From bd680c33027c35f05e5c29f900101b33d6eb792e Mon Sep 17 00:00:00 2001 From: Anthony Romano Date: Fri, 19 May 2017 11:18:19 -0700 Subject: [PATCH 1/2] ctlv3: add --prefix support to role revoke-permission, cleanup role flag handling --- etcdctl/ctlv3/command/role_command.go | 66 ++++++++++++++------------- 1 file changed, 35 insertions(+), 31 deletions(-) diff --git a/etcdctl/ctlv3/command/role_command.go b/etcdctl/ctlv3/command/role_command.go index f75a8efceb4..b467a56322b 100644 --- a/etcdctl/ctlv3/command/role_command.go +++ b/etcdctl/ctlv3/command/role_command.go @@ -23,8 +23,8 @@ import ( ) var ( - grantPermissionPrefix bool - permFromKey bool + rolePermPrefix bool + rolePermFromKey bool ) // NewRoleCommand returns the cobra command for "role". @@ -83,8 +83,8 @@ func newRoleGrantPermissionCommand() *cobra.Command { Run: roleGrantPermissionCommandFunc, } - cmd.Flags().BoolVar(&grantPermissionPrefix, "prefix", false, "grant a prefix permission") - cmd.Flags().BoolVar(&permFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare") + cmd.Flags().BoolVar(&rolePermPrefix, "prefix", false, "grant a prefix permission") + cmd.Flags().BoolVar(&rolePermFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare") return cmd } @@ -96,7 +96,8 @@ func newRoleRevokePermissionCommand() *cobra.Command { Run: roleRevokePermissionCommandFunc, } - cmd.Flags().BoolVar(&permFromKey, "from-key", false, "grant a permission of keys that are greater than or equal to the given key using byte compare") + cmd.Flags().BoolVar(&rolePermPrefix, "prefix", false, "revoke a prefix permission") + cmd.Flags().BoolVar(&rolePermFromKey, "from-key", false, "revoke a permission of keys that are greater than or equal to the given key using byte compare") return cmd } @@ -169,27 +170,10 @@ func roleGrantPermissionCommandFunc(cmd *cobra.Command, args []string) { ExitWithError(ExitBadArgs, err) } - rangeEnd := "" - if 4 <= len(args) { - if grantPermissionPrefix { - ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --prefix option and range end to grant permission command")) - } - - if permFromKey { - ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --from-key option and range end to grant permission command")) - } - - rangeEnd = args[3] - } else if grantPermissionPrefix { - if permFromKey { - ExitWithError(ExitBadArgs, fmt.Errorf("don't pass both of --from-key option and --prefix option to grant permission command")) - } - - rangeEnd = clientv3.GetPrefixRangeEnd(args[2]) - } else if permFromKey { - rangeEnd = "\x00" + rangeEnd, rerr := rangeEndFromPermFlags(args[2:]) + if rerr != nil { + ExitWithError(ExitBadArgs, rerr) } - resp, err := mustClientFromCmd(cmd).Auth.RoleGrantPermission(context.TODO(), args[0], args[2], rangeEnd, perm) if err != nil { ExitWithError(ExitError, err) @@ -204,16 +188,36 @@ func roleRevokePermissionCommandFunc(cmd *cobra.Command, args []string) { ExitWithError(ExitBadArgs, fmt.Errorf("role revoke-permission command requires role name and key [endkey] as its argument.")) } - rangeEnd := "" - if 3 <= len(args) { - rangeEnd = args[2] - } else if permFromKey { - rangeEnd = "\x00" + rangeEnd, rerr := rangeEndFromPermFlags(args[1:]) + if rerr != nil { + ExitWithError(ExitBadArgs, rerr) } - resp, err := mustClientFromCmd(cmd).Auth.RoleRevokePermission(context.TODO(), args[0], args[1], rangeEnd) if err != nil { ExitWithError(ExitError, err) } display.RoleRevokePermission(args[0], args[1], rangeEnd, *resp) } + +func rangeEndFromPermFlags(args []string) (string, error) { + if len(args) == 1 { + if rolePermPrefix { + if rolePermFromKey { + return "", fmt.Errorf("--from-key and --prefix flags are mutually exclusive") + } + return clientv3.GetPrefixRangeEnd(args[0]), nil + } + if rolePermFromKey { + return "\x00", nil + } + // single key case + return "", nil + } + if rolePermPrefix { + return "", fmt.Errorf("unexpected endkey argument with --prefix flag") + } + if rolePermFromKey { + return "", fmt.Errorf("unexpected endkey argument with --from-key flag") + } + return args[1], nil +} From 2f1467cb2778895a3fee694e5fd793ee92cd1e12 Mon Sep 17 00:00:00 2001 From: Anthony Romano Date: Fri, 19 May 2017 11:20:55 -0700 Subject: [PATCH 2/2] etcdctl: sync README with etcdctl role command, add prefix example, fix typo Fixes #7951 --- etcdctl/README.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/etcdctl/README.md b/etcdctl/README.md index 90913558447..2781177f200 100644 --- a/etcdctl/README.md +++ b/etcdctl/README.md @@ -961,25 +961,42 @@ RPC: RoleGrantPermission #### Options +- from-key -- grant a permission of keys that are greater than or equal to the given key using byte compare + - prefix -- grant a prefix permission -#### Ouptut +#### Output `Role updated`. #### Examples +Grant read and write permission on the key `foo` to role `myrole`: + ```bash ./etcdctl --user=root:123 role grant-permission myrole readwrite foo # Role myrole updated ``` +Grant read permission on the wildcard key pattern `foo/*` to role `myrole`: + +```bash +./etcdctl --user=root:123 role grant-permission --prefix myrole readwrite foo/ +# Role myrole updated +``` + ### ROLE REVOKE-PERMISSION \ \ \ [endkey] `role revoke-permission` revokes a key from a role. RPC: RoleRevokePermission +#### Options + +- from-key -- revoke a permission of keys that are greater than or equal to the given key using byte compare + +- prefix -- revoke a prefix permission + #### Output `Permission of key is revoked from role ` for single key. `Permission of range [, ) is revoked from role ` for a key range. Exit code is zero.