Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance the root permission, when root role exist, it always return rootPerm. #13006

Merged
merged 1 commit into from
May 24, 2021
Merged

Enhance the root permission, when root role exist, it always return rootPerm. #13006

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion etcdctl/ctlv3/command/printer_simple.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ func (s *simplePrinter) RoleGet(role string, r v3.AuthRoleGetResponse) {
} else {
fmt.Printf("\t[%s, <open ended>", sKey)
}
if v3.GetPrefixRangeEnd(sKey) == sRangeEnd {
if v3.GetPrefixRangeEnd(sKey) == sRangeEnd && len(sKey) > 0 {
Copy link
Contributor Author

@horizonzy horizonzy May 19, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When sKey is empty, GetPrefixRangeEnd will return []byte{0}, it will be same with rootPerm rangeEnd []byte{0}.
And when sKey is empty, it shouldn't show prefix.
So modify it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity: What's wrong with showing 'empty' prefix. Prefixes are IMHO easier to understand than ranges.

Copy link
Contributor Author

@horizonzy horizonzy May 20, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it will show:


Role root
KV Read:
        [, <open ended> (prefix )
KV Write:
        [, <open ended> (prefix )

It's not the expected when role is root

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact, the empty prefix is no sense.

fmt.Printf(" (prefix %s)", sKey)
}
fmt.Printf("\n")
Expand Down
12 changes: 9 additions & 3 deletions server/auth/store.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,8 @@ var (

revisionKey = []byte("authRevision")

rootPerm = authpb.Permission{PermType: authpb.READWRITE, Key: []byte{}, RangeEnd: []byte{0}}

ErrRootUserNotExist = errors.New("auth: root user does not exist")
ErrRootRoleNotExist = errors.New("auth: root user does not have root role")
ErrUserAlreadyExist = errors.New("auth: user already exists")
Expand Down Expand Up @@ -631,7 +633,11 @@ func (as *authStore) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse,
if role == nil {
return nil, ErrRoleNotFound
}
resp.Perm = append(resp.Perm, role.KeyPermission...)
if rootRole == string(role.Name) {
resp.Perm = append(resp.Perm, &rootPerm)
} else {
resp.Perm = append(resp.Perm, role.KeyPermission...)
}
return &resp, nil
}

Expand Down Expand Up @@ -950,8 +956,8 @@ func delUser(tx backend.BatchTx, username string) {
tx.UnsafeDelete(buckets.AuthUsers, []byte(username))
}

func getRole(lg *zap.Logger, tx backend.BatchTx, rolename string) *authpb.Role {
_, vs := tx.UnsafeRange(buckets.AuthRoles, []byte(rolename), nil, 0)
func getRole(lg *zap.Logger, tx backend.BatchTx, roleName string) *authpb.Role {
_, vs := tx.UnsafeRange(buckets.AuthRoles, []byte(roleName), nil, 0)
if len(vs) == 0 {
return nil
}
Expand Down
57 changes: 42 additions & 15 deletions server/auth/store_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ import (
"context"
"encoding/base64"
"fmt"
"reflect"
"github.com/stretchr/testify/assert"
"strings"
"sync"
"testing"
Expand Down Expand Up @@ -384,9 +384,8 @@ func TestGetUser(t *testing.T) {
t.Fatal("expect user not nil, got nil")
}
expected := []string{"role-test"}
if !reflect.DeepEqual(expected, u.Roles) {
t.Errorf("expected %v, got %v", expected, u.Roles)
}

assert.Equal(t, expected, u.Roles)

// check non existent user
_, err = as.UserGet(&pb.AuthUserGetRequest{Name: "nouser"})
Expand Down Expand Up @@ -445,9 +444,40 @@ func TestRoleGrantPermission(t *testing.T) {
t.Fatal(err)
}

if !reflect.DeepEqual(perm, r.Perm[0]) {
t.Errorf("expected %v, got %v", perm, r.Perm[0])
assert.Equal(t, perm, r.Perm[0])
}

func TestRootRoleGrantPermission(t *testing.T) {
as, tearDown := setupAuthStore(t)
defer tearDown(t)

perm := &authpb.Permission{
PermType: authpb.WRITE,
Key: []byte("Keys"),
RangeEnd: []byte("RangeEnd"),
}
_, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
Name: "root",
Perm: perm,
})

if err != nil {
t.Error(err)
}

r, err := as.RoleGet(&pb.AuthRoleGetRequest{Role: "root"})
if err != nil {
t.Fatal(err)
}

//whatever grant permission to root, it always return root permission.
expectPerm := &authpb.Permission{
PermType: authpb.READWRITE,
Key: []byte{},
RangeEnd: []byte{0},
}

assert.Equal(t, expectPerm, r.Perm[0])
}

func TestRoleRevokePermission(t *testing.T) {
Expand Down Expand Up @@ -522,9 +552,8 @@ func TestUserRevokePermission(t *testing.T) {
}

expected := []string{"role-test", "role-test-1"}
if !reflect.DeepEqual(expected, u.Roles) {
t.Fatalf("expected %v, got %v", expected, u.Roles)
}

assert.Equal(t, expected, u.Roles)

_, err = as.UserRevokeRole(&pb.AuthUserRevokeRoleRequest{Name: "foo", Role: "role-test-1"})
if err != nil {
Expand All @@ -537,9 +566,8 @@ func TestUserRevokePermission(t *testing.T) {
}

expected = []string{"role-test"}
if !reflect.DeepEqual(expected, u.Roles) {
t.Errorf("expected %v, got %v", expected, u.Roles)
}

assert.Equal(t, expected, u.Roles)
}

func TestRoleDelete(t *testing.T) {
Expand All @@ -555,9 +583,8 @@ func TestRoleDelete(t *testing.T) {
t.Fatal(err)
}
expected := []string{"root"}
if !reflect.DeepEqual(expected, rl.Roles) {
t.Errorf("expected %v, got %v", expected, rl.Roles)
}

assert.Equal(t, expected, rl.Roles)
}

func TestAuthInfoFromCtx(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion tests/e2e/ctl_v3_role_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ func rootRoleGetTest(cx ctlCtx) {
},
{
args: []string{"get", "root"},
expectedStr: []string{"Role root\r\n", "KV Read:\r\n", "\tfoo\r\n", "KV Write:\r\n", "\tfoo\r\n"},
expectedStr: []string{"Role root\r\n", "KV Read:\r\n", "\t[, <open ended>\r\n", "KV Write:\r\n", "\t[, <open ended>\r\n"},
horizonzy marked this conversation as resolved.
Show resolved Hide resolved
},
}

Expand Down