Enhance the root permission, when root role exist, it always return rootPerm. (#13006)

Run `etcdctl role grant-permission root readwrite foo`, then compare the output of `etcdctl role get root`.
Before:
Role root
KV Read:
        foo
KV Write:
        foo
After:
Role root
KV Read:
        [, <open ended>
KV Write:
        [, <open ended>
This commit is contained in:
赵延
2021-05-25 05:58:00 +08:00
committed by GitHub
parent d2e04a7171
commit 64b01a7a8d
4 changed files with 53 additions and 20 deletions


@ -46,6 +46,8 @@ var (
revisionKey = []byte("authRevision")
rootPerm = authpb.Permission{PermType: authpb.READWRITE, Key: []byte{}, RangeEnd: []byte{0}}
ErrRootUserNotExist = errors.New("auth: root user does not exist")
ErrRootRoleNotExist = errors.New("auth: root user does not have root role")
ErrUserAlreadyExist = errors.New("auth: user already exists")
@ -631,7 +633,11 @@ func (as *authStore) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse,
if role == nil {
return nil, ErrRoleNotFound
}
resp.Perm = append(resp.Perm, role.KeyPermission...)
if rootRole == string(role.Name) {
resp.Perm = append(resp.Perm, &rootPerm)
} else {
resp.Perm = append(resp.Perm, role.KeyPermission...)
}
return &resp, nil
}
@ -950,8 +956,8 @@ func delUser(tx backend.BatchTx, username string) {
tx.UnsafeDelete(buckets.AuthUsers, []byte(username))
}
func getRole(lg *zap.Logger, tx backend.BatchTx, rolename string) *authpb.Role {
_, vs := tx.UnsafeRange(buckets.AuthRoles, []byte(rolename), nil, 0)
func getRole(lg *zap.Logger, tx backend.BatchTx, roleName string) *authpb.Role {
_, vs := tx.UnsafeRange(buckets.AuthRoles, []byte(roleName), nil, 0)
if len(vs) == 0 {
return nil
}
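Review bot: `resp.Perm = append(resp.Perm, &rootPerm)` on the new side of the RoleGet hunk hands every caller a pointer to the shared package-level `rootPerm` variable, so any later in-place edit of a response's Permission (a test, a caller, or a future code path) would silently change the permission reported for root process-wide; Go has no const structs, so take a copy first: `p := rootPerm` / `resp.Perm = append(resp.Perm, &p)`. Note also that this only changes what RoleGet reports — a grant to root via RoleGrantPermission (outside this hunk) is presumably still persisted but is now hidden from `role get`, which deserves a comment on the new branch, e.g. `// root always has full-range readwrite access, so stored grants for it are not reported`. RoleGet's signature and the `resp` declaration lie outside the hunk.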