mirrors/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Early exit auth check on lease puts

Browse Source 
Mitigates #15993 by not checking each key individually for permission
when auth is entirely disabled or admin user is calling the method.

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This commit is contained in:
Thomas Jungblut
2023-06-06 10:23:46 +02:00
parent 004195bb6e
commit dfbe2038f3
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server/etcdserver/apply/apply_auth.go
View File

@ -125,6 +125,12 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke
func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error { func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
l := aa.lessor.Lookup(leaseID) l := aa.lessor.Lookup(leaseID)
if l != nil { if l != nil {
// early return for most-common scenario of either disabled auth or admin user.
// IsAdminPermitted also checks whether auth is enabled
if err := aa.as.IsAdminPermitted(&aa.authInfo); err == nil {
return nil
}
for _, key := range l.Keys() { for _, key := range l.Keys() {
if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil { if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
return err return err