vitalif
/
etcd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
etcd/clientv3/auth.go

237 lines
10 KiB
Go
Raw Normal View History

clientv3: update LICENSE header
2016-05-13 06:50:58 +03:00
// Copyright 2016 The etcd Authors
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package clientv3
import (
*: replace 'golang.org/x/net/context' with 'context' Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-09-07 00:57:25 +03:00
"context"
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
"fmt"
"strings"
*: Update references to code moved to the api/ dir. Follow up to file-moves done in the previous commit. The commit contains purely mechanical consequences of execution (apart of scripts/genproto.sh): % find ./ -name '*.go' | xargs sed --follow-symlinks -i 's|v3/etcdserver/api/v3rpc/rpctypes|v3/api/v3rpc/rpctypes|g' % find ./ -name '*.go' | xargs sed --follow-symlinks -i 's|v3/version|v3/api/version|g' % find ./ -name '*.go' | xargs sed --follow-symlinks -i 's|v3/mvcc/mvccpb|v3/api/mvccpb|g' % find ./ -name '*.go' | xargs sed --follow-symlinks -i 's|v3/etcdserver/etcdserverpb|v3/api/etcdserverpb|g' % find ./ -name '*.go' | xargs sed --follow-symlinks -i 's|v3/etcdserver/api/membership/membershippb|v3/api/membershippb|g' % find ./ -name '*.go' | xargs sed --follow-symlinks -i 's|v3/auth/authpb|v3/api/authpb|g' % find ./ -name '*.proto' -o -name '*.md' | xargs -L 1 sed --follow-symlinks -i 's|/mvcc/mvccpb/kv.proto|/api/mvccpb/kv.proto|g' % find ./ -name '*.proto' -o -name '*.md' | xargs -L 1 sed --follow-symlinks -i 's|/auth/authpb/auth.proto|/api/authpb/auth.proto|g' % find ./ -name '*.proto' -o -name '*.md' | xargs -L 1 sed --follow-symlinks -i 's|/etcdserver/api/membership/membershippb/membership.proto|/api/membershippb/membership.proto|g' I also modified manually paths in scripts/genproto.sh. % go fmt ./...
2020-10-05 18:21:03 +03:00
"go.etcd.io/etcd/api/v3/authpb"
pb "go.etcd.io/etcd/api/v3/etcdserverpb"
*: migrate Godeps to vendor/
2016-03-23 03:10:28 +03:00
"google.golang.org/grpc"
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
)
type (
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
AuthEnableResponse pb.AuthEnableResponse
AuthDisableResponse pb.AuthDisableResponse
*: add a new API and command for checking auth status (#11536) This changes have started at etcdctl under auth.go, and make changes to stub out everything down into the internal raft. Made changes to the .proto files and regenerated them so that the local version would build successfully.
2020-02-06 06:27:42 +03:00
AuthStatusResponse pb.AuthStatusResponse
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
AuthenticateResponse pb.AuthenticateResponse
AuthUserAddResponse pb.AuthUserAddResponse
AuthUserDeleteResponse pb.AuthUserDeleteResponse
AuthUserChangePasswordResponse pb.AuthUserChangePasswordResponse
auth: make naming consistent
2016-06-07 06:17:28 +03:00
AuthUserGrantRoleResponse pb.AuthUserGrantRoleResponse
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
AuthUserGetResponse pb.AuthUserGetResponse
AuthUserRevokeRoleResponse pb.AuthUserRevokeRoleResponse
AuthRoleAddResponse pb.AuthRoleAddResponse
auth: make naming consistent
2016-06-07 06:17:28 +03:00
AuthRoleGrantPermissionResponse pb.AuthRoleGrantPermissionResponse
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
AuthRoleGetResponse pb.AuthRoleGetResponse
AuthRoleRevokePermissionResponse pb.AuthRoleRevokePermissionResponse
AuthRoleDeleteResponse pb.AuthRoleDeleteResponse
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
AuthUserListResponse pb.AuthUserListResponse
AuthRoleListResponse pb.AuthRoleListResponse
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
PermissionType authpb.Permission_Type
etcdctl, clientv3: improve printing of role get for prefix permission This commit improves printing of role get command for prefix permission. If a range permission corresponds to a prefix permission, it is explicitly printed for a user. Below is an example of the new printing: $ ETCDCTL_API=3 bin/etcdctl --user root:p role get r1 Role r1 KV Read: [/dir/, /dir0) (prefix /dir/) [k1, k5) KV Write: [/dir/, /dir0) (prefix /dir/) [k1, k5)
2016-09-14 07:57:38 +03:00
Permission authpb.Permission
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
)
const (
PermRead = authpb.READ
PermWrite = authpb.WRITE
PermReadWrite = authpb.READWRITE
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
)
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
type UserAddOptions authpb.UserAddOptions
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
type Auth interface {
clientv3:get AuthToken gracefully without extra connection. (#12165) * etcdserver: check authinfo if it is not InternalAuthenticateRequest. * credentials: let GetRequestMetadata() return nil when authToken isn't initialized. * clientv3: get AuthToken gracefully without extra connection.
2020-09-25 21:01:54 +03:00
// Authenticate login and get token
Authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
// AuthEnable enables auth of an etcd cluster.
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
AuthEnable(ctx context.Context) (*AuthEnableResponse, error)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
// AuthDisable disables auth of an etcd cluster.
AuthDisable(ctx context.Context) (*AuthDisableResponse, error)
*: add a new API and command for checking auth status (#11536) This changes have started at etcdctl under auth.go, and make changes to stub out everything down into the internal raft. Made changes to the .proto files and regenerated them so that the local version would build successfully.
2020-02-06 06:27:42 +03:00
// AuthStatus returns the status of auth of an etcd cluster.
AuthStatus(ctx context.Context) (*AuthStatusResponse, error)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
// UserAdd adds a new user to an etcd cluster.
*: add Auth prefix to auth related requests and responses
2016-03-29 08:32:19 +03:00
UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
// UserAddWithOptions adds a new user to an etcd cluster with some options.
UserAddWithOptions(ctx context.Context, name string, password string, opt *UserAddOptions) (*AuthUserAddResponse, error)
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
// UserDelete deletes a user from an etcd cluster.
UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
// UserChangePassword changes a password of a user.
UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
auth: make naming consistent
2016-06-07 06:17:28 +03:00
// UserGrantRole grants a role to a user.
UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
// UserGet gets a detailed information of a user.
UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error)
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
// UserList gets a list of all users.
UserList(ctx context.Context) (*AuthUserListResponse, error)
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
// UserRevokeRole revokes a role of a user.
UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error)
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
// RoleAdd adds a new role to an etcd cluster.
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
auth: make naming consistent
2016-06-07 06:17:28 +03:00
// RoleGrantPermission grants a permission to a role.
*: support granting and revoking range This commit adds a feature for granting and revoking range of keys, not a single key. Example: $ ETCDCTL_API=3 bin/etcdctl role grant r1 readwrite k1 k3 Role r1 updated $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: [a, b) [k1, k3) [k2, k4) KV Write: [a, b) [k1, k3) [k2, k4) $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k4 k1 v1 $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k5 Error: etcdserver: permission denied
2016-06-08 21:52:57 +03:00
RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error)
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
// RoleGet gets a detailed information of a role.
RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error)
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
// RoleList gets a list of all roles.
RoleList(ctx context.Context) (*AuthRoleListResponse, error)
*: support granting and revoking range This commit adds a feature for granting and revoking range of keys, not a single key. Example: $ ETCDCTL_API=3 bin/etcdctl role grant r1 readwrite k1 k3 Role r1 updated $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: [a, b) [k1, k3) [k2, k4) KV Write: [a, b) [k1, k3) [k2, k4) $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k4 k1 v1 $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k5 Error: etcdserver: permission denied
2016-06-08 21:52:57 +03:00
// RoleRevokePermission revokes a permission from a role.
RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error)
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
// RoleDelete deletes a role.
RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error)
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
type authClient struct {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
remote pb.AuthClient
callOpts []grpc.CallOption
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
}
func NewAuth(c *Client) Auth {
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
api := &authClient{remote: RetryAuthClient(c)}
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
if c != nil {
api.callOpts = c.callOpts
}
return api
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
}
v3client: implement clientv3.Auth interface (#12140)
2020-07-21 02:53:25 +03:00
func NewAuthFromAuthClient(remote pb.AuthClient, c *Client) Auth {
api := &authClient{remote: remote}
if c != nil {
api.callOpts = c.callOpts
}
return api
}
clientv3:get AuthToken gracefully without extra connection. (#12165) * etcdserver: check authinfo if it is not InternalAuthenticateRequest. * credentials: let GetRequestMetadata() return nil when authToken isn't initialized. * clientv3: get AuthToken gracefully without extra connection.
2020-09-25 21:01:54 +03:00
func (auth *authClient) Authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) {
resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password}, auth.callOpts...)
return (*AuthenticateResponse)(resp), toErr(ctx, err)
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthEnableResponse)(resp), toErr(ctx, err)
clientv3: a new interface Auth for auth related RPCs
2016-03-02 08:57:40 +03:00
}
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthDisableResponse)(resp), toErr(ctx, err)
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
}
*: add a new API and command for checking auth status (#11536) This changes have started at etcdctl under auth.go, and make changes to stub out everything down into the internal raft. Made changes to the .proto files and regenerated them so that the local version would build successfully.
2020-02-06 06:27:42 +03:00
func (auth *authClient) AuthStatus(ctx context.Context) (*AuthStatusResponse, error) {
resp, err := auth.remote.AuthStatus(ctx, &pb.AuthStatusRequest{}, auth.callOpts...)
return (*AuthStatusResponse)(resp), toErr(ctx, err)
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password, Options: &authpb.UserAddOptions{NoPassword: false}}, auth.callOpts...)
return (*AuthUserAddResponse)(resp), toErr(ctx, err)
}
func (auth *authClient) UserAddWithOptions(ctx context.Context, name string, password string, options *UserAddOptions) (*AuthUserAddResponse, error) {
resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password, Options: (*authpb.UserAddOptions)(options)}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthUserAddResponse)(resp), toErr(ctx, err)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
}
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthUserDeleteResponse)(resp), toErr(ctx, err)
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
}
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthUserChangePasswordResponse)(resp), toErr(ctx, err)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
}
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.UserGrantRole(ctx, &pb.AuthUserGrantRoleRequest{User: user, Role: role}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthUserGrantRoleResponse)(resp), toErr(ctx, err)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthUserGetResponse)(resp), toErr(ctx, err)
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) UserList(ctx context.Context) (*AuthUserListResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.UserList(ctx, &pb.AuthUserListRequest{}, auth.callOpts...)
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
return (*AuthUserListResponse)(resp), toErr(ctx, err)
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.UserRevokeRole(ctx, &pb.AuthUserRevokeRoleRequest{Name: name, Role: role}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthUserRevokeRoleResponse)(resp), toErr(ctx, err)
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthRoleAddResponse)(resp), toErr(ctx, err)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
}
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error) {
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
perm := &authpb.Permission{
Key: []byte(key),
*: support granting and revoking range This commit adds a feature for granting and revoking range of keys, not a single key. Example: $ ETCDCTL_API=3 bin/etcdctl role grant r1 readwrite k1 k3 Role r1 updated $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: [a, b) [k1, k3) [k2, k4) KV Write: [a, b) [k1, k3) [k2, k4) $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k4 k1 v1 $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k5 Error: etcdserver: permission denied
2016-06-08 21:52:57 +03:00
RangeEnd: []byte(rangeEnd),
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
PermType: authpb.Permission_Type(permType),
}
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.RoleGrantPermission(ctx, &pb.AuthRoleGrantPermissionRequest{Name: name, Perm: perm}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthRoleGrantPermissionResponse)(resp), toErr(ctx, err)
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthRoleGetResponse)(resp), toErr(ctx, err)
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) RoleList(ctx context.Context) (*AuthRoleListResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.RoleList(ctx, &pb.AuthRoleListRequest{}, auth.callOpts...)
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
return (*AuthRoleListResponse)(resp), toErr(ctx, err)
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error) {
*: unify type of key and rangeEnd in AuthRoleRevokePermissionRequest Fix https://github.com/coreos/etcd/issues/9424
2018-03-14 08:06:28 +03:00
resp, err := auth.remote.RoleRevokePermission(ctx, &pb.AuthRoleRevokePermissionRequest{Role: role, Key: []byte(key), RangeEnd: []byte(rangeEnd)}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthRoleRevokePermissionResponse)(resp), toErr(ctx, err)
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
}
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
func (auth *authClient) RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error) {
clientv3: call other APIs with default gRPC call options Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-20 02:07:32 +03:00
resp, err := auth.remote.RoleDelete(ctx, &pb.AuthRoleDeleteRequest{Role: role}, auth.callOpts...)
clientv3: use grpc reconnection logic
2016-06-08 03:03:48 +03:00
return (*AuthRoleDeleteResponse)(resp), toErr(ctx, err)
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
}
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
func StrToPermissionType(s string) (PermissionType, error) {
val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]
if ok {
return PermissionType(val), nil
}
return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)
}