etcdctl make-mirror doesn't work when RBAC enabled and user doesn't have read permissions of key "foo" #13846

Closed
tomskikh opened this issue Mar 28, 2022 · 0 comments · Fixed by #13923
@tomskikh
What happened?

I enabled RBAC, added a role and a user, granted read permission on a prefix and tried to make a mirror of that prefix. etcdctl make-mirror failed with permission denied.

What did you expect to happen?

etcdctl make-mirror works.

How can we reproduce it (as minimally and precisely as possible)?

On cluster A:

  1. Add a role (somerole) with read permission to a prefix (/someprefix/)
  2. Add a user (someuser) with this role
  3. Try to run make-mirror with that user and prefix
    etcdctl --endpoints localhost:12379 --user someuser:test make-mirror localhost:22379 --prefix=/someprefix/
    
    make-mirror fails with the error
    {"level":"warn","ts":"2022-03-28T14:49:15.456+0700","logger":"etcd-client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0004d01c0/localhost:12379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}
    
  4. Add read permission on the key foo to the role somerole
  5. make-mirror works without errors

Anything else we need to know?

make-mirror uses key foo to get the most recent revision

    resp, err := s.c.Get(ctx, "foo")

Etcd version (please run commands below)

$ etcd --version
etcd Version: 3.5.2
Git SHA: 99018a77b
Go Version: go1.16.3
Go OS/Arch: linux/amd64

$ etcdctl version
etcdctl version: 3.5.2
API version: 3.5

Etcd configuration (command line flags or environment variables)

paste your configuration here

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

$ etcdctl member list -w table
# paste output here

$ etcdctl --endpoints=<member list> endpoint status -w table
# paste output here

Relevant log output

No response
