apply_auth.go 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169
  1. // Copyright 2016 The etcd Authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. package etcdserver
  15. import (
  16. "sync"
  17. "github.com/coreos/etcd/auth"
  18. pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
  19. )
  20. type authApplierV3 struct {
  21. applierV3
  22. as auth.AuthStore
  23. // mu serializes Apply so that user isn't corrupted and so that
  24. // serialized requests don't leak data from TOCTOU errors
  25. mu sync.Mutex
  26. user string
  27. }
  28. func newAuthApplierV3(as auth.AuthStore, base applierV3) *authApplierV3 {
  29. return &authApplierV3{applierV3: base, as: as}
  30. }
  31. func (aa *authApplierV3) Apply(r *pb.InternalRaftRequest) *applyResult {
  32. aa.mu.Lock()
  33. defer aa.mu.Unlock()
  34. if r.Header != nil {
  35. // backward-compatible with pre-3.0 releases when internalRaftRequest
  36. // does not have header field
  37. aa.user = r.Header.Username
  38. }
  39. if needAdminPermission(r) && !aa.as.IsAdminPermitted(aa.user) {
  40. aa.user = ""
  41. return &applyResult{err: auth.ErrPermissionDenied}
  42. }
  43. ret := aa.applierV3.Apply(r)
  44. aa.user = ""
  45. return ret
  46. }
  47. func (aa *authApplierV3) Put(txnID int64, r *pb.PutRequest) (*pb.PutResponse, error) {
  48. if !aa.as.IsPutPermitted(aa.user, r.Key) {
  49. return nil, auth.ErrPermissionDenied
  50. }
  51. if r.PrevKv && !aa.as.IsRangePermitted(aa.user, r.Key, nil) {
  52. return nil, auth.ErrPermissionDenied
  53. }
  54. return aa.applierV3.Put(txnID, r)
  55. }
  56. func (aa *authApplierV3) Range(txnID int64, r *pb.RangeRequest) (*pb.RangeResponse, error) {
  57. if !aa.as.IsRangePermitted(aa.user, r.Key, r.RangeEnd) {
  58. return nil, auth.ErrPermissionDenied
  59. }
  60. return aa.applierV3.Range(txnID, r)
  61. }
  62. func (aa *authApplierV3) DeleteRange(txnID int64, r *pb.DeleteRangeRequest) (*pb.DeleteRangeResponse, error) {
  63. if !aa.as.IsDeleteRangePermitted(aa.user, r.Key, r.RangeEnd) {
  64. return nil, auth.ErrPermissionDenied
  65. }
  66. if r.PrevKv && !aa.as.IsRangePermitted(aa.user, r.Key, r.RangeEnd) {
  67. return nil, auth.ErrPermissionDenied
  68. }
  69. return aa.applierV3.DeleteRange(txnID, r)
  70. }
  71. func (aa *authApplierV3) checkTxnReqsPermission(reqs []*pb.RequestOp) bool {
  72. for _, requ := range reqs {
  73. switch tv := requ.Request.(type) {
  74. case *pb.RequestOp_RequestRange:
  75. if tv.RequestRange == nil {
  76. continue
  77. }
  78. if !aa.as.IsRangePermitted(aa.user, tv.RequestRange.Key, tv.RequestRange.RangeEnd) {
  79. return false
  80. }
  81. case *pb.RequestOp_RequestPut:
  82. if tv.RequestPut == nil {
  83. continue
  84. }
  85. if !aa.as.IsPutPermitted(aa.user, tv.RequestPut.Key) {
  86. return false
  87. }
  88. case *pb.RequestOp_RequestDeleteRange:
  89. if tv.RequestDeleteRange == nil {
  90. continue
  91. }
  92. if tv.RequestDeleteRange.PrevKv && !aa.as.IsRangePermitted(aa.user, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd) {
  93. return false
  94. }
  95. }
  96. }
  97. return true
  98. }
  99. func (aa *authApplierV3) Txn(rt *pb.TxnRequest) (*pb.TxnResponse, error) {
  100. for _, c := range rt.Compare {
  101. if !aa.as.IsRangePermitted(aa.user, c.Key, nil) {
  102. return nil, auth.ErrPermissionDenied
  103. }
  104. }
  105. if !aa.checkTxnReqsPermission(rt.Success) {
  106. return nil, auth.ErrPermissionDenied
  107. }
  108. if !aa.checkTxnReqsPermission(rt.Failure) {
  109. return nil, auth.ErrPermissionDenied
  110. }
  111. return aa.applierV3.Txn(rt)
  112. }
  113. func needAdminPermission(r *pb.InternalRaftRequest) bool {
  114. switch {
  115. case r.AuthEnable != nil:
  116. return true
  117. case r.AuthDisable != nil:
  118. return true
  119. case r.AuthUserAdd != nil:
  120. return true
  121. case r.AuthUserDelete != nil:
  122. return true
  123. case r.AuthUserChangePassword != nil:
  124. return true
  125. case r.AuthUserGrantRole != nil:
  126. return true
  127. case r.AuthUserGet != nil:
  128. return true
  129. case r.AuthUserRevokeRole != nil:
  130. return true
  131. case r.AuthRoleAdd != nil:
  132. return true
  133. case r.AuthRoleGrantPermission != nil:
  134. return true
  135. case r.AuthRoleGet != nil:
  136. return true
  137. case r.AuthRoleRevokePermission != nil:
  138. return true
  139. case r.AuthRoleDelete != nil:
  140. return true
  141. case r.AuthUserList != nil:
  142. return true
  143. case r.AuthRoleList != nil:
  144. return true
  145. default:
  146. return false
  147. }
  148. }