mirrors/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

auth: separate the role create and update path

Browse Source 
Giving both permission and grant/revoke is not allowed.
Creating an existing role is not allowed.
Updating a non-existing is not allowed.
This commit is contained in:
Xiang Li
2015-06-23 13:15:28 -07:00
parent bc61056912
commit c8628c8fe5
2 changed files with 26 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
etcdserver/auth/auth.go
View File

@ -97,6 +97,10 @@ type Permissions struct {
KV rwPermission `json:"kv"` KV rwPermission `json:"kv"`
} }
func (p *Permissions) IsEmpty() bool {
return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
}
type rwPermission struct { type rwPermission struct {
Read []string `json:"read"` Read []string `json:"read"`
Write []string `json:"write"` Write []string `json:"write"`
@ -297,16 +301,6 @@ func (s *Store) GetRole(name string) (Role, error) {
return r, nil return r, nil
} }
func (s *Store) CreateOrUpdateRole(r Role) (role Role, created bool, err error) {
_, err = s.GetRole(r.Role)
if err == nil {
role, err = s.UpdateRole(r)
created = false
return
}
return r, true, s.CreateRole(r)
}
func (s *Store) CreateRole(role Role) error { func (s *Store) CreateRole(role Role) error {
if role.Role == RootRoleName { if role.Role == RootRoleName {
return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role) return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)

29
etcdserver/etcdhttp/client_auth.go
View File

@ -211,17 +211,32 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri
writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON name does not match the name in the URL")) writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON name does not match the name in the URL"))
return return
} }
newrole, created, err := sh.sec.CreateOrUpdateRole(in)
if err != nil { var out auth.Role
writeError(w, err)
return // create
} if in.Grant.IsEmpty() && in.Revoke.IsEmpty() {
if created { err = sh.sec.CreateRole(in)
if err != nil {
writeError(w, err)
return
}
w.WriteHeader(http.StatusCreated) w.WriteHeader(http.StatusCreated)
out = in
} else { } else {
if !in.Permissions.IsEmpty() {
writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON contains both permissions and grant/revoke"))
return
}
out, err = sh.sec.UpdateRole(in)
if err != nil {
writeError(w, err)
return
}
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
} }
err = json.NewEncoder(w).Encode(newrole)
err = json.NewEncoder(w).Encode(out)
if err != nil { if err != nil {
plog.Warningf("forRole error encoding on %s", r.URL) plog.Warningf("forRole error encoding on %s", r.URL)
return return