Role: role})
    147. 

  147. 	return (*AuthUserRevokeRoleResponse)(resp), rpctypes.Error(err)
    148. 

  148. }
    149. 

  149. 

  150. func (auth *auth) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) {
    151. 

  151. 	resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name})
    152. 

  152. 	return (*AuthRoleAddResponse)(resp), rpctypes.Error(err)
    153. 

  153. }
    154. 

  154. 

  155. func (auth *auth) RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error) {
    156. 

  156. 	perm := &authpb.Permission{
    157. 

  157. 		Key:      []byte(key),
    158. 

  158. 		PermType: authpb.Permission_Type(permType),
    159. 

  159. 	}
    160. 

  160. 	resp, err := auth.remote.RoleGrant(ctx, &pb.AuthRoleGrantRequest{Name: name, Perm: perm})
    161. 

  161. 	return (*AuthRoleGrantResponse)(resp), rpctypes.Error(err)
    162. 

  162. }
    163. 

  163. 

  164. func (auth *auth) RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) {
    165. 

  165. 	resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role})
    166. 

  166. 	return (*AuthRoleGetResponse)(resp), rpctypes.Error(err)
    167. 

  167. }
    168. 

  168. 

  169. func (auth *auth) RoleRevokePermission(ctx context.Context, role string, key string) (*AuthRoleRevokePermissionResponse, error) {
    170. 

  170. 	resp, err := auth.remote.RoleRevokePermission(ctx, &pb.AuthRoleRevokePermissionRequest{Role: role, Key: key})
    171. 

  171. 	return (*AuthRoleRevokePermissionResponse)(resp), rpctypes.Error(err)
    172. 

  172. }
    173. 

  173. 

  174. func (auth *auth) RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error) {
    175. 

  175. 	resp, err := auth.remote.RoleDelete(ctx, &pb.AuthRoleDeleteRequest{Role: role})
    176. 

  176. 	return (*AuthRoleDeleteResponse)(resp), rpctypes.Error(err)
    177. 

  177. }
    178. 

  178. 

  179. func StrToPermissionType(s string) (PermissionType, error) {
    180. 

  180. 	val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]
    181. 

  181. 	if ok {
    182. 

  182. 		return PermissionType(val), nil
    183. 

  183. 	}
    184. 

  184. 	return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)
    185. 

  185. }
    186. 

  186. 

  187. type authenticator struct {
    188. 

  188. 	conn   *grpc.ClientConn // conn in-use
    189. 

  189. 	remote pb.AuthClient
    190. 

  190. }
    191. 

  191. 

  192. func (auth *authenticator) authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) {
    193. 

  193. 	resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password})
    194. 

  194. 	return (*AuthenticateResponse)(resp), rpctypes.Error(err)
    195. 

  195. }
    196. 

  196. 

  197. func (auth *authenticator) close() {
    198. 

  198. 	auth.conn.Close()
    199. 

  199. }
    200. 

  200. 

  201. func newAuthenticator(endpoint string, opts []grpc.DialOption) (*authenticator, error) {
    202. 

  202. 	conn, err := grpc.Dial(endpoint, opts...)
    203. 

  203. 	if err != nil {
    204. 

  204. 		return nil, err
    205. 

  205. 	}
    206. 

  206. 

  207. 	return &authenticator{
    208. 

  208. 		conn:   conn,
    209. 

  209. 		remote: pb.NewAuthClient(conn),
    210. 

  210. 	}, nil
    211. 

  211. }
    212.