Enhance the root permission, when root role exist, it always return r…

…ootPerm. etcdctl role grant-permission root readwrite foo. see etcdctl role get root output. Before: Role root KV Read: foo KV Write: foo After: Role root KV Read: [, <open ended> KV Write: [, <open ended>
etcd-io · May 20, 2021 · 992805f · 992805f
1 parent 5f60e0d
commit 992805f
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 5 deletions.
diff --git a/etcdctl/ctlv3/command/printer_simple.go b/etcdctl/ctlv3/command/printer_simple.go
@@ -200,7 +200,7 @@ func (s *simplePrinter) RoleGet(role string, r v3.AuthRoleGetResponse) {
 		} else {
 			fmt.Printf("\t[%s, <open ended>", sKey)
 		}
-		if v3.GetPrefixRangeEnd(sKey) == sRangeEnd {
+		if v3.GetPrefixRangeEnd(sKey) == sRangeEnd && len(sKey) > 0 {
 			fmt.Printf(" (prefix %s)", sKey)
 		}
 		fmt.Printf("\n")

diff --git a/server/auth/store.go b/server/auth/store.go
@@ -46,6 +46,8 @@ var (
 
 	revisionKey = []byte("authRevision")
 
+	rootPerm = authpb.Permission{PermType: authpb.READWRITE, Key: []byte{}, RangeEnd: []byte{0}}
+
 	ErrRootUserNotExist     = errors.New("auth: root user does not exist")
 	ErrRootRoleNotExist     = errors.New("auth: root user does not have root role")
 	ErrUserAlreadyExist     = errors.New("auth: user already exists")
@@ -631,7 +633,11 @@ func (as *authStore) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse,
 	if role == nil {
 		return nil, ErrRoleNotFound
 	}
-	resp.Perm = append(resp.Perm, role.KeyPermission...)
+	if rootRole == string(role.Name) {
+		resp.Perm = append(resp.Perm, &rootPerm)
+	} else {
+		resp.Perm = append(resp.Perm, role.KeyPermission...)
+	}
 	return &resp, nil
 }
 
@@ -950,8 +956,8 @@ func delUser(tx backend.BatchTx, username string) {
 	tx.UnsafeDelete(buckets.AuthUsers, []byte(username))
 }
 
-func getRole(lg *zap.Logger, tx backend.BatchTx, rolename string) *authpb.Role {
-	_, vs := tx.UnsafeRange(buckets.AuthRoles, []byte(rolename), nil, 0)
+func getRole(lg *zap.Logger, tx backend.BatchTx, roleName string) *authpb.Role {
+	_, vs := tx.UnsafeRange(buckets.AuthRoles, []byte(roleName), nil, 0)
 	if len(vs) == 0 {
 		return nil
 	}

diff --git a/server/auth/store_test.go b/server/auth/store_test.go
@@ -450,6 +450,40 @@ func TestRoleGrantPermission(t *testing.T) {
 	}
 }
 
+func TestRootRoleGrantPermission(t *testing.T) {
+	as, tearDown := setupAuthStore(t)
+	defer tearDown(t)
+
+	perm := &authpb.Permission{
+		PermType: authpb.WRITE,
+		Key:      []byte("Keys"),
+		RangeEnd: []byte("RangeEnd"),
+	}
+	_, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
+		Name: "root",
+		Perm: perm,
+	})
+
+	if err != nil {
+		t.Error(err)
+	}
+
+	r, err := as.RoleGet(&pb.AuthRoleGetRequest{Role: "root"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	//whatever grant permission to root, it always return root permission.
+	expectPerm := &authpb.Permission{
+		PermType: authpb.READWRITE,
+		RangeEnd: []byte{0},
+	}
+
+	if !reflect.DeepEqual(expectPerm, r.Perm[0]) {
+		t.Errorf("expected %v, got %v", expectPerm, r.Perm[0])
+	}
+}
+
 func TestRoleRevokePermission(t *testing.T) {
 	as, tearDown := setupAuthStore(t)
 	defer tearDown(t)

diff --git a/tests/e2e/ctl_v3_role_test.go b/tests/e2e/ctl_v3_role_test.go
@@ -76,7 +76,7 @@ func rootRoleGetTest(cx ctlCtx) {
 		},
 		{
 			args:        []string{"get", "root"},
-			expectedStr: []string{"Role root\r\n", "KV Read:\r\n", "\tfoo\r\n", "KV Write:\r\n", "\tfoo\r\n"},
+			expectedStr: []string{"Role root\r\n", "KV Read:\r\n", "\t[, <open ended>\r\n", "KV Write:\r\n", "\t[, <open ended>\r\n"},
 		},
 	}
-Original file line number
+Diff line change
@@ Expand Up / @@ -76,7 +76,7 @@ func rootRoleGetTest(cx ctlCtx) { @@
     		},
     		{
     			args:        []string{"get", "root"},
-    			expectedStr: []string{"Role root\r\n", "KV Read:\r\n", "\tfoo\r\n", "KV Write:\r\n", "\tfoo\r\n"},
+    			expectedStr: []string{"Role root\r\n", "KV Read:\r\n", "\t[, <open ended>\r\n", "KV Write:\r\n", "\t[, <open ended>\r\n"},
     		},
     	}
@@ Expand Down @@