mirrors/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

etcdctl: add a new option --from-key for unlimited range permission

Browse Source 
This commit adds a new option --from-key to the command etcdctl role
grant-permission. If the option is passed, an open ended permission
will be granted to a role e.g. from start-key to any keys those are
larger than start-key.

Example:
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant r1 readwrite a b
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant --from-key r1 readwrite c
$ ETCDCTL_API=3 bin/etcdctl --user root:p role get r1
Role r1
KV Read:
        [a, b) (prefix a)
        [c, <open ended>
KV Write:
        [a, b) (prefix a)
        [c, <open ended>

Note that a closed parenthesis doesn't follow the above <open ended>
for indicating that the role has an open ended permission ("<open
ended>" is a valid range end).

Fixes https://github.com/coreos/etcd/issues/7468
This commit is contained in:
Hitoshi Mitake
2017-04-03 17:29:31 +09:00
parent d6efc0b22b
commit 0a7fc7cd34
4 changed files with 48 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
auth/range_perm_cache.go
View File

@ -38,11 +38,18 @@ func getMergedPerms(tx backend.BatchTx, userName string) *unifiedRangePermission
for _, perm := range role.KeyPermission {
var ivl adt.Interval
var rangeEnd string
if len(perm.RangeEnd) == 1 && perm.RangeEnd[0] == 0 {
rangeEnd = ""
} else {
rangeEnd = string(perm.RangeEnd)
}
if len(perm.RangeEnd) != 0 {
ivl = adt.NewStringInterval(string(perm.Key), string(perm.RangeEnd))
ivl = adt.NewStringAffineInterval(string(perm.Key), string(rangeEnd))
} else {
ivl = adt.NewStringPoint(string(perm.Key))
ivl = adt.NewStringAffinePoint(string(perm.Key))
}
switch perm.PermType {
@ -66,7 +73,11 @@ func getMergedPerms(tx backend.BatchTx, userName string) *unifiedRangePermission
}
func checkKeyInterval(cachedPerms *unifiedRangePermissions, key, rangeEnd string, permtyp authpb.Permission_Type) bool {
ivl := adt.NewStringInterval(key, rangeEnd)
if len(rangeEnd) == 1 && rangeEnd[0] == '\x00' {
rangeEnd = ""
}
ivl := adt.NewStringAffineInterval(key, rangeEnd)
switch permtyp {
case authpb.READ:
return cachedPerms.readPerms.Contains(ivl)
@ -79,7 +90,7 @@ func checkKeyInterval(cachedPerms *unifiedRangePermissions, key, rangeEnd string
}
func checkKeyPoint(cachedPerms *unifiedRangePermissions, key string, permtyp authpb.Permission_Type) bool {
pt := adt.NewStringPoint(key)
pt := adt.NewStringAffinePoint(key)
switch permtyp {
case authpb.READ:
return cachedPerms.readPerms.Intersects(pt)