-
Notifications
You must be signed in to change notification settings - Fork 9.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
etcdctl: add a new option --open-ended for unlimited range permission #7649
Conversation
e2e/ctl_v3_role_test.go
Outdated
key string | ||
rangeEnd string | ||
prefix bool | ||
openEnded bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just use rangeEnd == "\x00"
to represent this instead of a special flag?
@@ -141,7 +141,11 @@ func (s *simplePrinter) RoleGet(role string, r v3.AuthRoleGetResponse) { | |||
printRange := func(perm *v3.Permission) { | |||
sKey := string(perm.Key) | |||
sRangeEnd := string(perm.RangeEnd) | |||
fmt.Printf("\t[%s, %s)", sKey, sRangeEnd) | |||
if strings.Compare(sRangeEnd, "\xff") != 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should this be sRangeEnd != "\x00"
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, my understanding of Range interface was very wrong... any byte sequences (other than ascii strings) are allowed to be a key so 0xff cannot be the largest key. I'll follow your suggestions and use StringAffineComparable
for the purpose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just checking against "\x00" here should be OK, no need for the adt/affine stuff. RangeEnd == "\x00" meaning >= is already part of the RPC wire protocol.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for my confusing writing. Yes, I'll just add the checking against "\x00" here. The idea of the affine stuff will be implemented in the perm cache side. My comment wasn't limited to the above line.
@@ -188,7 +192,11 @@ func (s *simplePrinter) RoleRevokePermission(role string, key string, end string | |||
fmt.Printf("Permission of key %s is revoked from role %s\n", key, role) | |||
return | |||
} | |||
fmt.Printf("Permission of range [%s, %s) is revoked from role %s\n", key, end, role) | |||
if strings.Compare(end, "\xff") != 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here, check end is "\x00"?
@@ -83,16 +84,21 @@ func newRoleGrantPermissionCommand() *cobra.Command { | |||
} | |||
|
|||
cmd.Flags().BoolVar(&grantPermissionPrefix, "prefix", false, "grant a prefix permission") | |||
cmd.Flags().BoolVar(&openEnded, "open-ended", false, "grant an open ended range permission") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably should be from-key
to match etcdctl get
flags
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I'll use the name as the option.
rangeEnd = clientv3.GetPrefixRangeEnd(args[2]) | ||
} else if openEnded { | ||
rangeEnd = "\xff" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rangeEnd = "\x00"
?
@@ -190,6 +207,8 @@ func roleRevokePermissionCommandFunc(cmd *cobra.Command, args []string) { | |||
rangeEnd := "" | |||
if 3 <= len(args) { | |||
rangeEnd = args[2] | |||
} else if openEnded { | |||
rangeEnd = "\xff" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rangeEnd = "\x00"
?
Use: "revoke-permission <role name> <key> [endkey]", | ||
Short: "Revokes a key from a role", | ||
Run: roleRevokePermissionCommandFunc, | ||
} | ||
|
||
cmd.Flags().BoolVar(&openEnded, "open-ended", false, "revoke an open ended range permission") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
from-key
here too
// try the granted open ended permission | ||
cx.user, cx.pass = "test-user", "pass" | ||
for i := 0; i < 10; i++ { | ||
key := fmt.Sprintf("z%d", i) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can stress the >= range a bit more with \xff
's:
key := "\xff"
for j := 0; j < i; j++ {
key += "\xff"
}
@heyitsanthony updated based on your comments, especially for changing the option name ( |
This commit adds a new option --from-key to the command etcdctl role grant-permission. If the option is passed, an open ended permission will be granted to a role e.g. from start-key to any keys those are larger than start-key. Example: $ ETCDCTL_API=3 bin/etcdctl --user root:p role grant r1 readwrite a b $ ETCDCTL_API=3 bin/etcdctl --user root:p role grant --from-key r1 readwrite c $ ETCDCTL_API=3 bin/etcdctl --user root:p role get r1 Role r1 KV Read: [a, b) (prefix a) [c, <open ended> KV Write: [a, b) (prefix a) [c, <open ended> Note that a closed parenthesis doesn't follow the above <open ended> for indicating that the role has an open ended permission ("<open ended>" is a valid range end). Fixes etcd-io#7468
lgtm. Thanks! |
@heyitsanthony thanks, I'm merging it |
This commit adds a new option --open-ended to the command etcdctl role
grant-permission. If the option is passed, an open ended permission
will be granted to a role e.g. from start-key to any keys those are
larger than start-key.
Note that a closed parenthesis doesn't follow the above
for indicating that the role has an open ended permission ("" is a valid range end).
Fixes #7468