diff --git a/etcdctl/README.md b/etcdctl/README.md index 90913558447..2781177f200 100644 --- a/etcdctl/README.md +++ b/etcdctl/README.md @@ -961,25 +961,42 @@ RPC: RoleGrantPermission #### Options +- from-key -- grant a permission of keys that are greater than or equal to the given key using byte compare + - prefix -- grant a prefix permission -#### Ouptut +#### Output `Role updated`. #### Examples +Grant read and write permission on the key `foo` to role `myrole`: + ```bash ./etcdctl --user=root:123 role grant-permission myrole readwrite foo # Role myrole updated ``` +Grant read permission on the wildcard key pattern `foo/*` to role `myrole`: + +```bash +./etcdctl --user=root:123 role grant-permission --prefix myrole readwrite foo/ +# Role myrole updated +``` + ### ROLE REVOKE-PERMISSION \ \ \ [endkey] `role revoke-permission` revokes a key from a role. RPC: RoleRevokePermission +#### Options + +- from-key -- revoke a permission of keys that are greater than or equal to the given key using byte compare + +- prefix -- revoke a prefix permission + #### Output `Permission of key is revoked from role ` for single key. `Permission of range [, ) is revoked from role ` for a key range. Exit code is zero. diff --git a/etcdctl/ctlv3/command/role_command.go b/etcdctl/ctlv3/command/role_command.go index f75a8efceb4..b467a56322b 100644 --- a/etcdctl/ctlv3/command/role_command.go +++ b/etcdctl/ctlv3/command/role_command.go @@ -23,8 +23,8 @@ import ( ) var ( - grantPermissionPrefix bool - permFromKey bool + rolePermPrefix bool + rolePermFromKey bool ) // NewRoleCommand returns the cobra command for "role". @@ -83,8 +83,8 @@ func newRoleGrantPermissionCommand() *cobra.Command { Run: roleGrantPermissionCommandFunc, } - cmd.Flags().BoolVar(&grantPermissionPrefix, "prefix", false, "grant a prefix permission") - cmd.Flags().BoolVar(&permFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare") + cmd.Flags().BoolVar(&rolePermPrefix, "prefix", false, "grant a prefix permission") + cmd.Flags().BoolVar(&rolePermFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare") return cmd } @@ -96,7 +96,8 @@ func newRoleRevokePermissionCommand() *cobra.Command { Run: roleRevokePermissionCommandFunc, } - cmd.Flags().BoolVar(&permFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare") + cmd.Flags().BoolVar(&rolePermPrefix, "prefix", false, "revoke a prefix permission") + cmd.Flags().BoolVar(&rolePermFromKey, "from-key", false, "revoke a permission of keys that are greater than or equal to the given key using byte compare") return cmd } @@ -169,27 +170,10 @@ func roleGrantPermissionCommandFunc(cmd *cobra.Command, args []string) { ExitWithError(ExitBadArgs, err) } - rangeEnd := "" - if 4 <= len(args) { - if grantPermissionPrefix { - ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --prefix option and range end to grant permission command")) - } - - if permFromKey { - ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --from-key option and range end to grant permission command")) - } - - rangeEnd = args[3] - } else if grantPermissionPrefix { - if permFromKey { - ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --from-key option and --prefix option to grant permission command")) - } - - rangeEnd = clientv3.GetPrefixRangeEnd(args[2]) - } else if permFromKey { - rangeEnd = "\x00" + rangeEnd, rerr := rangeEndFromPermFlags(args[2:]) + if rerr != nil { + ExitWithError(ExitBadArgs, rerr) } - resp, err := mustClientFromCmd(cmd).Auth.RoleGrantPermission(context.TODO(), args[0], args[2], rangeEnd, perm) if err != nil { ExitWithError(ExitError, err) @@ -204,16 +188,36 @@ func roleRevokePermissionCommandFunc(cmd *cobra.Command, args []string) { ExitWithError(ExitBadArgs, fmt.Errorf("role revoke-permission command requires role name and key [endkey] as its argument.")) } - rangeEnd := "" - if 3 <= len(args) { - rangeEnd = args[2] - } else if permFromKey { - rangeEnd = "\x00" + rangeEnd, rerr := rangeEndFromPermFlags(args[1:]) + if rerr != nil { + ExitWithError(ExitBadArgs, rerr) } - resp, err := mustClientFromCmd(cmd).Auth.RoleRevokePermission(context.TODO(), args[0], args[1], rangeEnd) if err != nil { ExitWithError(ExitError, err) } display.RoleRevokePermission(args[0], args[1], rangeEnd, *resp) } + +func rangeEndFromPermFlags(args []string) (string, error) { + if len(args) == 1 { + if rolePermPrefix { + if rolePermFromKey { + return "", fmt.Errorf("--from-key and --prefix flags are mutually exclusive") + } + return clientv3.GetPrefixRangeEnd(args[0]), nil + } + if rolePermFromKey { + return "\x00", nil + } + // single key case + return "", nil + } + if rolePermPrefix { + return "", fmt.Errorf("unexpected endkey argument with --prefix flag") + } + if rolePermFromKey { + return "", fmt.Errorf("unexpected endkey argument with --from-key flag") + } + return args[1], nil +}