auth, etcdserver: allow users to know their roles and permissions

Current UserGet() and RoleGet() RPCs require admin permission. It means that users cannot know which roles they belong to and what permissions the roles have. This commit change the semantics and now users can know their roles and permissions.
mitake · Jun 23, 2017 · a56e324 · a56e324
1 parent 47a8156
commit a56e324
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 4 deletions.
diff --git a/auth/store.go b/auth/store.go
@@ -165,6 +165,9 @@ type AuthStore interface {
 
 	// WithRoot generates and installs a token that can be used as a root credential
 	WithRoot(ctx context.Context) context.Context
+
+	// BelongTo checks that user belongs to role
+	BelongTo(user, role string) bool
 }
 
 type TokenProvider interface {
@@ -1097,3 +1100,23 @@ func (as *authStore) WithRoot(ctx context.Context) context.Context {
 	tokenMD := metadata.New(mdMap)
 	return metadata.NewContext(ctx, tokenMD)
 }
+
+func (as *authStore) BelongTo(user, role string) bool {
+	tx := as.be.BatchTx()
+	tx.Lock()
+	defer tx.Unlock()
+
+	u := getUser(tx, user)
+	if u == nil {
+		plog.Errorf("tried to check user %s belongs to role %s, but user %s doesn't exist", user, role, user)
+		return false
+	}
+
+	for _, r := range u.Roles {
+		if strings.Compare(role, r) == 0 {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/etcdserver/apply_auth.go b/etcdserver/apply_auth.go
@@ -15,6 +15,7 @@
 package etcdserver
 
 import (
+	"strings"
 	"sync"
 
 	"github.com/coreos/etcd/auth"
@@ -189,6 +190,28 @@ func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
 	return nil
 }
 
+func (aa *authApplierV3) UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error) {
+	err := aa.as.IsAdminPermitted(&aa.authInfo)
+	if err != nil && strings.Compare(r.Name, aa.authInfo.Username) != 0 {
+		aa.authInfo.Username = ""
+		aa.authInfo.Revision = 0
+		return &pb.AuthUserGetResponse{}, err
+	}
+
+	return aa.applierV3.UserGet(r)
+}
+
+func (aa *authApplierV3) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error) {
+	err := aa.as.IsAdminPermitted(&aa.authInfo)
+	if err != nil && !aa.as.BelongTo(aa.authInfo.Username, r.Role) {
+		aa.authInfo.Username = ""
+		aa.authInfo.Revision = 0
+		return &pb.AuthRoleGetResponse{}, err
+	}
+
+	return aa.applierV3.RoleGet(r)
+}
+
 func needAdminPermission(r *pb.InternalRaftRequest) bool {
 	switch {
 	case r.AuthEnable != nil:
@@ -203,16 +226,12 @@ func needAdminPermission(r *pb.InternalRaftRequest) bool {
 		return true
 	case r.AuthUserGrantRole != nil:
 		return true
-	case r.AuthUserGet != nil:
-		return true
 	case r.AuthUserRevokeRole != nil:
 		return true
 	case r.AuthRoleAdd != nil:
 		return true
 	case r.AuthRoleGrantPermission != nil:
 		return true
-	case r.AuthRoleGet != nil:
-		return true
 	case r.AuthRoleRevokePermission != nil:
 		return true
 	case r.AuthRoleDelete != nil: