etcd/clientv3/auth.go

// Copyright 2016 Nippon Telegraph and Telephone Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package clientv3

import (
	"fmt"
	"strings"

	"github.com/coreos/etcd/auth/authpb"
	pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
	"golang.org/x/net/context"
	"google.golang.org/grpc"
)

type (
	AuthEnableResponse             pb.AuthEnableResponse
	AuthUserAddResponse            pb.AuthUserAddResponse
	AuthUserDeleteResponse         pb.AuthUserDeleteResponse
	AuthUserChangePasswordResponse pb.AuthUserChangePasswordResponse
	AuthRoleAddResponse            pb.AuthRoleAddResponse
	AuthRoleGrantResponse          pb.AuthRoleGrantResponse

	PermissionType authpb.Permission_Type
)

const (
	PermRead      = authpb.READ
	PermWrite     = authpb.WRITE
	PermReadWrite = authpb.READWRITE
)

type Auth interface {
	// AuthEnable enables auth of an etcd cluster.
	AuthEnable(ctx context.Context) (*AuthEnableResponse, error)

	// UserAdd adds a new user to an etcd cluster.
	UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)

	// UserDelete deletes a user from an etcd cluster.
	UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)

	// UserChangePassword changes a password of a user.
	UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)

	// RoleAdd adds a new role to an etcd cluster.
	RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)

	// RoleGrant grants a permission to a role.
	RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error)
}

type auth struct {
	c *Client

	conn   *grpc.ClientConn // conn in-use
	remote pb.AuthClient
}

func NewAuth(c *Client) Auth {
	conn := c.ActiveConnection()
	return &auth{
		conn:   c.ActiveConnection(),
		remote: pb.NewAuthClient(conn),
		c:      c,
	}
}

func (auth *auth) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {
	resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{})
	return (*AuthEnableResponse)(resp), err
}

func (auth *auth) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {
	resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password})
	return (*AuthUserAddResponse)(resp), err
}

func (auth *auth) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) {
	resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name})
	return (*AuthUserDeleteResponse)(resp), err
}

func (auth *auth) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) {
	resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password})
	return (*AuthUserChangePasswordResponse)(resp), err
}

func (auth *auth) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) {
	resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name})
	return (*AuthRoleAddResponse)(resp), err
}

func (auth *auth) RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error) {
	perm := &authpb.Permission{
		Key:      []byte(key),
		PermType: authpb.Permission_Type(permType),
	}
	resp, err := auth.remote.RoleGrant(ctx, &pb.AuthRoleGrantRequest{Name: name, Perm: perm})
	return (*AuthRoleGrantResponse)(resp), err
}

func StrToPermissionType(s string) (PermissionType, error) {
	val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]
	if ok {
		return PermissionType(val), nil
	}
	return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)
}
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`// Copyright 2016 Nippon Telegraph and Telephone Corporation.`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package clientv3`

			`import (`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`"fmt"`
			`"strings"`

			`"github.com/coreos/etcd/auth/authpb"`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`pb "github.com/coreos/etcd/etcdserver/etcdserverpb"`
*: migrate Godeps to vendor/ 2016-03-23 03:10:28 +03:00			`"golang.org/x/net/context"`
			`"google.golang.org/grpc"`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`)`

			`type (`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00			`AuthEnableResponse pb.AuthEnableResponse`
			`AuthUserAddResponse pb.AuthUserAddResponse`
			`AuthUserDeleteResponse pb.AuthUserDeleteResponse`
			`AuthUserChangePasswordResponse pb.AuthUserChangePasswordResponse`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00			`AuthRoleAddResponse pb.AuthRoleAddResponse`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`AuthRoleGrantResponse pb.AuthRoleGrantResponse`

			`PermissionType authpb.Permission_Type`
			`)`

			`const (`
			`PermRead = authpb.READ`
			`PermWrite = authpb.WRITE`
			`PermReadWrite = authpb.READWRITE`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`)`

			`type Auth interface {`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00			`// AuthEnable enables auth of an etcd cluster.`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`AuthEnable(ctx context.Context) (*AuthEnableResponse, error)`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00
			`// UserAdd adds a new user to an etcd cluster.`
*: add Auth prefix to auth related requests and responses 2016-03-29 08:32:19 +03:00			`UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)`
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1 2016-03-31 05:29:47 +03:00
			`// UserDelete deletes a user from an etcd cluster.`
			`UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00
			`// UserChangePassword changes a password of a user.`
			`UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`// RoleAdd adds a new role to an etcd cluster.`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00			`RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00
			`// RoleGrant grants a permission to a role.`
			`RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error)`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`}`

			`type auth struct {`
			`c *Client`

			`conn *grpc.ClientConn // conn in-use`
			`remote pb.AuthClient`
			`}`

			`func NewAuth(c *Client) Auth {`
			`conn := c.ActiveConnection()`
			`return &auth{`
			`conn: c.ActiveConnection(),`
			`remote: pb.NewAuthClient(conn),`
			`c: c,`
			`}`
			`}`

			`func (auth auth) AuthEnable(ctx context.Context) (AuthEnableResponse, error) {`
			`resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{})`
			`return (*AuthEnableResponse)(resp), err`
			`}`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00
*: add Auth prefix to auth related requests and responses 2016-03-29 08:32:19 +03:00			`func (auth auth) UserAdd(ctx context.Context, name string, password string) (AuthUserAddResponse, error) {`
			`resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password})`
			`return (*AuthUserAddResponse)(resp), err`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00			`}`
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1 2016-03-31 05:29:47 +03:00
			`func (auth auth) UserDelete(ctx context.Context, name string) (AuthUserDeleteResponse, error) {`
			`resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name})`
			`return (*AuthUserDeleteResponse)(resp), err`
			`}`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00
			`func (auth auth) UserChangePassword(ctx context.Context, name string, password string) (AuthUserChangePasswordResponse, error) {`
			`resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password})`
			`return (*AuthUserChangePasswordResponse)(resp), err`
			`}`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00
			`func (auth auth) RoleAdd(ctx context.Context, name string) (AuthRoleAddResponse, error) {`
			`resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name})`
			`return (*AuthRoleAddResponse)(resp), err`
			`}`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00
			`func (auth auth) RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (AuthRoleGrantResponse, error) {`
			`perm := &authpb.Permission{`
			`Key: []byte(key),`
			`PermType: authpb.Permission_Type(permType),`
			`}`
			`resp, err := auth.remote.RoleGrant(ctx, &pb.AuthRoleGrantRequest{Name: name, Perm: perm})`
			`return (*AuthRoleGrantResponse)(resp), err`
			`}`

			`func StrToPermissionType(s string) (PermissionType, error) {`
			`val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]`
			`if ok {`
			`return PermissionType(val), nil`
			`}`
			`return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)`
			`}`