etcdserver: protect revoking lease with auth

Currently clients can revoke any lease without permission. This commit
lets etcdserver protect revoking with write permission.

etcdserver/apply.go

@@ -84,6 +84,7 @@ func (s *EtcdServer) newApplierV3() applierV3 {
 	return newAuthApplierV3(
 		s.AuthStore(),
 		newQuotaApplierV3(s, &applierV3backend{s}),
+		s.lessor,
 	)
 }
 

etcdserver/apply_auth.go

@@ -19,12 +19,14 @@ import (
 
 	"github.com/coreos/etcd/auth"
 	pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
+	"github.com/coreos/etcd/lease"
 	"github.com/coreos/etcd/mvcc"
 )
 
 type authApplierV3 struct {
 	applierV3
-	as auth.AuthStore
+	as     auth.AuthStore
+	lessor lease.Lessor
 
 	// mu serializes Apply so that user isn't corrupted and so that
 	// serialized requests don't leak data from TOCTOU errors
@@ -33,8 +35,8 @@ type authApplierV3 struct {
 	authInfo auth.AuthInfo
 }
 
-func newAuthApplierV3(as auth.AuthStore, base applierV3) *authApplierV3 {
-	return &authApplierV3{applierV3: base, as: as}
+func newAuthApplierV3(as auth.AuthStore, base applierV3, lessor lease.Lessor) *authApplierV3 {
+	return &authApplierV3{applierV3: base, as: as, lessor: lessor}
 }
 
 func (aa *authApplierV3) Apply(r *pb.InternalRaftRequest) *applyResult {
@@ -158,6 +160,18 @@ func (aa *authApplierV3) Txn(rt *pb.TxnRequest) (*pb.TxnResponse, error) {
 	return aa.applierV3.Txn(rt)
 }
 
+func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevokeResponse, error) {
+	lease := aa.lessor.Lookup(lease.LeaseID(lc.ID))
+	if lease != nil {
+		for _, key := range lease.Keys() {
+			if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
+				return nil, err
+			}
+		}
+	}
+	return aa.applierV3.LeaseRevoke(lc)
+}
+
 func needAdminPermission(r *pb.InternalRaftRequest) bool {
 	switch {
 	case r.AuthEnable != nil: