auth, e2e, clientv3: the root role should be granted access to every key

This commit changes the semantics of the root role. The role should be able to access to every key. Partially fixes https://github.com/coreos/etcd/issues/6355
2016-09-06 11:32:25 +09:00
parent 271df0dd71
commit bc5d7bbe03
3 changed files with 49 additions and 23 deletions
--- a/clientv3/example_auth_test.go
+++ b/clientv3/example_auth_test.go
@ -35,22 +35,32 @@ func ExampleAuth() {
 	if _, err = cli.RoleAdd(context.TODO(), "root"); err != nil {
 		log.Fatal(err)
 	}
-
-	if _, err = cli.RoleGrantPermission(
-		context.TODO(),
-		"root", // role name
-		"foo",  // key
-		"zoo",  // range end
-		clientv3.PermissionType(clientv3.PermReadWrite),
-	); err != nil {
-		log.Fatal(err)
-	}
 	if _, err = cli.UserAdd(context.TODO(), "root", "123"); err != nil {
 		log.Fatal(err)
 	}
 	if _, err = cli.UserGrantRole(context.TODO(), "root", "root"); err != nil {
 		log.Fatal(err)
 	}
+
+	if _, err = cli.RoleAdd(context.TODO(), "r"); err != nil {
+		log.Fatal(err)
+	}
+
+	if _, err = cli.RoleGrantPermission(
+		context.TODO(),
+		"r",   // role name
+		"foo", // key
+		"zoo", // range end
+		clientv3.PermissionType(clientv3.PermReadWrite),
+	); err != nil {
+		log.Fatal(err)
+	}
+	if _, err = cli.UserAdd(context.TODO(), "u", "123"); err != nil {
+		log.Fatal(err)
+	}
+	if _, err = cli.UserGrantRole(context.TODO(), "u", "r"); err != nil {
+		log.Fatal(err)
+	}
 	if _, err = cli.AuthEnable(context.TODO()); err != nil {
 		log.Fatal(err)
 	}
@ -58,7 +68,7 @@ func ExampleAuth() {
 	cliAuth, err := clientv3.New(clientv3.Config{
 		Endpoints:   endpoints,
 		DialTimeout: dialTimeout,
-		Username:    "root",
+		Username:    "u",
 		Password:    "123",
 	})
 	if err != nil {
@ -77,16 +87,27 @@ func ExampleAuth() {
 		Commit()
 	fmt.Println(err)

-	// now check the permission
-	resp, err := cliAuth.RoleGet(context.TODO(), "root")
+	// now check the permission with the root account
+	rootCli, err := clientv3.New(clientv3.Config{
+		Endpoints:   endpoints,
+		DialTimeout: dialTimeout,
+		Username:    "root",
+		Password:    "123",
+	})
 	if err != nil {
 		log.Fatal(err)
 	}
-	fmt.Printf("root user permission: key %q, range end %q\n", resp.Perm[0].Key, resp.Perm[0].RangeEnd)
+	defer rootCli.Close()

-	if _, err = cliAuth.AuthDisable(context.TODO()); err != nil {
+	resp, err := rootCli.RoleGet(context.TODO(), "r")
+	if err != nil {
+		log.Fatal(err)
+	}
+	fmt.Printf("user u permission: key %q, range end %q\n", resp.Perm[0].Key, resp.Perm[0].RangeEnd)
+
+	if _, err = rootCli.AuthDisable(context.TODO()); err != nil {
 		log.Fatal(err)
 	}
 	// Output: etcdserver: permission denied
-	// root user permission: key "foo", range end "zoo"
+	// user u permission: key "foo", range end "zoo"
 }