vitalif
/
etcd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
etcd/auth/store.go

1050 lines
25 KiB
Go
Raw Normal View History

auth: update LICENSE header
2016-05-13 06:51:14 +03:00
// Copyright 2016 The etcd Authors
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package auth
import (
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
"bytes"
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
"encoding/binary"
etcdserver: return internal error in a case of not auth specific errors
2016-03-28 07:00:10 +03:00
"errors"
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
"sort"
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
"strings"
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
"sync"
etcdserver: return internal error in a case of not auth specific errors
2016-03-28 07:00:10 +03:00
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
"github.com/coreos/etcd/auth/authpb"
pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
*: rename storage package to mvcc
2016-04-25 22:32:58 +03:00
"github.com/coreos/etcd/mvcc/backend"
*: migrate Godeps to vendor/
2016-03-23 03:10:28 +03:00
"github.com/coreos/pkg/capnslog"
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
"golang.org/x/crypto/bcrypt"
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
"golang.org/x/net/context"
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
"google.golang.org/grpc/credentials"
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
"google.golang.org/grpc/metadata"
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
"google.golang.org/grpc/peer"
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
)
var (
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
enableFlagKey = []byte("authEnabled")
auth: implement recover
2016-06-10 19:37:37 +03:00
authEnabled = []byte{1}
authDisabled = []byte{0}
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
revisionKey = []byte("authRevision")
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
authBucketName = []byte("auth")
authUsersBucketName = []byte("authUsers")
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
authRolesBucketName = []byte("authRoles")
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
plog = capnslog.NewPackageLogger("github.com/coreos/etcd", "auth")
etcdserver: return internal error in a case of not auth specific errors
2016-03-28 07:00:10 +03:00
auth: add root user and root role
2016-06-08 07:44:54 +03:00
ErrRootUserNotExist = errors.New("auth: root user does not exist")
ErrRootRoleNotExist = errors.New("auth: root user does not have root role")
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
ErrUserAlreadyExist = errors.New("auth: user already exists")
auth, etcdserver: forbid adding a user with empty name
2016-11-02 07:37:37 +03:00
ErrUserEmpty = errors.New("auth: user name is empty")
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
ErrUserNotFound = errors.New("auth: user not found")
ErrRoleAlreadyExist = errors.New("auth: role already exists")
ErrRoleNotFound = errors.New("auth: role not found")
ErrAuthFailed = errors.New("auth: authentication failed, invalid user ID or password")
ErrPermissionDenied = errors.New("auth: permission denied")
ErrRoleNotGranted = errors.New("auth: role is not granted to the user")
ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role")
auth, etcdserver: let Authenticate() fail if auth isn't enabled Successful Authenticate() would be confusing and make trouble shooting harder if auth isn't enabled in a cluster.
2016-06-20 11:09:13 +03:00
ErrAuthNotEnabled = errors.New("auth: authentication is not enabled")
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
ErrAuthOldRevision = errors.New("auth: revision in header is old")
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
ErrInvalidAuthToken = errors.New("auth: invalid auth token")
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
ErrInvalidAuthOpts = errors.New("auth: invalid auth options")
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
ErrInvalidAuthMgmt = errors.New("auth: invalid auth management")
auth: set bcrypt cost to minimum for test cases DefaultCost makes auth tests 10x more expensive than MinCost. Fixes #5851
2016-07-07 09:01:09 +03:00
// BcryptCost is the algorithm cost / strength for hashing auth passwords
BcryptCost = bcrypt.DefaultCost
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
)
auth: add root user and root role
2016-06-08 07:44:54 +03:00
const (
rootUser = "root"
rootRole = "root"
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
revBytesLen = 8
auth: add root user and root role
2016-06-08 07:44:54 +03:00
)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
type AuthInfo struct {
Username string
Revision uint64
}
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
type AuthStore interface {
auth: add tests
2016-04-27 19:15:23 +03:00
// AuthEnable turns on the authentication feature
auth: add root user and root role
2016-06-08 07:44:54 +03:00
AuthEnable() error
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
// AuthDisable turns off the authentication feature
AuthDisable()
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
// Authenticate does authentication based on given user name and password
Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error)
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
// Recover recovers the state of auth store from the given backend
Recover(b backend.Backend)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
// UserAdd adds a new user
*: add Auth prefix to auth related requests and responses
2016-03-29 08:32:19 +03:00
UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error)
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
// UserDelete deletes a user
UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
// UserChangePassword changes a password of a user
UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*pb.AuthUserChangePasswordResponse, error)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
auth: make naming consistent
2016-06-07 06:17:28 +03:00
// UserGrantRole grants a role to the user
UserGrantRole(r *pb.AuthUserGrantRoleRequest) (*pb.AuthUserGrantRoleResponse, error)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
// UserGet gets the detailed information of a users
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error)
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
// UserRevokeRole revokes a role of a user
UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error)
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
// RoleAdd adds a new role
RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse, error)
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
auth: make naming consistent
2016-06-07 06:17:28 +03:00
// RoleGrantPermission grants a permission to a role
RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (*pb.AuthRoleGrantPermissionResponse, error)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
// RoleGet gets the detailed information of a role
RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error)
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
// RoleRevokePermission gets the detailed information of a role
RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest) (*pb.AuthRoleRevokePermissionResponse, error)
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
// RoleDelete gets the detailed information of a role
RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error)
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
// UserList gets a list of all users
UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListResponse, error)
// RoleList gets a list of all roles
RoleList(r *pb.AuthRoleListRequest) (*pb.AuthRoleListResponse, error)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
// IsPutPermitted checks put permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsPutPermitted(authInfo *AuthInfo, key []byte) error
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
// IsRangePermitted checks range permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
*: add admin permission checking
2016-06-09 23:40:26 +03:00
*: support deleteRange perm checking
2016-06-14 03:19:59 +03:00
// IsDeleteRangePermitted checks delete-range permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsDeleteRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
*: support deleteRange perm checking
2016-06-14 03:19:59 +03:00
*: add admin permission checking
2016-06-09 23:40:26 +03:00
// IsAdminPermitted checks admin permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsAdminPermitted(authInfo *AuthInfo) error
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
// GenTokenPrefix produces a random string in a case of simple token
// in a case of JWT, it produces an empty string
GenTokenPrefix() (string, error)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
// Revision gets current revision of authStore
Revision() uint64
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
// CheckPassword checks a given pair of username and password is correct
CheckPassword(username, password string) (uint64, error)
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
// Close does cleanup of AuthStore
Close() error
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
// AuthInfoFromCtx gets AuthInfo from gRPC's context
AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error)
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
// AuthInfoFromTLS gets AuthInfo from TLS info of gRPC's context
AuthInfoFromTLS(ctx context.Context) *AuthInfo
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
type TokenProvider interface {
info(ctx context.Context, token string, revision uint64) (*AuthInfo, bool)
assign(ctx context.Context, username string, revision uint64) (string, error)
enable()
disable()
invalidateUser(string)
genTokenPrefix() (string, error)
}
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
type authStore struct {
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
be backend.Backend
enabled bool
enabledMu sync.RWMutex
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
rangePermCache map[string]*unifiedRangePermissions // username -> unifiedRangePermissions
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
revision uint64
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
tokenProvider TokenProvider
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
}
auth: add root user and root role
2016-06-08 07:44:54 +03:00
func (as *authStore) AuthEnable() error {
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
as.enabledMu.Lock()
defer as.enabledMu.Unlock()
if as.enabled {
plog.Noticef("Authentication already enabled")
return nil
}
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
b := as.be
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
tx := b.BatchTx()
tx.Lock()
auth: add root user and root role
2016-06-08 07:44:54 +03:00
defer func() {
tx.Unlock()
b.ForceCommit()
}()
u := getUser(tx, rootUser)
if u == nil {
return ErrRootUserNotExist
}
*: add admin permission checking
2016-06-09 23:40:26 +03:00
if !hasRootRole(u) {
auth: add root user and root role
2016-06-08 07:44:54 +03:00
return ErrRootRoleNotExist
}
auth: implement recover
2016-06-10 19:37:37 +03:00
tx.UnsafePut(authBucketName, enableFlagKey, authEnabled)
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
as.enabled = true
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.enable()
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
as.rangePermCache = make(map[string]*unifiedRangePermissions)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.revision = getRevision(tx)
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
plog.Noticef("Authentication enabled")
auth: add root user and root role
2016-06-08 07:44:54 +03:00
return nil
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
func (as *authStore) AuthDisable() {
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
as.enabledMu.Lock()
defer as.enabledMu.Unlock()
if !as.enabled {
return
}
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
b := as.be
tx := b.BatchTx()
tx.Lock()
auth: implement recover
2016-06-10 19:37:37 +03:00
tx.UnsafePut(authBucketName, enableFlagKey, authDisabled)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
tx.Unlock()
b.ForceCommit()
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
as.enabled = false
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.disable()
auth: invalidate every token in disabling auth
2016-06-22 09:43:43 +03:00
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
plog.Noticef("Authentication disabled")
}
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
func (as *authStore) Close() error {
as.enabledMu.Lock()
defer as.enabledMu.Unlock()
if !as.enabled {
return nil
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.disable()
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
return nil
}
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
func (as *authStore) Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error) {
auth, etcdserver: let Authenticate() fail if auth isn't enabled Successful Authenticate() would be confusing and make trouble shooting harder if auth isn't enabled in a cluster.
2016-06-20 11:09:13 +03:00
if !as.isAuthEnabled() {
return nil, ErrAuthNotEnabled
}
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
user := getUser(tx, username)
auth: cleanup get user and get role usage
2016-06-10 23:23:28 +03:00
if user == nil {
return nil, ErrAuthFailed
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
// Password checking is already performed in the API layer, so we don't need to check for now.
// Staleness of password can be detected with OCC in the API layer, too.
token, err := as.tokenProvider.assign(ctx, username, as.revision)
if err != nil {
return nil, err
}
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
plog.Debugf("authorized %s, token is %s", username, token)
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
return &pb.AuthenticateResponse{Token: token}, nil
}
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
func (as *authStore) CheckPassword(username, password string) (uint64, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
user := getUser(tx, username)
if user == nil {
return 0, ErrAuthFailed
}
if bcrypt.CompareHashAndPassword(user.Password, []byte(password)) != nil {
plog.Noticef("authentication failed, invalid password for user %s", username)
return 0, ErrAuthFailed
}
return getRevision(tx), nil
}
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
func (as *authStore) Recover(be backend.Backend) {
auth: implement recover
2016-06-10 19:37:37 +03:00
enabled := false
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
as.be = be
auth: implement recover
2016-06-10 19:37:37 +03:00
tx := be.BatchTx()
tx.Lock()
_, vs := tx.UnsafeRange(authBucketName, enableFlagKey, nil, 0)
if len(vs) == 1 {
if bytes.Equal(vs[0], authEnabled) {
enabled = true
}
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.revision = getRevision(tx)
auth: implement recover
2016-06-10 19:37:37 +03:00
tx.Unlock()
as.enabledMu.Lock()
as.enabled = enabled
as.enabledMu.Unlock()
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
}
*: add Auth prefix to auth related requests and responses
2016-03-29 08:32:19 +03:00
func (as *authStore) UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error) {
auth, etcdserver: forbid adding a user with empty name
2016-11-02 07:37:37 +03:00
if len(r.Name) == 0 {
return nil, ErrUserEmpty
}
auth: set bcrypt cost to minimum for test cases DefaultCost makes auth tests 10x more expensive than MinCost. Fixes #5851
2016-07-07 09:01:09 +03:00
hashed, err := bcrypt.GenerateFromPassword([]byte(r.Password), BcryptCost)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
if err != nil {
plog.Errorf("failed to hash password: %s", err)
return nil, err
}
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getuser
2016-06-08 08:42:39 +03:00
user := getUser(tx, r.Name)
if user != nil {
return nil, ErrUserAlreadyExist
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
}
auth: add put_user
2016-06-10 21:27:42 +03:00
newUser := &authpb.User{
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
Name: []byte(r.Name),
Password: hashed,
}
auth: add put_user
2016-06-10 21:27:42 +03:00
putUser(tx, newUser)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
plog.Noticef("added a new user: %s", r.Name)
*: add Auth prefix to auth related requests and responses
2016-03-29 08:32:19 +03:00
return &pb.AuthUserAddResponse{}, nil
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
}
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
func (as *authStore) UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error) {
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
if as.enabled && strings.Compare(r.Name, rootUser) == 0 {
plog.Errorf("the user root must not be deleted")
return nil, ErrInvalidAuthMgmt
}
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getuser
2016-06-08 08:42:39 +03:00
user := getUser(tx, r.Name)
if user == nil {
return nil, ErrUserNotFound
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
delUser(tx, r.Name)
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
as.invalidateCachedPerm(r.Name)
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.invalidateUser(r.Name)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
plog.Noticef("deleted a user: %s", r.Name)
return &pb.AuthUserDeleteResponse{}, nil
}
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
func (as *authStore) UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*pb.AuthUserChangePasswordResponse, error) {
// TODO(mitake): measure the cost of bcrypt.GenerateFromPassword()
// If the cost is too high, we should move the encryption to outside of the raft
auth: set bcrypt cost to minimum for test cases DefaultCost makes auth tests 10x more expensive than MinCost. Fixes #5851
2016-07-07 09:01:09 +03:00
hashed, err := bcrypt.GenerateFromPassword([]byte(r.Password), BcryptCost)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
if err != nil {
plog.Errorf("failed to hash password: %s", err)
return nil, err
}
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getuser
2016-06-08 08:42:39 +03:00
user := getUser(tx, r.Name)
if user == nil {
return nil, ErrUserNotFound
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
}
auth: add put_user
2016-06-10 21:27:42 +03:00
updatedUser := &authpb.User{
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
Name: []byte(r.Name),
auth: add put_user
2016-06-10 21:27:42 +03:00
Roles: user.Roles,
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
Password: hashed,
}
auth: add put_user
2016-06-10 21:27:42 +03:00
putUser(tx, updatedUser)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
as.invalidateCachedPerm(r.Name)
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.invalidateUser(r.Name)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
plog.Noticef("changed a password of a user: %s", r.Name)
return &pb.AuthUserChangePasswordResponse{}, nil
}
auth: make naming consistent
2016-06-07 06:17:28 +03:00
func (as *authStore) UserGrantRole(r *pb.AuthUserGrantRoleRequest) (*pb.AuthUserGrantRoleResponse, error) {
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getuser
2016-06-08 08:42:39 +03:00
user := getUser(tx, r.User)
if user == nil {
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
return nil, ErrUserNotFound
}
auth: add root user and root role
2016-06-08 07:44:54 +03:00
if r.Role != rootRole {
auth: cleanup get user and get role usage
2016-06-10 23:23:28 +03:00
role := getRole(tx, r.Role)
if role == nil {
auth: add root user and root role
2016-06-08 07:44:54 +03:00
return nil, ErrRoleNotFound
}
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
}
idx := sort.SearchStrings(user.Roles, r.Role)
if idx < len(user.Roles) && strings.Compare(user.Roles[idx], r.Role) == 0 {
plog.Warningf("user %s is already granted role %s", r.User, r.Role)
auth: make naming consistent
2016-06-07 06:17:28 +03:00
return &pb.AuthUserGrantRoleResponse{}, nil
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
}
user.Roles = append(user.Roles, r.Role)
sort.Sort(sort.StringSlice(user.Roles))
auth: add put_user
2016-06-10 21:27:42 +03:00
putUser(tx, user)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
as.invalidateCachedPerm(r.User)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
plog.Noticef("granted role %s to user %s", r.Role, r.User)
auth: make naming consistent
2016-06-07 06:17:28 +03:00
return &pb.AuthUserGrantRoleResponse{}, nil
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
}
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
func (as *authStore) UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
var resp pb.AuthUserGetResponse
auth: add getuser
2016-06-08 08:42:39 +03:00
user := getUser(tx, r.Name)
if user == nil {
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
return nil, ErrUserNotFound
}
auth: fix gosimple errors
2016-12-09 23:05:19 +03:00
resp.Roles = append(resp.Roles, user.Roles...)
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
return &resp, nil
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
func (as *authStore) UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
var resp pb.AuthUserListResponse
users := getAllUsers(tx)
for _, u := range users {
resp.Users = append(resp.Users, string(u.Name))
}
return &resp, nil
}
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
func (as *authStore) UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error) {
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
if as.enabled && strings.Compare(r.Name, rootUser) == 0 && strings.Compare(r.Role, rootRole) == 0 {
plog.Errorf("the role root must not be revoked from the user root")
return nil, ErrInvalidAuthMgmt
}
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getuser
2016-06-08 08:42:39 +03:00
user := getUser(tx, r.Name)
if user == nil {
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
return nil, ErrUserNotFound
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
updatedUser := &authpb.User{
Name: user.Name,
Password: user.Password,
}
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
for _, role := range user.Roles {
if strings.Compare(role, r.Role) != 0 {
updatedUser.Roles = append(updatedUser.Roles, role)
}
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
if len(updatedUser.Roles) == len(user.Roles) {
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
return nil, ErrRoleNotGranted
}
auth: add put_user
2016-06-10 21:27:42 +03:00
putUser(tx, updatedUser)
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
as.invalidateCachedPerm(r.Name)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
plog.Noticef("revoked role %s from user %s", r.Role, r.Name)
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
return &pb.AuthUserRevokeRoleResponse{}, nil
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
}
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
func (as *authStore) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
var resp pb.AuthRoleGetResponse
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Role)
if role == nil {
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
return nil, ErrRoleNotFound
}
auth: fix gosimple errors
2016-12-09 23:05:19 +03:00
resp.Perm = append(resp.Perm, role.KeyPermission...)
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
return &resp, nil
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
func (as *authStore) RoleList(r *pb.AuthRoleListRequest) (*pb.AuthRoleListResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
var resp pb.AuthRoleListResponse
roles := getAllRoles(tx)
for _, r := range roles {
resp.Roles = append(resp.Roles, string(r.Name))
}
return &resp, nil
}
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
func (as *authStore) RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest) (*pb.AuthRoleRevokePermissionResponse, error) {
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Role)
if role == nil {
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
return nil, ErrRoleNotFound
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
updatedRole := &authpb.Role{
Name: role.Name,
}
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
for _, perm := range role.KeyPermission {
*: support granting and revoking range This commit adds a feature for granting and revoking range of keys, not a single key. Example: $ ETCDCTL_API=3 bin/etcdctl role grant r1 readwrite k1 k3 Role r1 updated $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: [a, b) [k1, k3) [k2, k4) KV Write: [a, b) [k1, k3) [k2, k4) $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k4 k1 v1 $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k5 Error: etcdserver: permission denied
2016-06-08 21:52:57 +03:00
if !bytes.Equal(perm.Key, []byte(r.Key)) || !bytes.Equal(perm.RangeEnd, []byte(r.RangeEnd)) {
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
updatedRole.KeyPermission = append(updatedRole.KeyPermission, perm)
}
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
if len(role.KeyPermission) == len(updatedRole.KeyPermission) {
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
return nil, ErrPermissionNotGranted
}
auth: add put role
2016-06-10 23:20:48 +03:00
putRole(tx, updatedRole)
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
// TODO(mitake): currently single role update invalidates every cache
// It should be optimized.
as.clearCachedPerm()
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
plog.Noticef("revoked key %s from role %s", r.Key, r.Role)
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
return &pb.AuthRoleRevokePermissionResponse{}, nil
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
}
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
func (as *authStore) RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error) {
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
if as.enabled && strings.Compare(r.Role, rootRole) == 0 {
plog.Errorf("the role root must not be deleted")
return nil, ErrInvalidAuthMgmt
}
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Role)
if role == nil {
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
return nil, ErrRoleNotFound
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
delRole(tx, r.Role)
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
*: revoke a deleted role This commit resolves a TODO of auth store: Current scheme of role deletion allows existing users to have the deleted roles. Assume a case like below: create a role r1 create a user u1 and grant r1 to u1 delete r1 After this sequence, u1 is still granted the role r1. So if admin create a new role with the name r1, The new r1 is automatically granted u1. In some cases, it would be confusing. So we need to revoke the deleted role from all users.
2017-03-17 09:18:40 +03:00
users := getAllUsers(tx)
for _, user := range users {
updatedUser := &authpb.User{
Name: user.Name,
Password: user.Password,
}
for _, role := range user.Roles {
if strings.Compare(role, r.Role) != 0 {
updatedUser.Roles = append(updatedUser.Roles, role)
}
}
if len(updatedUser.Roles) == len(user.Roles) {
continue
}
putUser(tx, updatedUser)
as.invalidateCachedPerm(string(user.Name))
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
plog.Noticef("deleted role %s", r.Role)
return &pb.AuthRoleDeleteResponse{}, nil
}
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
func (as *authStore) RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Name)
if role != nil {
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
return nil, ErrRoleAlreadyExist
}
newRole := &authpb.Role{
Name: []byte(r.Name),
}
auth: add put role
2016-06-10 23:20:48 +03:00
putRole(tx, newRole)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
plog.Noticef("Role %s is created", r.Name)
return &pb.AuthRoleAddResponse{}, nil
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
func (as *authStore) authInfoFromToken(ctx context.Context, token string) (*AuthInfo, bool) {
return as.tokenProvider.info(ctx, token, as.revision)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
type permSlice []*authpb.Permission
func (perms permSlice) Len() int {
return len(perms)
}
func (perms permSlice) Less(i, j int) bool {
return bytes.Compare(perms[i].Key, perms[j].Key) < 0
}
func (perms permSlice) Swap(i, j int) {
perms[i], perms[j] = perms[j], perms[i]
}
auth: make naming consistent
2016-06-07 06:17:28 +03:00
func (as *authStore) RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (*pb.AuthRoleGrantPermissionResponse, error) {
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Name)
if role == nil {
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
return nil, ErrRoleNotFound
}
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
idx := sort.Search(len(role.KeyPermission), func(i int) bool {
return bytes.Compare(role.KeyPermission[i].Key, []byte(r.Perm.Key)) >= 0
})
*: support granting and revoking range This commit adds a feature for granting and revoking range of keys, not a single key. Example: $ ETCDCTL_API=3 bin/etcdctl role grant r1 readwrite k1 k3 Role r1 updated $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: [a, b) [k1, k3) [k2, k4) KV Write: [a, b) [k1, k3) [k2, k4) $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k4 k1 v1 $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k5 Error: etcdserver: permission denied
2016-06-08 21:52:57 +03:00
if idx < len(role.KeyPermission) && bytes.Equal(role.KeyPermission[idx].Key, r.Perm.Key) && bytes.Equal(role.KeyPermission[idx].RangeEnd, r.Perm.RangeEnd) {
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
// update existing permission
role.KeyPermission[idx].PermType = r.Perm.PermType
} else {
// append new permission to the role
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
newPerm := &authpb.Permission{
Key: []byte(r.Perm.Key),
*: support granting and revoking range This commit adds a feature for granting and revoking range of keys, not a single key. Example: $ ETCDCTL_API=3 bin/etcdctl role grant r1 readwrite k1 k3 Role r1 updated $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: [a, b) [k1, k3) [k2, k4) KV Write: [a, b) [k1, k3) [k2, k4) $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k4 k1 v1 $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k5 Error: etcdserver: permission denied
2016-06-08 21:52:57 +03:00
RangeEnd: []byte(r.Perm.RangeEnd),
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
PermType: r.Perm.PermType,
}
role.KeyPermission = append(role.KeyPermission, newPerm)
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
sort.Sort(permSlice(role.KeyPermission))
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
}
auth: add put role
2016-06-10 23:20:48 +03:00
putRole(tx, role)
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
// TODO(mitake): currently single role update invalidates every cache
// It should be optimized.
as.clearCachedPerm()
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
plog.Noticef("role %s's permission of key %s is updated as %s", r.Name, r.Perm.Key, authpb.Permission_Type_name[int32(r.Perm.PermType)])
auth: make naming consistent
2016-06-07 06:17:28 +03:00
return &pb.AuthRoleGrantPermissionResponse{}, nil
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) isOpPermitted(userName string, revision uint64, key, rangeEnd []byte, permTyp authpb.Permission_Type) error {
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
// TODO(mitake): this function would be costly so we need a caching mechanism
if !as.isAuthEnabled() {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
}
auth: reject empty user name when checking op permissions Passing AuthInfo{} to permission checking was causing an infinite loop because it would always return an old revision error. Fixes #7124
2017-01-10 02:27:09 +03:00
// only gets rev == 0 when passed AuthInfo{}; no user given
if revision == 0 {
return ErrUserEmpty
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
if revision < as.revision {
return ErrAuthOldRevision
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getuser
2016-06-08 08:42:39 +03:00
user := getUser(tx, userName)
if user == nil {
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
plog.Errorf("invalid user name %s for permission checking", userName)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return ErrPermissionDenied
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, e2e, clientv3: the root role should be granted access to every key This commit changes the semantics of the root role. The role should be able to access to every key. Partially fixes https://github.com/coreos/etcd/issues/6355
2016-09-06 05:32:25 +03:00
// root role should have permission on all ranges
if hasRootRole(user) {
return nil
}
auth: store cached permission information in a form of interval tree This commit change the type of cached permission information from the home made thing to interval tree. It improves computational complexity of permission checking from O(n) to O(lg n).
2017-03-22 11:29:48 +03:00
if as.isRangeOpPermitted(tx, userName, string(key), string(rangeEnd), permTyp) {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return ErrPermissionDenied
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsPutPermitted(authInfo *AuthInfo, key []byte) error {
return as.isOpPermitted(authInfo.Username, authInfo.Revision, key, nil, authpb.WRITE)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error {
return as.isOpPermitted(authInfo.Username, authInfo.Revision, key, rangeEnd, authpb.READ)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsDeleteRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error {
return as.isOpPermitted(authInfo.Username, authInfo.Revision, key, rangeEnd, authpb.WRITE)
*: support deleteRange perm checking
2016-06-14 03:19:59 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsAdminPermitted(authInfo *AuthInfo) error {
*: add admin permission checking
2016-06-09 23:40:26 +03:00
if !as.isAuthEnabled() {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
*: add admin permission checking
2016-06-09 23:40:26 +03:00
}
auth: nil check AuthInfo when checking admin permissions If the context does not include auth information, get authinfo will return a nil auth info and a nil error. This is then passed to IsAdminPermitted, which would dereference the nil auth info.
2017-03-10 22:07:11 +03:00
if authInfo == nil {
return ErrUserEmpty
}
*: add admin permission checking
2016-06-09 23:40:26 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
u := getUser(tx, authInfo.Username)
*: add admin permission checking
2016-06-09 23:40:26 +03:00
if u == nil {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return ErrUserNotFound
}
if !hasRootRole(u) {
return ErrPermissionDenied
*: add admin permission checking
2016-06-09 23:40:26 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
*: add admin permission checking
2016-06-09 23:40:26 +03:00
}
auth: add getuser
2016-06-08 08:42:39 +03:00
func getUser(tx backend.BatchTx, username string) *authpb.User {
_, vs := tx.UnsafeRange(authUsersBucketName, []byte(username), nil, 0)
if len(vs) == 0 {
return nil
}
user := &authpb.User{}
err := user.Unmarshal(vs[0])
if err != nil {
plog.Panicf("failed to unmarshal user struct (name: %s): %s", username, err)
}
return user
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
func getAllUsers(tx backend.BatchTx) []*authpb.User {
_, vs := tx.UnsafeRange(authUsersBucketName, []byte{0}, []byte{0xff}, -1)
if len(vs) == 0 {
return nil
}
var users []*authpb.User
for _, v := range vs {
user := &authpb.User{}
err := user.Unmarshal(v)
if err != nil {
plog.Panicf("failed to unmarshal user struct: %s", err)
}
users = append(users, user)
}
return users
}
auth: add put_user
2016-06-10 21:27:42 +03:00
func putUser(tx backend.BatchTx, user *authpb.User) {
b, err := user.Marshal()
if err != nil {
plog.Panicf("failed to marshal user struct (name: %s): %s", user.Name, err)
}
tx.UnsafePut(authUsersBucketName, user.Name, b)
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
func delUser(tx backend.BatchTx, username string) {
tx.UnsafeDelete(authUsersBucketName, []byte(username))
}
auth: add getRole
2016-06-10 20:59:34 +03:00
func getRole(tx backend.BatchTx, rolename string) *authpb.Role {
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(rolename), nil, 0)
if len(vs) == 0 {
return nil
}
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
plog.Panicf("failed to unmarshal role struct (name: %s): %s", rolename, err)
}
return role
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
func getAllRoles(tx backend.BatchTx) []*authpb.Role {
_, vs := tx.UnsafeRange(authRolesBucketName, []byte{0}, []byte{0xff}, -1)
if len(vs) == 0 {
return nil
}
var roles []*authpb.Role
for _, v := range vs {
role := &authpb.Role{}
err := role.Unmarshal(v)
if err != nil {
plog.Panicf("failed to unmarshal role struct: %s", err)
}
roles = append(roles, role)
}
return roles
}
auth: add put role
2016-06-10 23:20:48 +03:00
func putRole(tx backend.BatchTx, role *authpb.Role) {
b, err := role.Marshal()
if err != nil {
plog.Panicf("failed to marshal role struct (name: %s): %s", role.Name, err)
}
tx.UnsafePut(authRolesBucketName, []byte(role.Name), b)
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
func delRole(tx backend.BatchTx, rolename string) {
tx.UnsafeDelete(authRolesBucketName, []byte(rolename))
}
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
func (as *authStore) isAuthEnabled() bool {
as.enabledMu.RLock()
defer as.enabledMu.RUnlock()
return as.enabled
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
func NewAuthStore(be backend.Backend, tp TokenProvider) *authStore {
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
tx := be.BatchTx()
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
tx.Lock()
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
tx.UnsafeCreateBucket(authBucketName)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
tx.UnsafeCreateBucket(authUsersBucketName)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
tx.UnsafeCreateBucket(authRolesBucketName)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
enabled := false
_, vs := tx.UnsafeRange(authBucketName, enableFlagKey, nil, 0)
if len(vs) == 1 {
if bytes.Equal(vs[0], authEnabled) {
enabled = true
}
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as := &authStore{
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
be: be,
revision: getRevision(tx),
enabled: enabled,
rangePermCache: make(map[string]*unifiedRangePermissions),
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
tokenProvider: tp,
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
}
if enabled {
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.enable()
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: keep old revision in 'NewAuthStore' When there's no changes yet (right after auth store initialization), we should commit old revision. Fix https://github.com/coreos/etcd/issues/7359.
2017-02-22 01:37:15 +03:00
if as.revision == 0 {
as.commitRevision(tx)
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
tx.Unlock()
be.ForceCommit()
return as
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
*: add admin permission checking
2016-06-09 23:40:26 +03:00
func hasRootRole(u *authpb.User) bool {
for _, r := range u.Roles {
if r == rootRole {
return true
}
}
return false
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) commitRevision(tx backend.BatchTx) {
as.revision++
revBytes := make([]byte, revBytesLen)
binary.BigEndian.PutUint64(revBytes, as.revision)
tx.UnsafePut(authBucketName, revisionKey, revBytes)
}
func getRevision(tx backend.BatchTx) uint64 {
_, vs := tx.UnsafeRange(authBucketName, []byte(revisionKey), nil, 0)
if len(vs) != 1 {
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
// this can happen in the initialization phase
return 0
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
}
return binary.BigEndian.Uint64(vs[0])
}
func (as *authStore) Revision() uint64 {
return as.revision
}
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
func (as *authStore) AuthInfoFromTLS(ctx context.Context) *AuthInfo {
peer, ok := peer.FromContext(ctx)
if !ok || peer == nil || peer.AuthInfo == nil {
return nil
}
tlsInfo := peer.AuthInfo.(credentials.TLSInfo)
for _, chains := range tlsInfo.State.VerifiedChains {
for _, chain := range chains {
cn := chain.Subject.CommonName
plog.Debugf("found common name %s", cn)
return &AuthInfo{
Username: cn,
Revision: as.Revision(),
}
}
}
return nil
}
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
func (as *authStore) AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error) {
md, ok := metadata.FromContext(ctx)
if !ok {
return nil, nil
}
ts, tok := md["token"]
if !tok {
return nil, nil
}
token := ts[0]
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
authInfo, uok := as.authInfoFromToken(ctx, token)
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
if !uok {
plog.Warningf("invalid auth token: %s", token)
return nil, ErrInvalidAuthToken
}
return authInfo, nil
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
func (as *authStore) GenTokenPrefix() (string, error) {
return as.tokenProvider.genTokenPrefix()
}
func decomposeOpts(optstr string) (string, map[string]string, error) {
opts := strings.Split(optstr, ",")
tokenType := opts[0]
typeSpecificOpts := make(map[string]string)
for i := 1; i < len(opts); i++ {
pair := strings.Split(opts[i], "=")
if len(pair) != 2 {
plog.Errorf("invalid token specific option: %s", optstr)
return "", nil, ErrInvalidAuthOpts
}
if _, ok := typeSpecificOpts[pair[0]]; ok {
plog.Errorf("invalid token specific option, duplicated parameters (%s): %s", pair[0], optstr)
return "", nil, ErrInvalidAuthOpts
}
typeSpecificOpts[pair[0]] = pair[1]
}
return tokenType, typeSpecificOpts, nil
}
func NewTokenProvider(tokenOpts string, indexWaiter func(uint64) <-chan struct{}) (TokenProvider, error) {
tokenType, typeSpecificOpts, err := decomposeOpts(tokenOpts)
if err != nil {
return nil, ErrInvalidAuthOpts
}
switch tokenType {
case "simple":
plog.Warningf("simple token is not cryptographically signed")
return newTokenProviderSimple(indexWaiter), nil
case "jwt":
return newTokenProviderJWT(typeSpecificOpts)
default:
plog.Errorf("unknown token type: %s", tokenType)
return nil, ErrInvalidAuthOpts
}
}