Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug 1870189: Bump v3.4.14 #65

Merged
merged 106 commits into from
Mar 2, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
106 commits
Select commit Hold shift + click to select a range
78f6798
etcdserver, et al: add --unsafe-no-fsync flag
crawshaw May 25, 2020
91b1a91
Merge pull request #11977 from jpbetz/automated-cherry-pick-of-#11946…
gyuho Jun 5, 2020
434f7e8
pkg: check file stats
spzala Apr 20, 2020
05c441f
embed: fix compaction runtime err
spzala Apr 15, 2020
7d1cf64
wal: fix panic when decoder not set
spzala Apr 23, 2020
9a24f73
Discovery: do not allow passing negative cluster size
spzala Feb 9, 2020
47001f2
etcdmain: best effort detection of self pointing in tcp proxy
xiang90 May 4, 2020
36f8dee
Documentation: note on password strength
mitake Apr 19, 2020
6f011ce
auth: a new error code for the case of password auth against no passw…
mitake Apr 19, 2020
963b242
etcdserver: don't let InternalAuthenticateRequest have password
mitake Apr 26, 2020
3d8e9a3
Documentation: note on the policy of insecure by default
mitake Apr 29, 2020
c69efda
etcdctl, etcdmain: warn about --insecure-skip-tls-verify options
mitake May 3, 2020
6dab8af
Merge pull request #12044 from spzala/automated-cherry-pick-of-#11841…
gyuho Jun 22, 2020
c37245e
Merge pull request #12043 from spzala/automated-cherry-pick-of-#11830…
gyuho Jun 22, 2020
8292fd5
Merge pull request #12042 from spzala/automated-cherry-pick-of-#11818…
gyuho Jun 22, 2020
e151faf
Merge pull request #12040 from spzala/automated-cherry-pick-of-#11796…
gyuho Jun 22, 2020
7adbfa1
Merge pull request #12038 from spzala/automated-cherry-pick-of-#11608…
gyuho Jun 22, 2020
368ff75
Merge pull request #12039 from spzala/automated-cherry-pick-of-#11845…
gyuho Jun 22, 2020
c8b3c6f
Merge pull request #12041 from spzala/automated-cherry-pick-of-#11795…
gyuho Jun 22, 2020
493f15c
Merge pull request #12037 from spzala/automated-cherry-pick-of-#11807…
gyuho Jun 22, 2020
37ac222
Merge pull request #12035 from spzala/automated-cherry-pick-of-#11787…
gyuho Jun 22, 2020
4571e52
wal: check out of range slice in "ReadAll", "decoder"
gyuho Apr 16, 2020
36452a1
clientv3: cancel watches proactively on client context cancellation
jackkleeman May 6, 2020
ee96347
etcdserver:FDUsage set ticker to 10 minute from 5 seconds. This ticke…
cfc4n Jun 16, 2020
b86bb61
doc: add TLS related warnings
xiang90 Jun 23, 2020
e42d7b5
etcdmain: fix shadow error
tangcong Jun 24, 2020
2212a84
Merge pull request #12034 from spzala/automated-cherry-pick-of-#11798…
gyuho Jun 25, 2020
a4f4294
Merge pull request #12072 from tangcong/automated-cherry-pick-of-#120…
gyuho Jun 25, 2020
1a12810
Merge pull request #12070 from spzala/automated-cherry-pick-of-#12060…
gyuho Jun 25, 2020
45192cf
Merge pull request #12064 from cfc4n/automated-cherry-pick-of-#11986-…
gyuho Jun 25, 2020
83fc96d
Merge pull request #12055 from tangcong/automated-cherry-pick-of-#118…
gyuho Jun 25, 2020
31e49a4
Merge pull request #12048 from spzala/automated-cherry-pick-of-#11793…
gyuho Jun 25, 2020
490c613
auth: return incorrect result 'ErrUserNotFound' when client request w…
cfc4n Jun 12, 2020
7b99863
mvcc: chanLen 1024 is to biger,and it used more memory. 128 seems to …
cfc4n Jun 10, 2020
4488595
auth: Customize simpleTokenTTL settings.
cfc4n Jun 11, 2020
e5424fc
pkg: Fix dir permission check on Windows
polyrabbit May 25, 2020
81a2edc
Merge pull request #12081 from spzala/automated-cherry-pick-of-#11945…
gyuho Jun 26, 2020
d5dec73
Merge pull request #12077 from cfc4n/automated-cherry-pick-of-#11980-…
gyuho Jun 26, 2020
99e893d
Merge pull request #12074 from cfc4n/automated-cherry-pick-of-#12005-…
gyuho Jun 26, 2020
0207d1d
pkg/fileutil: print desired file permission in error log
tangcong Jun 10, 2020
a4667f5
etcdmain: fix shadow error
tangcong Jul 1, 2020
7dec4c4
etcdmain: let grpc proxy warn about insecure-skip-tls-verify
mitake Jun 29, 2020
85cc4de
Merge pull request #12103 from spzala/automated-cherry-pick-of-#12092…
spzala Jul 5, 2020
32583af
Merge pull request #12101 from tangcong/automated-cherry-pick-of-#121…
gyuho Jul 6, 2020
a8454e4
Merge pull request #12089 from tangcong/automated-cherry-pick-of-#119…
gyuho Jul 6, 2020
2acdf88
Merge pull request #12076 from cfc4n/automated-cherry-pick-of-#11987-…
gyuho Jul 6, 2020
3193311
pkg: consider umask when use MkdirAll
spzala Jun 15, 2020
d3a702a
Merge pull request #12112 from spzala/automated-cherry-pick-of-#12018…
gyuho Jul 7, 2020
ed28c76
etcdserver: change protobuf field type from int to int64 (#12000)
YoyinZyc Jun 12, 2020
67bfc31
Documentation: note on data encryption
mitake Jun 14, 2020
a2c3748
Merge pull request #12127 from spzala/automated-cherry-pick-of-#12012…
spzala Jul 13, 2020
7b82704
Merge pull request #12106 from bart0sh/PR001-cherry-pick-change-proto…
jingyih Jul 15, 2020
18dfb9c
version: 3.4.10
gyuho Jul 16, 2020
0372cfc
etcdserver/api/v3rpc: "MemberList" never return non-empty ClientURLs
gyuho Jul 16, 2020
e800c62
clientv3: log warning in case of error sending request
yutedz Dec 20, 2019
cf558ee
pkg/runtime: optimize FDUsage by removing sort
gyuho Aug 12, 2020
0080741
etcdserver: add OS level FD metrics
gyuho Aug 12, 2020
6fcab5a
clientv3: remove excessive watch cancel logging
jingyih Jul 29, 2020
8a4afdb
Merge pull request #12189 from jingyih/automated-cherry-pick-of-#1145…
gyuho Aug 14, 2020
c60dabf
*: add experimental flag for watch notify interval
jingyih Aug 14, 2020
75d5e78
*: fix backport of PR12216
jingyih Aug 16, 2020
299e0f1
Revert "etcdserver/api/v3rpc: "MemberList" never return non-empty Cli…
gyuho Aug 18, 2020
bc44e36
version: 3.4.11
gyuho Aug 18, 2020
e71e0c5
Merge pull request #12226 from jingyih/fix_backport_PR12216
gyuho Aug 18, 2020
b8878ea
etcdserver: Avoid panics logging slow v2 requests in integration tests
liggitt Aug 19, 2020
c07cba0
Merge pull request #12239 from liggitt/slow-v2-panic-3.4
gyuho Aug 19, 2020
17cef6e
version: 3.4.12
gyuho Aug 19, 2020
46a0a44
Automated cherry pick of #12243 on release 3.4
hexfusion Aug 21, 2020
7cd5872
Merge pull request #12244 from hexfusion/automated-cherry-pick-of-#12…
hexfusion Aug 21, 2020
d5ebbbc
pkg: file stat warning
spzala Aug 20, 2020
781bde7
Merge pull request #12250 from spzala/automated-cherry-pick-of-#12242…
gyuho Aug 24, 2020
ae9734e
version: 3.4.13
gyuho Aug 24, 2020
f44aaf8
integration: add flag WatchProgressNotifyInterval in integration test
jingyih Sep 6, 2020
dd1b699
Merge pull request #12280 from jingyih/automated-cherry-pick-of-#1227…
jpbetz Sep 10, 2020
3019246
etcdserver: add ConfChangeAddLearnerNode to the list of config changes
galal-hussein Sep 11, 2020
7e2d426
Merge pull request #12299 from galal-hussein/fix_panic_34
jingyih Sep 15, 2020
40b7107
clientv3: get AuthToken automatically when clientConn is ready.
cfc4n Sep 16, 2020
eb0fb0e
Merge pull request #12356 from cfc4n/automated-cherry-pick-of-#12264-…
gyuho Oct 12, 2020
e3b29b6
tools/etcd-dump-metrics: validate exec cmd args
gyuho Nov 25, 2020
a4b43b3
pkg/netutil: remove unused "iptables" wrapper
gyuho Nov 25, 2020
8a03d2e
version: 3.4.14
gyuho Nov 25, 2020
e3a6e53
version: openshift-v4.0
hexfusion Nov 29, 2018
71105c2
Dockerfile: add etcdctl
hexfusion Feb 20, 2019
e1488b8
Dockerfile.*: Fix "etcd is distributed" -> "etcd is a distributed"
wking Feb 7, 2019
056745d
Dockerfile: resolve issue where binary was not properly copied from b…
hexfusion Feb 20, 2019
d0c4369
OWNERS: add
hexfusion May 5, 2019
a0ab7b0
Dockerfile: set coreos org as canonical for release-3.3
hexfusion May 4, 2019
aea1f70
Dockerfile: use build instead of make build
hexfusion Aug 29, 2019
9305d2f
Dockerfile: bump golang 1.12
hexfusion Sep 23, 2019
5cce7e9
add stub discovery-etcd-initial-cluster command
deads2k Feb 20, 2020
d4e6872
build openshift tools with etcd
deads2k Feb 20, 2020
34bc15b
codify the initial cluster check as golang code
deads2k Feb 20, 2020
420e702
Archive data-dir if target member is unstarted
Feb 23, 2020
16c163a
Archive data-dir if target member is unstarted
Feb 23, 2020
d089c92
fix removed member name, unmask error
alaypatel07 Feb 27, 2020
cc39358
If we weren't able to get client or get target member but memberDir e…
Feb 28, 2020
b4bc9e8
list all peers in initial-cluster
deads2k Mar 5, 2020
fd6f3fb
*: migrate openshift assets to new etcd org
hexfusion Apr 7, 2020
728f48b
Revert "pkg, clientv3, etcdmain: let grpcproxy rise an error when its…
hexfusion Apr 7, 2020
8dee987
make evaluation of targetMember strict
deads2k May 14, 2020
c3aff57
go.mod: drop go 1.14
hexfusion Jul 14, 2020
4938e7b
discover-etcd-initial-cluster: improve error handling when we dont sc…
hexfusion Sep 30, 2020
f8ef071
Updating ose-etcd builder & base images to be consistent with ART
jupierce Sep 30, 2020
2ffa177
Updating ose-etcd builder & base images to be consistent with ART
jupierce Oct 7, 2020
b926547
OWNERS: add component
hexfusion Oct 20, 2020
b60e76b
*: tidy
hexfusion Dec 15, 2020
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions Dockerfile.openshift
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
FROM registry.svc.ci.openshift.org/openshift/release:golang-1.12 AS builder

WORKDIR /go/src/go.etcd.io/etcd

COPY . .

RUN ./build

# stage 2
FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base

ENTRYPOINT ["/usr/bin/etcd"]

COPY --from=builder /go/src/go.etcd.io/etcd/bin/etcd /usr/bin/
COPY --from=builder /go/src/go.etcd.io/etcd/bin/etcdctl /usr/bin/
COPY --from=builder /go/src/go.etcd.io/etcd/bin/discover-etcd-initial-cluster /usr/bin/

LABEL io.k8s.display-name="etcd server" \
io.k8s.description="etcd is a distributed key-value store which stores the persistent master state for Kubernetes and OpenShift." \
maintainer="Sam Batschelet <sbatsche@redhat.com>"
20 changes: 20 additions & 0 deletions Dockerfile.rhel
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
FROM registry.svc.ci.openshift.org/ocp/builder:rhel-8-etcd-golang-1.12 AS builder

WORKDIR /go/src/go.etcd.io/etcd

COPY . .

RUN ./build

# stage 2
FROM registry.svc.ci.openshift.org/ocp/4.7:base

ENTRYPOINT ["/usr/bin/etcd"]

COPY --from=builder /go/src/go.etcd.io/etcd/bin/etcd /usr/bin/
COPY --from=builder /go/src/go.etcd.io/etcd/bin/etcdctl /usr/bin/
COPY --from=builder /go/src/go.etcd.io/etcd/bin/discover-etcd-initial-cluster /usr/bin/

LABEL io.k8s.display-name="etcd server" \
io.k8s.description="etcd is a distributed key-value store which stores the persistent master state for Kubernetes and OpenShift." \
maintainer="Sam Batschelet <sbatsche@redhat.com>"
2 changes: 2 additions & 0 deletions Documentation/op-guide/authentication.md
Original file line number Diff line number Diff line change
Expand Up @@ -174,3 +174,5 @@ As of version v3.2 if an etcd server is launched with the option `--client-cert-
As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` or `--peer-cert-allowed-hostname` filtering of inter-peer connections is enabled. Nodes can only join the etcd cluster if their TLS certificate identity match the allowed one.
See [etcd security page](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md) for more details.

## Notes on password strength
`etcdctl` command line interface and etcd API don't check a strength (length, coexistence of numbers and alphabets, etc) of the password during creating a new user or updating password of an existing user. An administrator needs to care about a requirement of password strength by themselves.
6 changes: 3 additions & 3 deletions Documentation/op-guide/gateway.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ title: etcd gateway

## What is etcd gateway

etcd gateway is a simple TCP proxy that forwards network data to the etcd cluster. The gateway is stateless and transparent; it neither inspects client requests nor interferes with cluster responses.
etcd gateway is a simple TCP proxy that forwards network data to the etcd cluster. The gateway is stateless and transparent; it neither inspects client requests nor interferes with cluster responses. It does not terminate TLS connections, do TLS handshakes on behalf of its clients, or verify if the connection is secured.

The gateway supports multiple etcd server endpoints and works on a simple round-robin policy. It only routes to available endpoints and hides failures from its clients. Other retry policies, such as weighted round-robin, may be supported in the future.

Expand Down Expand Up @@ -74,7 +74,7 @@ $ etcd gateway start --discovery-srv=example.com

* Comma-separated list of etcd server targets for forwarding client connections.
* Default: `127.0.0.1:2379`
* Invalid example: `https://127.0.0.1:2379` (gateway does not terminate TLS)
* Invalid example: `https://127.0.0.1:2379` (gateway does not terminate TLS). Note that the gateway does not verify the HTTP schema or inspect the requests, it only forwards requests to the given endpoints.

#### --discovery-srv

Expand Down Expand Up @@ -103,5 +103,5 @@ $ etcd gateway start --discovery-srv=example.com

#### --trusted-ca-file

* Path to the client TLS CA file for the etcd cluster. Used to authenticate endpoints.
* Path to the client TLS CA file for the etcd cluster to verify the endpoints returned from SRV discovery. Note that it is ONLY used for authenticating the discovered endpoints rather than creating connections for data transferring. The gateway never terminates TLS connections or create TLS connections on behalf of its clients.
* Default: (not set)
11 changes: 10 additions & 1 deletion Documentation/op-guide/security.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Transport security model
---

etcd supports automatic TLS as well as authentication through client certificates for both clients to server as well as peer (server to server / cluster) communication.
etcd supports automatic TLS as well as authentication through client certificates for both clients to server as well as peer (server to server / cluster) communication. **Note that etcd doesn't enable [RBAC based authentication][auth] or the authentication feature in the transport layer by default to reduce friction for users getting started with the database. Further, changing this default would be a breaking change for the project which was established since 2013. An etcd cluster which doesn't enable security features can expose its data to any clients.**

To get up and running, first have a CA certificate and a signed key pair for one member. It is recommended to create and sign a new key pair for every member in a cluster.

Expand Down Expand Up @@ -426,8 +426,17 @@ Make sure to sign the certificates with a Subject Name the member's public IP ad

The certificate needs to be signed for the member's FQDN in its Subject Name, use Subject Alternative Names (short IP SANs) to add the IP address. The `etcd-ca` tool provides `--domain=` option for its `new-cert` command, and openssl can make [it][alt-name] too.

### Does etcd encrypt data stored on disk drives?
No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to encrypt data stored on etcd, there are some options:
* Let client applications encrypt and decrypt the data
* Use a feature of underlying storage systems for encrypting stored data like [dm-crypt]

### I’m seeing a log warning that "directory X exist without recommended permission -rwx------"
When etcd create certain new directories it sets file permission to 700 to prevent unprivileged access as possible. However, if user has already created a directory with own preference, etcd uses the existing directory and logs a warning message if the permission is different than 700.

[cfssl]: https://github.com/cloudflare/cfssl
[tls-setup]: ../../hack/tls-setup
[tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md
[alt-name]: http://wiki.cacert.org/FAQ/subjectAltName
[auth]: authentication.md
[dm-crypt]: https://en.wikipedia.org/wiki/Dm-crypt
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@

.PHONY: build
build:
GO_BUILD_FLAGS="-v" ./build
GO111MODULE=on GO_BUILD_FLAGS="-v -mod vendor" ./build
./bin/etcd --version
./bin/etcdctl version

Expand Down
21 changes: 5 additions & 16 deletions OWNERS
Original file line number Diff line number Diff line change
@@ -1,20 +1,9 @@
approvers:
- heyitsanthony
- philips
- fanminshi
- gyuho
- mitake
- jpbetz
- xiang90
- hexfusion
reviewers:
- heyitsanthony
- philips
- fanminshi
- gyuho
- mitake
- jpbetz
- xiang90
- wenjiaswe
- jingyih
- deads2k
- crawford
- hexfusion
- smarterclayton
- wking
component: "Etcd"
25 changes: 18 additions & 7 deletions auth/simple_token.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ const (

// var for testing purposes
var (
simpleTokenTTL = 5 * time.Minute
simpleTokenTTLDefault = 300 * time.Second
simpleTokenTTLResolution = 1 * time.Second
)

Expand All @@ -47,6 +47,7 @@ type simpleTokenTTLKeeper struct {
stopc chan struct{}
deleteTokenFunc func(string)
mu *sync.Mutex
simpleTokenTTL time.Duration
}

func (tm *simpleTokenTTLKeeper) stop() {
Expand All @@ -58,12 +59,12 @@ func (tm *simpleTokenTTLKeeper) stop() {
}

func (tm *simpleTokenTTLKeeper) addSimpleToken(token string) {
tm.tokens[token] = time.Now().Add(simpleTokenTTL)
tm.tokens[token] = time.Now().Add(tm.simpleTokenTTL)
}

func (tm *simpleTokenTTLKeeper) resetSimpleToken(token string) {
if _, ok := tm.tokens[token]; ok {
tm.tokens[token] = time.Now().Add(simpleTokenTTL)
tm.tokens[token] = time.Now().Add(tm.simpleTokenTTL)
}
}

Expand Down Expand Up @@ -101,6 +102,7 @@ type tokenSimple struct {
simpleTokenKeeper *simpleTokenTTLKeeper
simpleTokensMu sync.Mutex
simpleTokens map[string]string // token -> username
simpleTokenTTL time.Duration
}

func (t *tokenSimple) genTokenPrefix() (string, error) {
Expand Down Expand Up @@ -157,6 +159,10 @@ func (t *tokenSimple) invalidateUser(username string) {
}

func (t *tokenSimple) enable() {
if t.simpleTokenTTL <= 0 {
t.simpleTokenTTL = simpleTokenTTLDefault
}

delf := func(tk string) {
if username, ok := t.simpleTokens[tk]; ok {
if t.lg != nil {
Expand All @@ -177,6 +183,7 @@ func (t *tokenSimple) enable() {
stopc: make(chan struct{}),
deleteTokenFunc: delf,
mu: &t.simpleTokensMu,
simpleTokenTTL: t.simpleTokenTTL,
}
go t.simpleTokenKeeper.run()
}
Expand Down Expand Up @@ -234,10 +241,14 @@ func (t *tokenSimple) isValidSimpleToken(ctx context.Context, token string) bool
return false
}

func newTokenProviderSimple(lg *zap.Logger, indexWaiter func(uint64) <-chan struct{}) *tokenSimple {
func newTokenProviderSimple(lg *zap.Logger, indexWaiter func(uint64) <-chan struct{}, TokenTTL time.Duration) *tokenSimple {
if lg == nil {
lg = zap.NewNop()
}
return &tokenSimple{
lg: lg,
simpleTokens: make(map[string]string),
indexWaiter: indexWaiter,
lg: lg,
simpleTokens: make(map[string]string),
indexWaiter: indexWaiter,
simpleTokenTTL: TokenTTL,
}
}
6 changes: 3 additions & 3 deletions auth/simple_token_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,9 @@ import (
// TestSimpleTokenDisabled ensures that TokenProviderSimple behaves correctly when
// disabled.
func TestSimpleTokenDisabled(t *testing.T) {
initialState := newTokenProviderSimple(zap.NewExample(), dummyIndexWaiter)
initialState := newTokenProviderSimple(zap.NewExample(), dummyIndexWaiter, simpleTokenTTLDefault)

explicitlyDisabled := newTokenProviderSimple(zap.NewExample(), dummyIndexWaiter)
explicitlyDisabled := newTokenProviderSimple(zap.NewExample(), dummyIndexWaiter, simpleTokenTTLDefault)
explicitlyDisabled.enable()
explicitlyDisabled.disable()

Expand All @@ -48,7 +48,7 @@ func TestSimpleTokenDisabled(t *testing.T) {
// TestSimpleTokenAssign ensures that TokenProviderSimple can correctly assign a
// token, look it up with info, and invalidate it by user.
func TestSimpleTokenAssign(t *testing.T) {
tp := newTokenProviderSimple(zap.NewExample(), dummyIndexWaiter)
tp := newTokenProviderSimple(zap.NewExample(), dummyIndexWaiter, simpleTokenTTLDefault)
tp.enable()
ctx := context.WithValue(context.WithValue(context.TODO(), AuthenticateParamIndex{}, uint64(1)), AuthenticateParamSimpleTokenPrefix{}, "dummy")
token, err := tp.assign(ctx, "user1", 0)
Expand Down
11 changes: 7 additions & 4 deletions auth/store.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
"strings"
"sync"
"sync/atomic"
"time"

"go.etcd.io/etcd/auth/authpb"
"go.etcd.io/etcd/etcdserver/api/v3rpc/rpctypes"
Expand Down Expand Up @@ -59,6 +60,7 @@ var (
ErrRoleNotFound = errors.New("auth: role not found")
ErrRoleEmpty = errors.New("auth: role name is empty")
ErrAuthFailed = errors.New("auth: authentication failed, invalid user ID or password")
ErrNoPasswordUser = errors.New("auth: authentication failed, password was given for no password user")
ErrPermissionDenied = errors.New("auth: permission denied")
ErrRoleNotGranted = errors.New("auth: role is not granted to the user")
ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role")
Expand Down Expand Up @@ -360,7 +362,7 @@ func (as *authStore) CheckPassword(username, password string) (uint64, error) {
}

if user.Options != nil && user.Options.NoPassword {
return 0, ErrAuthFailed
return 0, ErrNoPasswordUser
}

return getRevision(tx), nil
Expand Down Expand Up @@ -994,7 +996,7 @@ func (as *authStore) IsAdminPermitted(authInfo *AuthInfo) error {
if !as.IsAuthEnabled() {
return nil
}
if authInfo == nil {
if authInfo == nil || authInfo.Username == "" {
return ErrUserEmpty
}

Expand Down Expand Up @@ -1351,7 +1353,8 @@ func decomposeOpts(lg *zap.Logger, optstr string) (string, map[string]string, er
func NewTokenProvider(
lg *zap.Logger,
tokenOpts string,
indexWaiter func(uint64) <-chan struct{}) (TokenProvider, error) {
indexWaiter func(uint64) <-chan struct{},
TokenTTL time.Duration) (TokenProvider, error) {
tokenType, typeSpecificOpts, err := decomposeOpts(lg, tokenOpts)
if err != nil {
return nil, ErrInvalidAuthOpts
Expand All @@ -1364,7 +1367,7 @@ func NewTokenProvider(
} else {
plog.Warningf("simple token is not cryptographically signed")
}
return newTokenProviderSimple(lg, indexWaiter), nil
return newTokenProviderSimple(lg, indexWaiter, TokenTTL), nil

case tokenTypeJWT:
return newTokenProviderJWT(lg, typeSpecificOpts)
Expand Down
28 changes: 17 additions & 11 deletions auth/store_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ func TestNewAuthStoreRevision(t *testing.T) {
b, tPath := backend.NewDefaultTmpBackend()
defer os.Remove(tPath)

tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter)
tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -78,7 +78,7 @@ func TestNewAuthStoreBcryptCost(t *testing.T) {
b, tPath := backend.NewDefaultTmpBackend()
defer os.Remove(tPath)

tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter)
tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)
if err != nil {
t.Fatal(err)
}
Expand All @@ -98,7 +98,7 @@ func TestNewAuthStoreBcryptCost(t *testing.T) {
func setupAuthStore(t *testing.T) (store *authStore, teardownfunc func(t *testing.T)) {
b, tPath := backend.NewDefaultTmpBackend()

tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter)
tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -626,7 +626,7 @@ func TestAuthInfoFromCtxRace(t *testing.T) {
b, tPath := backend.NewDefaultTmpBackend()
defer os.Remove(tPath)

tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter)
tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -658,6 +658,12 @@ func TestIsAdminPermitted(t *testing.T) {
t.Errorf("expected %v, got %v", ErrUserNotFound, err)
}

// empty user
err = as.IsAdminPermitted(&AuthInfo{Username: "", Revision: 1})
if err != ErrUserEmpty {
t.Errorf("expected %v, got %v", ErrUserEmpty, err)
}

// non-admin user
err = as.IsAdminPermitted(&AuthInfo{Username: "foo", Revision: 1})
if err != ErrPermissionDenied {
Expand Down Expand Up @@ -692,7 +698,7 @@ func TestRecoverFromSnapshot(t *testing.T) {

as.Close()

tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter)
tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -725,13 +731,13 @@ func contains(array []string, str string) bool {

func TestHammerSimpleAuthenticate(t *testing.T) {
// set TTL values low to try to trigger races
oldTTL, oldTTLRes := simpleTokenTTL, simpleTokenTTLResolution
oldTTL, oldTTLRes := simpleTokenTTLDefault, simpleTokenTTLResolution
defer func() {
simpleTokenTTL = oldTTL
simpleTokenTTLDefault = oldTTL
simpleTokenTTLResolution = oldTTLRes
}()
simpleTokenTTL = 10 * time.Millisecond
simpleTokenTTLResolution = simpleTokenTTL
simpleTokenTTLDefault = 10 * time.Millisecond
simpleTokenTTLResolution = simpleTokenTTLDefault
users := make(map[string]struct{})

as, tearDown := setupAuthStore(t)
Expand Down Expand Up @@ -774,7 +780,7 @@ func TestRolesOrder(t *testing.T) {
b, tPath := backend.NewDefaultTmpBackend()
defer os.Remove(tPath)

tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter)
tp, err := NewTokenProvider(zap.NewExample(), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -829,7 +835,7 @@ func testAuthInfoFromCtxWithRoot(t *testing.T, opts string) {
b, tPath := backend.NewDefaultTmpBackend()
defer os.Remove(tPath)

tp, err := NewTokenProvider(zap.NewExample(), opts, dummyIndexWaiter)
tp, err := NewTokenProvider(zap.NewExample(), opts, dummyIndexWaiter, simpleTokenTTLDefault)
if err != nil {
t.Fatal(err)
}
Expand Down
Loading