auth: separate the role create and update path

Giving both permission and grant/revoke is not allowed.
Creating an existing role is not allowed.
Updating a non-existing is not allowed.

etcdserver/auth/auth.go

@@ -97,6 +97,10 @@ type Permissions struct {
 	KV rwPermission `json:"kv"`
 }
 
+func (p *Permissions) IsEmpty() bool {
+	return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
+}
+
 type rwPermission struct {
 	Read  []string `json:"read"`
 	Write []string `json:"write"`
@@ -297,16 +301,6 @@ func (s *Store) GetRole(name string) (Role, error) {
 	return r, nil
 }
 
-func (s *Store) CreateOrUpdateRole(r Role) (role Role, created bool, err error) {
-	_, err = s.GetRole(r.Role)
-	if err == nil {
-		role, err = s.UpdateRole(r)
-		created = false
-		return
-	}
-	return r, true, s.CreateRole(r)
-}
-
 func (s *Store) CreateRole(role Role) error {
 	if role.Role == RootRoleName {
 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)