vitalif
/
etcd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
etcd/auth/store.go

1416 lines
35 KiB
Go
Raw Normal View History

auth: update LICENSE header
2016-05-13 06:51:14 +03:00
// Copyright 2016 The etcd Authors
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package auth
import (
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
"bytes"
*: replace 'golang.org/x/net/context' with 'context' Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-09-07 00:57:25 +03:00
"context"
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
"encoding/binary"
etcdserver: return internal error in a case of not auth specific errors
2016-03-28 07:00:10 +03:00
"errors"
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
"sort"
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
"strings"
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
"sync"
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
"sync/atomic"
etcdserver: return internal error in a case of not auth specific errors
2016-03-28 07:00:10 +03:00
*: revert module import paths Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
2019-05-29 00:59:02 +03:00
"go.etcd.io/etcd/auth/authpb"
"go.etcd.io/etcd/etcdserver/api/v3rpc/rpctypes"
pb "go.etcd.io/etcd/etcdserver/etcdserverpb"
"go.etcd.io/etcd/mvcc/backend"
*: replace 'golang.org/x/net/context' with 'context' Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-09-07 00:57:25 +03:00
*: migrate Godeps to vendor/
2016-03-23 03:10:28 +03:00
"github.com/coreos/pkg/capnslog"
auth: support structured logger Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-16 13:59:26 +03:00
"go.uber.org/zap"
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
"golang.org/x/crypto/bcrypt"
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
"google.golang.org/grpc/credentials"
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
"google.golang.org/grpc/metadata"
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
"google.golang.org/grpc/peer"
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
)
var (
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
enableFlagKey = []byte("authEnabled")
auth: implement recover
2016-06-10 19:37:37 +03:00
authEnabled = []byte{1}
authDisabled = []byte{0}
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
revisionKey = []byte("authRevision")
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
authBucketName = []byte("auth")
authUsersBucketName = []byte("authUsers")
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
authRolesBucketName = []byte("authRoles")
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
auth: update Go import paths to "go.etcd.io" Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
2018-08-29 03:12:52 +03:00
plog = capnslog.NewPackageLogger("go.etcd.io/etcd", "auth")
etcdserver: return internal error in a case of not auth specific errors
2016-03-28 07:00:10 +03:00
auth: add root user and root role
2016-06-08 07:44:54 +03:00
ErrRootUserNotExist = errors.New("auth: root user does not exist")
ErrRootRoleNotExist = errors.New("auth: root user does not have root role")
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
ErrUserAlreadyExist = errors.New("auth: user already exists")
auth, etcdserver: forbid adding a user with empty name
2016-11-02 07:37:37 +03:00
ErrUserEmpty = errors.New("auth: user name is empty")
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
ErrUserNotFound = errors.New("auth: user not found")
ErrRoleAlreadyExist = errors.New("auth: role already exists")
ErrRoleNotFound = errors.New("auth: role not found")
ErrAuthFailed = errors.New("auth: authentication failed, invalid user ID or password")
ErrPermissionDenied = errors.New("auth: permission denied")
ErrRoleNotGranted = errors.New("auth: role is not granted to the user")
ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role")
auth, etcdserver: let Authenticate() fail if auth isn't enabled Successful Authenticate() would be confusing and make trouble shooting harder if auth isn't enabled in a cluster.
2016-06-20 11:09:13 +03:00
ErrAuthNotEnabled = errors.New("auth: authentication is not enabled")
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
ErrAuthOldRevision = errors.New("auth: revision in header is old")
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
ErrInvalidAuthToken = errors.New("auth: invalid auth token")
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
ErrInvalidAuthOpts = errors.New("auth: invalid auth options")
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
ErrInvalidAuthMgmt = errors.New("auth: invalid auth management")
auth: Support all JWT algorithms This change adds support to etcd for all of the JWT algorithms included in the underlying JWT library.
2018-06-22 19:21:40 +03:00
ErrInvalidAuthMethod = errors.New("auth: invalid auth signature method")
ErrMissingKey = errors.New("auth: missing key data")
ErrKeyMismatch = errors.New("auth: public and private keys don't match")
ErrVerifyOnly = errors.New("auth: token signing attempted with verify-only key")
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
)
auth: add root user and root role
2016-06-08 07:44:54 +03:00
const (
rootUser = "root"
rootRole = "root"
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: fix panic using WithRoot and improve JWT coverage
2018-05-04 23:16:39 +03:00
tokenTypeSimple = "simple"
tokenTypeJWT = "jwt"
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
revBytesLen = 8
auth: add root user and root role
2016-06-08 07:44:54 +03:00
)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
type AuthInfo struct {
Username string
Revision uint64
}
auth, etcdserver: follow the correct usage of context The keys of context shouldn't be string. They should be a struct of their own type. Fix https://github.com/coreos/etcd/issues/8826
2017-11-21 09:00:13 +03:00
// AuthenticateParamIndex is used for a key of context in the parameters of Authenticate()
type AuthenticateParamIndex struct{}
// AuthenticateParamSimpleTokenPrefix is used for a key of context in the parameters of Authenticate()
type AuthenticateParamSimpleTokenPrefix struct{}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
// AuthStore defines auth storage interface.
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
type AuthStore interface {
auth: add tests
2016-04-27 19:15:23 +03:00
// AuthEnable turns on the authentication feature
auth: add root user and root role
2016-06-08 07:44:54 +03:00
AuthEnable() error
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
// AuthDisable turns off the authentication feature
AuthDisable()
auth: add "IsAuthEnabled" method Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-02-28 02:37:01 +03:00
// IsAuthEnabled returns true if the authentication feature is enabled.
IsAuthEnabled() bool
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
// Authenticate does authentication based on given user name and password
Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error)
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
// Recover recovers the state of auth store from the given backend
Recover(b backend.Backend)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
// UserAdd adds a new user
*: add Auth prefix to auth related requests and responses
2016-03-29 08:32:19 +03:00
UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error)
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
// UserDelete deletes a user
UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
// UserChangePassword changes a password of a user
UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*pb.AuthUserChangePasswordResponse, error)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
auth: make naming consistent
2016-06-07 06:17:28 +03:00
// UserGrantRole grants a role to the user
UserGrantRole(r *pb.AuthUserGrantRoleRequest) (*pb.AuthUserGrantRoleResponse, error)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
// UserGet gets the detailed information of a users
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error)
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
// UserRevokeRole revokes a role of a user
UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error)
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
// RoleAdd adds a new role
RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse, error)
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
auth: make naming consistent
2016-06-07 06:17:28 +03:00
// RoleGrantPermission grants a permission to a role
RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (*pb.AuthRoleGrantPermissionResponse, error)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
// RoleGet gets the detailed information of a role
RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error)
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
// RoleRevokePermission gets the detailed information of a role
RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest) (*pb.AuthRoleRevokePermissionResponse, error)
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
// RoleDelete gets the detailed information of a role
RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error)
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
// UserList gets a list of all users
UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListResponse, error)
// RoleList gets a list of all roles
RoleList(r *pb.AuthRoleListRequest) (*pb.AuthRoleListResponse, error)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
// IsPutPermitted checks put permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsPutPermitted(authInfo *AuthInfo, key []byte) error
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
// IsRangePermitted checks range permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
*: add admin permission checking
2016-06-09 23:40:26 +03:00
*: support deleteRange perm checking
2016-06-14 03:19:59 +03:00
// IsDeleteRangePermitted checks delete-range permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsDeleteRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
*: support deleteRange perm checking
2016-06-14 03:19:59 +03:00
*: add admin permission checking
2016-06-09 23:40:26 +03:00
// IsAdminPermitted checks admin permission of the user
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
IsAdminPermitted(authInfo *AuthInfo) error
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
// GenTokenPrefix produces a random string in a case of simple token
// in a case of JWT, it produces an empty string
GenTokenPrefix() (string, error)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
// Revision gets current revision of authStore
Revision() uint64
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
// CheckPassword checks a given pair of username and password is correct
CheckPassword(username, password string) (uint64, error)
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
// Close does cleanup of AuthStore
Close() error
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
// AuthInfoFromCtx gets AuthInfo from gRPC's context
AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error)
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
// AuthInfoFromTLS gets AuthInfo from TLS info of gRPC's context
AuthInfoFromTLS(ctx context.Context) *AuthInfo
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
// WithRoot generates and installs a token that can be used as a root credential
WithRoot(ctx context.Context) context.Context
auth, etcdserver: allow users to know their roles and permissions Current UserGet() and RoleGet() RPCs require admin permission. It means that users cannot know which roles they belong to and what permissions the roles have. This commit change the semantics and now users can know their roles and permissions.
2017-06-23 08:40:37 +03:00
// HasRole checks that user has role
HasRole(user, role string) bool
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
type TokenProvider interface {
info(ctx context.Context, token string, revision uint64) (*AuthInfo, bool)
assign(ctx context.Context, username string, revision uint64) (string, error)
enable()
disable()
invalidateUser(string)
genTokenPrefix() (string, error)
}
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
type authStore struct {
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
// atomic operations; need 64-bit align, or 32-bit tests will crash
revision uint64
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
lg *zap.Logger
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
be backend.Backend
enabled bool
enabledMu sync.RWMutex
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
rangePermCache map[string]*unifiedRangePermissions // username -> unifiedRangePermissions
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
tokenProvider TokenProvider
*: make bcrypt-cost configurable
2018-05-03 21:43:32 +03:00
bcryptCost int // the algorithm cost / strength for hashing auth passwords
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
}
auth: add root user and root role
2016-06-08 07:44:54 +03:00
func (as *authStore) AuthEnable() error {
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
as.enabledMu.Lock()
defer as.enabledMu.Unlock()
if as.enabled {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info("authentication is already enabled; ignored auth enable request")
} else {
plog.Noticef("Authentication already enabled")
}
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
return nil
}
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
b := as.be
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
tx := b.BatchTx()
tx.Lock()
auth: add root user and root role
2016-06-08 07:44:54 +03:00
defer func() {
tx.Unlock()
b.ForceCommit()
}()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
u := getUser(as.lg, tx, rootUser)
auth: add root user and root role
2016-06-08 07:44:54 +03:00
if u == nil {
return ErrRootUserNotExist
}
*: add admin permission checking
2016-06-09 23:40:26 +03:00
if !hasRootRole(u) {
auth: add root user and root role
2016-06-08 07:44:54 +03:00
return ErrRootRoleNotExist
}
auth: implement recover
2016-06-10 19:37:37 +03:00
tx.UnsafePut(authBucketName, enableFlagKey, authEnabled)
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
as.enabled = true
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.enable()
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
as.rangePermCache = make(map[string]*unifiedRangePermissions)
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
as.setRevision(getRevision(tx))
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info("enabled authentication")
} else {
plog.Noticef("Authentication enabled")
}
auth: add root user and root role
2016-06-08 07:44:54 +03:00
return nil
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
func (as *authStore) AuthDisable() {
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
as.enabledMu.Lock()
defer as.enabledMu.Unlock()
if !as.enabled {
return
}
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
b := as.be
tx := b.BatchTx()
tx.Lock()
auth: implement recover
2016-06-10 19:37:37 +03:00
tx.UnsafePut(authBucketName, enableFlagKey, authDisabled)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
tx.Unlock()
b.ForceCommit()
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
as.enabled = false
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.disable()
auth: invalidate every token in disabling auth
2016-06-22 09:43:43 +03:00
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info("disabled authentication")
} else {
plog.Noticef("Authentication disabled")
}
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase.
2016-05-07 21:24:43 +03:00
}
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
func (as *authStore) Close() error {
as.enabledMu.Lock()
defer as.enabledMu.Unlock()
if !as.enabled {
return nil
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.disable()
auth: add a timeout mechanism to simple token
2016-11-14 22:17:55 +03:00
return nil
}
auth, etcdserver: make auth tokens consistent for all nodes Currently auth tokens are generated in the replicated state machine layer randomly. It means one auth token generated in node A cannot be used for node B. It is problematic for load balancing and fail over. This commit moves the token generation logic from the state machine to API layer (before raft) and let all nodes share a single token. Log index of Raft is also added to a token for ensuring uniqueness of the token and detecting activation of the token in the cluster (some nodes can receive the token before generating and installing the token in its state machine). This commit also lets authStore have simple token related things. It is required because of unit test. The test requires cleaning of the state of the simple token things after one test (succeeding test can create duplicated token and it causes panic).
2016-06-09 03:11:26 +03:00
func (as *authStore) Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error) {
auth: add "IsAuthEnabled" method Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-02-28 02:37:01 +03:00
if !as.IsAuthEnabled() {
auth, etcdserver: let Authenticate() fail if auth isn't enabled Successful Authenticate() would be confusing and make trouble shooting harder if auth isn't enabled in a cluster.
2016-06-20 11:09:13 +03:00
return nil, ErrAuthNotEnabled
}
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, username)
auth: cleanup get user and get role usage
2016-06-10 23:23:28 +03:00
if user == nil {
return nil, ErrAuthFailed
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
}
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
if user.Options.NoPassword {
return nil, ErrAuthFailed
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
// Password checking is already performed in the API layer, so we don't need to check for now.
// Staleness of password can be detected with OCC in the API layer, too.
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
token, err := as.tokenProvider.assign(ctx, username, as.Revision())
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
if err != nil {
return nil, err
}
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Debug(
"authenticated a user",
zap.String("user-name", username),
zap.String("token", token),
)
} else {
plog.Debugf("authorized %s, token is %s", username, token)
}
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs.
2016-04-13 07:44:53 +03:00
return &pb.AuthenticateResponse{Token: token}, nil
}
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
func (as *authStore) CheckPassword(username, password string) (uint64, error) {
auth: add "IsAuthEnabled" method Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-02-28 02:37:01 +03:00
if !as.IsAuthEnabled() {
*: simply ignore ErrAuthNotEnabled in clientv3 if auth is not enabled Fix https://github.com/coreos/etcd/issues/7724
2017-04-18 10:00:53 +03:00
return 0, ErrAuthNotEnabled
}
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, username)
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
if user == nil {
return 0, ErrAuthFailed
}
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
if user.Options.NoPassword {
return 0, ErrAuthFailed
}
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
if bcrypt.CompareHashAndPassword(user.Password, []byte(password)) != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info("invalid password", zap.String("user-name", username))
} else {
plog.Noticef("authentication failed, invalid password for user %s", username)
}
auth, etcdserver: check password at API layer The cost of bcrypt password checking is quite high (almost 100ms on a modern machine) so executing it in apply loop will be problematic. This commit exclude the checking mechanism to the API layer. The password checking is validated with the OCC like way similar to the auth of serializable get. This commit also removes a unit test of Authenticate RPC from auth/store_test.go. It is because the RPC now accepts an auth request unconditionally and delegates the checking functionality to authStore.CheckPassword() (so a unit test for CheckPassword() is added). The combination of the two functionalities can be tested by e2e (e.g. TestCtlV3AuthWriteKey). Fixes https://github.com/coreos/etcd/issues/6530
2016-10-13 13:30:35 +03:00
return 0, ErrAuthFailed
}
return getRevision(tx), nil
}
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
func (as *authStore) Recover(be backend.Backend) {
auth: implement recover
2016-06-10 19:37:37 +03:00
enabled := false
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
as.be = be
auth: implement recover
2016-06-10 19:37:37 +03:00
tx := be.BatchTx()
tx.Lock()
_, vs := tx.UnsafeRange(authBucketName, enableFlagKey, nil, 0)
if len(vs) == 1 {
if bytes.Equal(vs[0], authEnabled) {
enabled = true
}
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
as.setRevision(getRevision(tx))
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: implement recover
2016-06-10 19:37:37 +03:00
tx.Unlock()
as.enabledMu.Lock()
as.enabled = enabled
as.enabledMu.Unlock()
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
}
*: add Auth prefix to auth related requests and responses
2016-03-29 08:32:19 +03:00
func (as *authStore) UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error) {
auth, etcdserver: forbid adding a user with empty name
2016-11-02 07:37:37 +03:00
if len(r.Name) == 0 {
return nil, ErrUserEmpty
}
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
var hashed []byte
var err error
if !r.Options.NoPassword {
hashed, err = bcrypt.GenerateFromPassword([]byte(r.Password), as.bcryptCost)
if err != nil {
if as.lg != nil {
as.lg.Warn(
"failed to bcrypt hash password",
zap.String("user-name", r.Name),
zap.Error(err),
)
} else {
plog.Errorf("failed to hash password: %s", err)
}
return nil, err
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
}
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
}
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, r.Name)
auth: add getuser
2016-06-08 08:42:39 +03:00
if user != nil {
return nil, ErrUserAlreadyExist
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
}
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
options := r.Options
if options == nil {
options = &authpb.UserAddOptions{
NoPassword: false,
}
}
auth: add put_user
2016-06-10 21:27:42 +03:00
newUser := &authpb.User{
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
Name: []byte(r.Name),
Password: hashed,
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
Options: options,
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putUser(as.lg, tx, newUser)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info("added a user", zap.String("user-name", r.Name))
} else {
plog.Noticef("added a new user: %s", r.Name)
}
*: add Auth prefix to auth related requests and responses
2016-03-29 08:32:19 +03:00
return &pb.AuthUserAddResponse{}, nil
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
}
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
func (as *authStore) UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error) {
auth: remove "strings.Compare == 0" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-05-01 01:10:56 +03:00
if as.enabled && r.Name == rootUser {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn("cannot delete 'root' user", zap.String("user-name", r.Name))
} else {
plog.Errorf("the user root must not be deleted")
}
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
return nil, ErrInvalidAuthMgmt
}
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, r.Name)
auth: add getuser
2016-06-08 08:42:39 +03:00
if user == nil {
return nil, ErrUserNotFound
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
delUser(tx, r.Name)
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
as.invalidateCachedPerm(r.Name)
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.invalidateUser(r.Name)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info(
"deleted a user",
zap.String("user-name", r.Name),
zap.Strings("user-roles", user.Roles),
)
} else {
plog.Noticef("deleted a user: %s", r.Name)
}
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1
2016-03-31 05:29:47 +03:00
return &pb.AuthUserDeleteResponse{}, nil
}
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
func (as *authStore) UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*pb.AuthUserChangePasswordResponse, error) {
// TODO(mitake): measure the cost of bcrypt.GenerateFromPassword()
// If the cost is too high, we should move the encryption to outside of the raft
*: make bcrypt-cost configurable
2018-05-03 21:43:32 +03:00
hashed, err := bcrypt.GenerateFromPassword([]byte(r.Password), as.bcryptCost)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
if err != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn(
"failed to bcrypt hash password",
zap.String("user-name", r.Name),
zap.Error(err),
)
} else {
plog.Errorf("failed to hash password: %s", err)
}
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
return nil, err
}
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, r.Name)
auth: add getuser
2016-06-08 08:42:39 +03:00
if user == nil {
return nil, ErrUserNotFound
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
}
auth: add put_user
2016-06-10 21:27:42 +03:00
updatedUser := &authpb.User{
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
Name: []byte(r.Name),
auth: add put_user
2016-06-10 21:27:42 +03:00
Roles: user.Roles,
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
Password: hashed,
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
Options: user.Options,
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putUser(as.lg, tx, updatedUser)
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
as.invalidateCachedPerm(r.Name)
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.invalidateUser(r.Name)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info(
"changed a password of a user",
zap.String("user-name", r.Name),
zap.Strings("user-roles", user.Roles),
)
} else {
plog.Noticef("changed a password of a user: %s", r.Name)
}
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users.
2016-03-31 08:31:07 +03:00
return &pb.AuthUserChangePasswordResponse{}, nil
}
auth: make naming consistent
2016-06-07 06:17:28 +03:00
func (as *authStore) UserGrantRole(r *pb.AuthUserGrantRoleRequest) (*pb.AuthUserGrantRoleResponse, error) {
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, r.User)
auth: add getuser
2016-06-08 08:42:39 +03:00
if user == nil {
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
return nil, ErrUserNotFound
}
auth: add root user and root role
2016-06-08 07:44:54 +03:00
if r.Role != rootRole {
auth: cleanup get user and get role usage
2016-06-10 23:23:28 +03:00
role := getRole(tx, r.Role)
if role == nil {
auth: add root user and root role
2016-06-08 07:44:54 +03:00
return nil, ErrRoleNotFound
}
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
}
idx := sort.SearchStrings(user.Roles, r.Role)
auth: remove "strings.Compare == 0" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-05-01 01:10:56 +03:00
if idx < len(user.Roles) && user.Roles[idx] == r.Role {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn(
"ignored grant role request to a user",
zap.String("user-name", r.User),
zap.Strings("user-roles", user.Roles),
zap.String("duplicate-role-name", r.Role),
)
} else {
plog.Warningf("user %s is already granted role %s", r.User, r.Role)
}
auth: make naming consistent
2016-06-07 06:17:28 +03:00
return &pb.AuthUserGrantRoleResponse{}, nil
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
}
user.Roles = append(user.Roles, r.Role)
auth: use "sort.Strings" instead of StringSlice Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-05 01:09:27 +03:00
sort.Strings(user.Roles)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putUser(as.lg, tx, user)
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
as.invalidateCachedPerm(r.User)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info(
"granted a role to a user",
zap.String("user-name", r.User),
zap.Strings("user-roles", user.Roles),
zap.String("added-role-name", r.Role),
)
} else {
plog.Noticef("granted role %s to user %s", r.Role, r.User)
}
auth: make naming consistent
2016-06-07 06:17:28 +03:00
return &pb.AuthUserGrantRoleResponse{}, nil
*: support granting a role to a user in v3 auth
2016-04-11 08:34:13 +03:00
}
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
func (as *authStore) UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, r.Name)
auth: clean up mutex lock/unlocks Only hold locks when needed. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:26:20 +03:00
tx.Unlock()
auth: add getuser
2016-06-08 08:42:39 +03:00
if user == nil {
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
return nil, ErrUserNotFound
}
auth: clean up mutex lock/unlocks Only hold locks when needed. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:26:20 +03:00
var resp pb.AuthUserGetResponse
auth: fix gosimple errors
2016-12-09 23:05:19 +03:00
resp.Roles = append(resp.Roles, user.Roles...)
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members.
2016-05-30 11:21:11 +03:00
return &resp, nil
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
func (as *authStore) UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
users := getAllUsers(as.lg, tx)
auth: clean up mutex lock/unlocks Only hold locks when needed. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:26:20 +03:00
tx.Unlock()
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
resp := &pb.AuthUserListResponse{Users: make([]string, len(users))}
for i := range users {
resp.Users[i] = string(users[i].Name)
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
return resp, nil
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
func (as *authStore) UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error) {
auth: remove "strings.Compare == 0" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-05-01 01:10:56 +03:00
if as.enabled && r.Name == rootUser && r.Role == rootRole {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn(
"'root' user cannot revoke 'root' role",
zap.String("user-name", r.Name),
zap.String("role-name", r.Role),
)
} else {
plog.Errorf("the role root must not be revoked from the user root")
}
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
return nil, ErrInvalidAuthMgmt
}
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, r.Name)
auth: add getuser
2016-06-08 08:42:39 +03:00
if user == nil {
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
return nil, ErrUserNotFound
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
updatedUser := &authpb.User{
Name: user.Name,
Password: user.Password,
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
Options: user.Options,
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
}
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
for _, role := range user.Roles {
auth: remove "strings.Compare == 0" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-05-01 01:10:56 +03:00
if role != r.Role {
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
updatedUser.Roles = append(updatedUser.Roles, role)
}
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
if len(updatedUser.Roles) == len(user.Roles) {
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
return nil, ErrRoleNotGranted
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putUser(as.lg, tx, updatedUser)
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
as.invalidateCachedPerm(r.Name)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info(
"revoked a role from a user",
zap.String("user-name", r.Name),
zap.Strings("old-user-roles", user.Roles),
zap.Strings("new-user-roles", updatedUser.Roles),
zap.String("revoked-role-name", r.Role),
)
} else {
plog.Noticef("revoked role %s from user %s", r.Role, r.Name)
}
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
return &pb.AuthUserRevokeRoleResponse{}, nil
*: support revoking a role from a user in auth v3 This commit implements UserRevoke() RPC for supporting revoking a role from a user in auth v3. It also adds a new subcommand "user revoke" to etcdctl.
2016-06-03 10:38:59 +03:00
}
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
func (as *authStore) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
var resp pb.AuthRoleGetResponse
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Role)
if role == nil {
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
return nil, ErrRoleNotFound
}
auth: fix gosimple errors
2016-12-09 23:05:19 +03:00
resp.Perm = append(resp.Perm, role.KeyPermission...)
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d
2016-06-02 17:25:15 +03:00
return &resp, nil
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
func (as *authStore) RoleList(r *pb.AuthRoleListRequest) (*pb.AuthRoleListResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
roles := getAllRoles(as.lg, tx)
auth: clean up mutex lock/unlocks Only hold locks when needed. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:26:20 +03:00
tx.Unlock()
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
resp := &pb.AuthRoleListResponse{Roles: make([]string, len(roles))}
for i := range roles {
resp.Roles[i] = string(roles[i].Name)
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
return resp, nil
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
func (as *authStore) RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest) (*pb.AuthRoleRevokePermissionResponse, error) {
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Role)
if role == nil {
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
return nil, ErrRoleNotFound
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
updatedRole := &authpb.Role{
Name: role.Name,
}
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
for _, perm := range role.KeyPermission {
auth: fix "unconvert" warnings Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 23:55:44 +03:00
if !bytes.Equal(perm.Key, r.Key) || !bytes.Equal(perm.RangeEnd, r.RangeEnd) {
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
updatedRole.KeyPermission = append(updatedRole.KeyPermission, perm)
}
}
auth: cleanup store.go
2016-06-11 00:19:29 +03:00
if len(role.KeyPermission) == len(updatedRole.KeyPermission) {
auth, etcdserver: error codes for revoking non existing role and permission This commit adds error codes for representing revoking non existing role (from user) and permission (from role).
2016-06-05 10:41:10 +03:00
return nil, ErrPermissionNotGranted
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putRole(as.lg, tx, updatedRole)
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
// TODO(mitake): currently single role update invalidates every cache
// It should be optimized.
as.clearCachedPerm()
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info(
"revoked a permission on range",
zap.String("role-name", r.Role),
zap.String("key", string(r.Key)),
zap.String("range-end", string(r.RangeEnd)),
)
} else {
plog.Noticef("revoked key %s from role %s", r.Key, r.Role)
}
*: rename RPCs and structs related to revoking This commit renames RPCs and structs related to revoking. 1. UserRevoke -> UserRevokeRole 2. RoleRevoke -> RoleRevokePermission
2016-06-05 10:57:23 +03:00
return &pb.AuthRoleRevokePermissionResponse{}, nil
*: support revoking a key from a role in auth v3 This commit implements RoleRevoke() RPC for supporting revoking a key from a role in auth v3. It also adds a new subcommand "role revoke" to etcdctl.
2016-06-03 11:10:08 +03:00
}
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
func (as *authStore) RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error) {
auth: remove "strings.Compare == 0" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-05-01 01:10:56 +03:00
if as.enabled && r.Role == rootRole {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn("cannot delete 'root' role", zap.String("role-name", r.Role))
} else {
plog.Errorf("the role root must not be deleted")
}
auth, etcdserver: forbid invalid auth management If auth is enabled, 1. deleting the user root 2. revoking the role root from the user root must not be allowed. This commit forbids them.
2017-03-17 10:04:56 +03:00
return nil, ErrInvalidAuthMgmt
}
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Role)
if role == nil {
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
return nil, ErrRoleNotFound
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
delRole(tx, r.Role)
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
users := getAllUsers(as.lg, tx)
*: revoke a deleted role This commit resolves a TODO of auth store: Current scheme of role deletion allows existing users to have the deleted roles. Assume a case like below: create a role r1 create a user u1 and grant r1 to u1 delete r1 After this sequence, u1 is still granted the role r1. So if admin create a new role with the name r1, The new r1 is automatically granted u1. In some cases, it would be confusing. So we need to revoke the deleted role from all users.
2017-03-17 09:18:40 +03:00
for _, user := range users {
updatedUser := &authpb.User{
Name: user.Name,
Password: user.Password,
*: support creating a user without password This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix https://github.com/coreos/etcd/issues/9590
2018-06-06 10:18:28 +03:00
Options: user.Options,
*: revoke a deleted role This commit resolves a TODO of auth store: Current scheme of role deletion allows existing users to have the deleted roles. Assume a case like below: create a role r1 create a user u1 and grant r1 to u1 delete r1 After this sequence, u1 is still granted the role r1. So if admin create a new role with the name r1, The new r1 is automatically granted u1. In some cases, it would be confusing. So we need to revoke the deleted role from all users.
2017-03-17 09:18:40 +03:00
}
for _, role := range user.Roles {
auth: remove "strings.Compare == 0" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-05-01 01:10:56 +03:00
if role != r.Role {
*: revoke a deleted role This commit resolves a TODO of auth store: Current scheme of role deletion allows existing users to have the deleted roles. Assume a case like below: create a role r1 create a user u1 and grant r1 to u1 delete r1 After this sequence, u1 is still granted the role r1. So if admin create a new role with the name r1, The new r1 is automatically granted u1. In some cases, it would be confusing. So we need to revoke the deleted role from all users.
2017-03-17 09:18:40 +03:00
updatedUser.Roles = append(updatedUser.Roles, role)
}
}
if len(updatedUser.Roles) == len(user.Roles) {
continue
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putUser(as.lg, tx, updatedUser)
*: revoke a deleted role This commit resolves a TODO of auth store: Current scheme of role deletion allows existing users to have the deleted roles. Assume a case like below: create a role r1 create a user u1 and grant r1 to u1 delete r1 After this sequence, u1 is still granted the role r1. So if admin create a new role with the name r1, The new r1 is automatically granted u1. In some cases, it would be confusing. So we need to revoke the deleted role from all users.
2017-03-17 09:18:40 +03:00
as.invalidateCachedPerm(string(user.Name))
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info("deleted a role", zap.String("role-name", r.Role))
} else {
plog.Noticef("deleted role %s", r.Role)
}
*: support deleting a role in auth v3 This commit implements RoleDelete() RPC for supporting deleting a role in auth v3. It also adds a new subcommand "role delete" to etcdctl.
2016-06-03 11:33:05 +03:00
return &pb.AuthRoleDeleteResponse{}, nil
}
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
func (as *authStore) RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse, error) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Name)
if role != nil {
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
return nil, ErrRoleAlreadyExist
}
newRole := &authpb.Role{
Name: []byte(r.Name),
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putRole(as.lg, tx, newRole)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info("created a role", zap.String("role-name", r.Name))
} else {
plog.Noticef("Role %s is created", r.Name)
}
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
return &pb.AuthRoleAddResponse{}, nil
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
func (as *authStore) authInfoFromToken(ctx context.Context, token string) (*AuthInfo, bool) {
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
return as.tokenProvider.info(ctx, token, as.Revision())
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
type permSlice []*authpb.Permission
func (perms permSlice) Len() int {
return len(perms)
}
func (perms permSlice) Less(i, j int) bool {
return bytes.Compare(perms[i].Key, perms[j].Key) < 0
}
func (perms permSlice) Swap(i, j int) {
perms[i], perms[j] = perms[j], perms[i]
}
auth: make naming consistent
2016-06-07 06:17:28 +03:00
func (as *authStore) RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (*pb.AuthRoleGrantPermissionResponse, error) {
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: add getRole
2016-06-10 20:59:34 +03:00
role := getRole(tx, r.Name)
if role == nil {
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
return nil, ErrRoleNotFound
}
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
idx := sort.Search(len(role.KeyPermission), func(i int) bool {
auth: fix "unconvert" warnings Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 23:55:44 +03:00
return bytes.Compare(role.KeyPermission[i].Key, r.Perm.Key) >= 0
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
})
*: support granting and revoking range This commit adds a feature for granting and revoking range of keys, not a single key. Example: $ ETCDCTL_API=3 bin/etcdctl role grant r1 readwrite k1 k3 Role r1 updated $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: [a, b) [k1, k3) [k2, k4) KV Write: [a, b) [k1, k3) [k2, k4) $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k4 k1 v1 $ ETCDCTL_API=3 bin/etcdctl --user u1:p get k1 k5 Error: etcdserver: permission denied
2016-06-08 21:52:57 +03:00
if idx < len(role.KeyPermission) && bytes.Equal(role.KeyPermission[idx].Key, r.Perm.Key) && bytes.Equal(role.KeyPermission[idx].RangeEnd, r.Perm.RangeEnd) {
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
// update existing permission
role.KeyPermission[idx].PermType = r.Perm.PermType
} else {
// append new permission to the role
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
newPerm := &authpb.Permission{
auth: fix "unconvert" warnings Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 23:55:44 +03:00
Key: r.Perm.Key,
RangeEnd: r.Perm.RangeEnd,
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
PermType: r.Perm.PermType,
}
role.KeyPermission = append(role.KeyPermission, newPerm)
auth: sort key permissions of role struct for effective searching
2016-04-12 08:14:15 +03:00
sort.Sort(permSlice(role.KeyPermission))
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
putRole(as.lg, tx, role)
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
// TODO(mitake): currently single role update invalidates every cache
// It should be optimized.
as.clearCachedPerm()
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as.commitRevision(tx)
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Info(
"granted/updated a permission to a user",
zap.String("user-name", r.Name),
zap.String("permission-name", authpb.Permission_Type_name[int32(r.Perm.PermType)]),
)
} else {
plog.Noticef("role %s's permission of key %s is updated as %s", r.Name, r.Perm.Key, authpb.Permission_Type_name[int32(r.Perm.PermType)])
}
auth: make naming consistent
2016-06-07 06:17:28 +03:00
return &pb.AuthRoleGrantPermissionResponse{}, nil
*: support granting key permission to role in v3 auth
2016-04-05 09:42:38 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) isOpPermitted(userName string, revision uint64, key, rangeEnd []byte, permTyp authpb.Permission_Type) error {
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
// TODO(mitake): this function would be costly so we need a caching mechanism
auth: add "IsAuthEnabled" method Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-02-28 02:37:01 +03:00
if !as.IsAuthEnabled() {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
}
auth: reject empty user name when checking op permissions Passing AuthInfo{} to permission checking was causing an infinite loop because it would always return an old revision error. Fixes #7124
2017-01-10 02:27:09 +03:00
// only gets rev == 0 when passed AuthInfo{}; no user given
if revision == 0 {
return ErrUserEmpty
}
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
if revision < as.Revision() {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return ErrAuthOldRevision
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
user := getUser(as.lg, tx, userName)
auth: add getuser
2016-06-08 08:42:39 +03:00
if user == nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn("cannot find a user for permission check", zap.String("user-name", userName))
} else {
plog.Errorf("invalid user name %s for permission checking", userName)
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return ErrPermissionDenied
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, e2e, clientv3: the root role should be granted access to every key This commit changes the semantics of the root role. The role should be able to access to every key. Partially fixes https://github.com/coreos/etcd/issues/6355
2016-09-06 05:32:25 +03:00
// root role should have permission on all ranges
if hasRootRole(user) {
return nil
}
auth, adt: introduce a new type BytesAffineComparable It will be useful for avoiding a cost of casting from string to []byte. The permission checker is the first user of the type.
2017-04-05 05:41:17 +03:00
if as.isRangeOpPermitted(tx, userName, key, rangeEnd, permTyp) {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
auth, etcdserver: permission of range requests Currently the auth mechanism doesn't support permissions of range request. It just checks exact matching of key names even for range queries. This commit adds a mechanism for setting permission to range queries. Range queries are allowed if a range of the query is [begin1, end1) and the user has a permission of reading [begin2, range2) and [begin1, end2) is a subset of [begin2, range2). Range delete requests will follow the same rule.
2016-06-07 21:45:29 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return ErrPermissionDenied
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsPutPermitted(authInfo *AuthInfo, key []byte) error {
return as.isOpPermitted(authInfo.Username, authInfo.Revision, key, nil, authpb.WRITE)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error {
return as.isOpPermitted(authInfo.Username, authInfo.Revision, key, rangeEnd, authpb.READ)
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsDeleteRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error {
return as.isOpPermitted(authInfo.Username, authInfo.Revision, key, rangeEnd, authpb.WRITE)
*: support deleteRange perm checking
2016-06-14 03:19:59 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) IsAdminPermitted(authInfo *AuthInfo) error {
auth: add "IsAuthEnabled" method Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-02-28 02:37:01 +03:00
if !as.IsAuthEnabled() {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
*: add admin permission checking
2016-06-09 23:40:26 +03:00
}
auth: nil check AuthInfo when checking admin permissions If the context does not include auth information, get authinfo will return a nil auth info and a nil error. This is then passed to IsAdminPermitted, which would dereference the nil auth info.
2017-03-10 22:07:11 +03:00
if authInfo == nil {
return ErrUserEmpty
}
*: add admin permission checking
2016-06-09 23:40:26 +03:00
tx := as.be.BatchTx()
tx.Lock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
u := getUser(as.lg, tx, authInfo.Username)
auth: clean up mutex lock/unlocks Only hold locks when needed. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:26:20 +03:00
tx.Unlock()
*: add admin permission checking
2016-06-09 23:40:26 +03:00
if u == nil {
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return ErrUserNotFound
}
if !hasRootRole(u) {
return ErrPermissionDenied
*: add admin permission checking
2016-06-09 23:40:26 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
return nil
*: add admin permission checking
2016-06-09 23:40:26 +03:00
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
func getUser(lg *zap.Logger, tx backend.BatchTx, username string) *authpb.User {
auth: add getuser
2016-06-08 08:42:39 +03:00
_, vs := tx.UnsafeRange(authUsersBucketName, []byte(username), nil, 0)
if len(vs) == 0 {
return nil
}
user := &authpb.User{}
err := user.Unmarshal(vs[0])
if err != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if lg != nil {
lg.Panic(
"failed to unmarshal 'authpb.User'",
zap.String("user-name", username),
zap.Error(err),
)
} else {
plog.Panicf("failed to unmarshal user struct (name: %s): %s", username, err)
}
auth: add getuser
2016-06-08 08:42:39 +03:00
}
return user
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
func getAllUsers(lg *zap.Logger, tx backend.BatchTx) []*authpb.User {
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
_, vs := tx.UnsafeRange(authUsersBucketName, []byte{0}, []byte{0xff}, -1)
if len(vs) == 0 {
return nil
}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
users := make([]*authpb.User, len(vs))
for i := range vs {
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
user := &authpb.User{}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
err := user.Unmarshal(vs[i])
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
if err != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if lg != nil {
lg.Panic("failed to unmarshal 'authpb.User'", zap.Error(err))
} else {
plog.Panicf("failed to unmarshal user struct: %s", err)
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
users[i] = user
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
return users
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
func putUser(lg *zap.Logger, tx backend.BatchTx, user *authpb.User) {
auth: add put_user
2016-06-10 21:27:42 +03:00
b, err := user.Marshal()
if err != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if lg != nil {
lg.Panic("failed to unmarshal 'authpb.User'", zap.Error(err))
} else {
plog.Panicf("failed to marshal user struct (name: %s): %s", user.Name, err)
}
auth: add put_user
2016-06-10 21:27:42 +03:00
}
tx.UnsafePut(authUsersBucketName, user.Name, b)
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
func delUser(tx backend.BatchTx, username string) {
tx.UnsafeDelete(authUsersBucketName, []byte(username))
}
auth: add getRole
2016-06-10 20:59:34 +03:00
func getRole(tx backend.BatchTx, rolename string) *authpb.Role {
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(rolename), nil, 0)
if len(vs) == 0 {
return nil
}
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
plog.Panicf("failed to unmarshal role struct (name: %s): %s", rolename, err)
}
return role
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
func getAllRoles(lg *zap.Logger, tx backend.BatchTx) []*authpb.Role {
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
_, vs := tx.UnsafeRange(authRolesBucketName, []byte{0}, []byte{0xff}, -1)
if len(vs) == 0 {
return nil
}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
roles := make([]*authpb.Role, len(vs))
for i := range vs {
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
role := &authpb.Role{}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
err := role.Unmarshal(vs[i])
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
if err != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if lg != nil {
lg.Panic("failed to unmarshal 'authpb.Role'", zap.Error(err))
} else {
plog.Panicf("failed to unmarshal role struct: %s", err)
}
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
auth: pre-allocate slices in store Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:16:15 +03:00
roles[i] = role
*: support getting all users and roles in auth v3 This commit expands RPCs for getting user and role and support list up all users and roles. etcdctl v3 is now support getting all users and roles with the newly added option --all e.g. etcdctl user get --all
2016-06-15 09:11:27 +03:00
}
return roles
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
func putRole(lg *zap.Logger, tx backend.BatchTx, role *authpb.Role) {
auth: add put role
2016-06-10 23:20:48 +03:00
b, err := role.Marshal()
if err != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if lg != nil {
lg.Panic(
"failed to marshal 'authpb.Role'",
zap.String("role-name", string(role.Name)),
zap.Error(err),
)
} else {
plog.Panicf("failed to marshal role struct (name: %s): %s", role.Name, err)
}
auth: add put role
2016-06-10 23:20:48 +03:00
}
auth: fix "unconvert" warnings Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 23:55:44 +03:00
tx.UnsafePut(authRolesBucketName, role.Name, b)
auth: add put role
2016-06-10 23:20:48 +03:00
}
auth: add del functions for user/role
2016-06-11 00:11:00 +03:00
func delRole(tx backend.BatchTx, rolename string) {
tx.UnsafeDelete(authRolesBucketName, []byte(rolename))
}
auth: add "IsAuthEnabled" method Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-02-28 02:37:01 +03:00
func (as *authStore) IsAuthEnabled() bool {
*: do permission check in raft log apply phase This commit lets etcdserver check permission during its log applying phase. With this change, permission checking of operations is supported. Currently, put and range are supported. In addition, multi key permission check of range isn't supported yet.
2016-05-17 09:20:50 +03:00
as.enabledMu.RLock()
defer as.enabledMu.RUnlock()
return as.enabled
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
// NewAuthStore creates a new AuthStore.
*: make bcrypt-cost configurable
2018-05-03 21:43:32 +03:00
func NewAuthStore(lg *zap.Logger, be backend.Backend, tp TokenProvider, bcryptCost int) *authStore {
if bcryptCost < bcrypt.MinCost || bcryptCost > bcrypt.MaxCost {
if lg != nil {
lg.Warn(
"use default bcrypt cost instead of the invalid given cost",
zap.Int("min-cost", bcrypt.MinCost),
zap.Int("max-cost", bcrypt.MaxCost),
zap.Int("default-cost", bcrypt.DefaultCost),
zap.Int("given-cost", bcryptCost))
} else {
plog.Warningf("Use default bcrypt-cost %d instead of the invalid value %d",
bcrypt.DefaultCost, bcryptCost)
}
bcryptCost = bcrypt.DefaultCost
}
auth, etcdserver: add a method for recoverying from backend during apply snapshot This commit adds a new method Recovery() to auth.AuthStore for recoverying auth state from backend during apply snapshot. It follows a manner of the lessor.
2016-03-21 16:43:41 +03:00
tx := be.BatchTx()
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
tx.Lock()
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
tx.UnsafeCreateBucket(authBucketName)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
tx.UnsafeCreateBucket(authUsersBucketName)
*: support adding role in auth v3
2016-04-01 05:07:43 +03:00
tx.UnsafeCreateBucket(authRolesBucketName)
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation:
2016-03-23 07:25:48 +03:00
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
enabled := false
_, vs := tx.UnsafeRange(authBucketName, enableFlagKey, nil, 0)
if len(vs) == 1 {
if bytes.Equal(vs[0], authEnabled) {
enabled = true
}
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
as := &authStore{
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
revision: getRevision(tx),
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
lg: lg,
be: be,
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
enabled: enabled,
rangePermCache: make(map[string]*unifiedRangePermissions),
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
tokenProvider: tp,
*: make bcrypt-cost configurable
2018-05-03 21:43:32 +03:00
bcryptCost: bcryptCost,
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
}
if enabled {
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
as.tokenProvider.enable()
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
if as.Revision() == 0 {
auth: keep old revision in 'NewAuthStore' When there's no changes yet (right after auth store initialization), we should commit old revision. Fix https://github.com/coreos/etcd/issues/7359.
2017-02-22 01:37:15 +03:00
as.commitRevision(tx)
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
tx.Unlock()
be.ForceCommit()
return as
etcdserver, auth: new package auth for the auth feature This commit adds a new package auth. Its role is persisting auth related metadata. This commit also connects its main interface AuthStore and v3 server.
2016-03-08 11:31:48 +03:00
}
*: add admin permission checking
2016-06-09 23:40:26 +03:00
func hasRootRole(u *authpb.User) bool {
auth: use binary search for checking root permission authpb.User.Roles is sorted so we don't need a linear search for checking the user has a root role or not.
2017-10-11 11:37:31 +03:00
// u.Roles is sorted in UserGrantRole(), so we can use binary search.
idx := sort.SearchStrings(u.Roles, rootRole)
return idx != len(u.Roles) && u.Roles[idx] == rootRole
*: add admin permission checking
2016-06-09 23:40:26 +03:00
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) commitRevision(tx backend.BatchTx) {
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
atomic.AddUint64(&as.revision, 1)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
revBytes := make([]byte, revBytesLen)
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
binary.BigEndian.PutUint64(revBytes, as.Revision())
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
tx.UnsafePut(authBucketName, revisionKey, revBytes)
}
func getRevision(tx backend.BatchTx) uint64 {
auth: fix "unconvert" warnings Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 23:55:44 +03:00
_, vs := tx.UnsafeRange(authBucketName, revisionKey, nil, 0)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
if len(vs) != 1 {
auth: correct initialization in NewAuthStore() Because of my own silly mistake, current NewAuthStore() doesn't initialize authStore in a correct manner. For example, after recovery from snapshot, it cannot revive the flag of enabled/disabled. This commit fixes the problem. Fix https://github.com/coreos/etcd/issues/7165
2017-02-01 11:47:09 +03:00
// this can happen in the initialization phase
return 0
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
}
return binary.BigEndian.Uint64(vs[0])
}
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
func (as *authStore) setRevision(rev uint64) {
atomic.StoreUint64(&as.revision, rev)
}
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
func (as *authStore) Revision() uint64 {
auth: use atomic access to 'authStore.revision' Fix https://github.com/coreos/etcd/issues/7660. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 21:58:49 +03:00
return atomic.LoadUint64(&as.revision)
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem This commit introduces revision of authStore. The revision number represents a version of authStore that is incremented by updating auth related information. The revision is required for avoiding TOCTOU problems. Currently there are two types of the TOCTOU problems in v3 auth. The first one is in ordinal linearizable requests with a sequence like below (): 1. Request from client CA is processed in follower FA. FA looks up the username (let it U) for the request from a token of the request. At this time, the request is authorized correctly. 2. Another request from client CB is processed in follower FB. CB is for changing U's password. 3. FB forwards the request from CB to the leader before FA. Now U's password is updated and the request from CA should be rejected. 4. However, the request from CA is processed by the leader because authentication is already done in FA. For avoiding the above sequence, this commit lets etcdserverpb.RequestHeader have a member revision. The member is initialized during authentication by followers and checked in a leader. If the revision in RequestHeader is lower than the leader's authStore revision, it means a sequence like above happened. In such a case, the state machine returns auth.ErrAuthRevisionObsolete. The error code lets nodes retry their requests. The second one, a case of serializable range and txn, is more subtle. Because these requests are processed in follower directly. The TOCTOU problem can be caused by a sequence like below: 1. Serializable request from client CA is processed in follower FA. At first, FA looks up the username (let it U) and its permission before actual access to KV. 2. Another request from client CB is processed in follower FB and forwarded to the leader. The cluster including FA now commits a log entry of the request from CB. Assume the request changed the permission or password of U. 3. Now the serializable request from CA is accessing to KV. Even if the access is allowed at the point of 1, now it can be invalid because of the change introduced in 2. For avoiding the above sequence, this commit lets the functions of serializable requests (EtcdServer.Range() and EtcdServer.Txn()) compare the revision in the request header with the latest revision of authStore after the actual access. If the saved revision is lower than the latest one, it means the permission can be changed. Although it would introduce false positives (e.g. changing other user's password), it prevents the TOCTOU problem. This idea is an implementation of Anthony's comment: https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
}
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
auth: break TLS VerifiedChains for-loop early Fix "auth/store.go:1147:4: the surrounding loop is unconditionally terminated (SA4004)" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 20:33:59 +03:00
func (as *authStore) AuthInfoFromTLS(ctx context.Context) (ai *AuthInfo) {
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
peer, ok := peer.FromContext(ctx)
if !ok || peer == nil || peer.AuthInfo == nil {
return nil
}
tlsInfo := peer.AuthInfo.(credentials.TLSInfo)
for _, chains := range tlsInfo.State.VerifiedChains {
auth: break TLS VerifiedChains for-loop early Fix "auth/store.go:1147:4: the surrounding loop is unconditionally terminated (SA4004)" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 20:33:59 +03:00
if len(chains) < 1 {
continue
}
ai = &AuthInfo{
Username: chains[0].Subject.CommonName,
Revision: as.Revision(),
}
auth: disable CommonName auth for gRPC-gateway Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
2019-01-02 23:54:40 +03:00
md, ok := metadata.FromIncomingContext(ctx)
if !ok {
return nil
}
// gRPC-gateway proxy request to etcd server includes Grpcgateway-Accept
// header. The proxy uses etcd client server certificate. If the certificate
// has a CommonName we should never use this for authentication.
if gw := md["grpcgateway-accept"]; len(gw) > 0 {
if as.lg != nil {
as.lg.Warn(
"ignoring common name in gRPC-gateway proxy request",
zap.String("common-name", ai.Username),
zap.String("user-name", ai.Username),
zap.Uint64("revision", ai.Revision),
)
} else {
plog.Warningf("ignoring common name in gRPC-gateway proxy request %s", ai.Username)
}
return nil
}
auth: break TLS VerifiedChains for-loop early Fix "auth/store.go:1147:4: the surrounding loop is unconditionally terminated (SA4004)" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 20:33:59 +03:00
if as.lg != nil {
as.lg.Debug(
"found command name",
zap.String("common-name", ai.Username),
zap.String("user-name", ai.Username),
zap.Uint64("revision", ai.Revision),
)
} else {
plog.Debugf("found common name %s", ai.Username)
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
}
auth: break TLS VerifiedChains for-loop early Fix "auth/store.go:1147:4: the surrounding loop is unconditionally terminated (SA4004)" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 20:33:59 +03:00
break
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
}
auth: break TLS VerifiedChains for-loop early Fix "auth/store.go:1147:4: the surrounding loop is unconditionally terminated (SA4004)" Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-30 20:33:59 +03:00
return ai
auth, etcdserver: authenticate clients based on certificate CommonName This commit lets v3 auth mechanism authenticate clients based on CommonName of certificate like v2 auth.
2016-11-21 07:47:29 +03:00
}
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
func (as *authStore) AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error) {
*: use metadata Incoming/OutgoingContext Fix https://github.com/coreos/etcd/issues/7888. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-05-08 18:10:58 +03:00
md, ok := metadata.FromIncomingContext(ctx)
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
if !ok {
return nil, nil
}
auth: support "authorization" token for grpc-gateway
2017-06-10 18:58:39 +03:00
//TODO(mitake|hexfusion) review unifying key names
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
ts, ok := md[rpctypes.TokenFieldNameGRPC]
auth: support "authorization" token for grpc-gateway
2017-06-10 18:58:39 +03:00
if !ok {
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
ts, ok = md[rpctypes.TokenFieldNameSwagger]
auth: support "authorization" token for grpc-gateway
2017-06-10 18:58:39 +03:00
}
if !ok {
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
return nil, nil
}
token := ts[0]
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
authInfo, uok := as.authInfoFromToken(ctx, token)
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
if !uok {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn("invalid auth token", zap.String("token", token))
} else {
plog.Warningf("invalid auth token: %s", token)
}
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
return nil, ErrInvalidAuthToken
}
auth: support "authorization" token for grpc-gateway
2017-06-10 18:58:39 +03:00
auth, etcdserver: let maintenance services require root role This commit lets maintenance services require root privilege. It also moves AuthInfoFromCtx() from etcdserver to auth pkg for cleaning purpose.
2016-11-24 10:34:29 +03:00
return authInfo, nil
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
func (as *authStore) GenTokenPrefix() (string, error) {
return as.tokenProvider.genTokenPrefix()
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
func decomposeOpts(lg *zap.Logger, optstr string) (string, map[string]string, error) {
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
opts := strings.Split(optstr, ",")
tokenType := opts[0]
typeSpecificOpts := make(map[string]string)
for i := 1; i < len(opts); i++ {
pair := strings.Split(opts[i], "=")
if len(pair) != 2 {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if lg != nil {
lg.Warn("invalid token option", zap.String("option", optstr))
} else {
plog.Errorf("invalid token specific option: %s", optstr)
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
return "", nil, ErrInvalidAuthOpts
}
if _, ok := typeSpecificOpts[pair[0]]; ok {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if lg != nil {
lg.Warn(
"invalid token option",
zap.String("option", optstr),
zap.String("duplicate-parameter", pair[0]),
)
} else {
plog.Errorf("invalid token specific option, duplicated parameters (%s): %s", pair[0], optstr)
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
return "", nil, ErrInvalidAuthOpts
}
typeSpecificOpts[pair[0]] = pair[1]
}
return tokenType, typeSpecificOpts, nil
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
// NewTokenProvider creates a new token provider.
func NewTokenProvider(
lg *zap.Logger,
tokenOpts string,
indexWaiter func(uint64) <-chan struct{}) (TokenProvider, error) {
tokenType, typeSpecificOpts, err := decomposeOpts(lg, tokenOpts)
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
if err != nil {
return nil, ErrInvalidAuthOpts
}
switch tokenType {
auth: fix panic using WithRoot and improve JWT coverage
2018-05-04 23:16:39 +03:00
case tokenTypeSimple:
auth: support structured logger Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-16 13:59:26 +03:00
if lg != nil {
lg.Warn("simple token is not cryptographically signed")
} else {
plog.Warningf("simple token is not cryptographically signed")
}
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
return newTokenProviderSimple(lg, indexWaiter), nil
auth: fix panic using WithRoot and improve JWT coverage
2018-05-04 23:16:39 +03:00
case tokenTypeJWT:
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
return newTokenProviderJWT(lg, typeSpecificOpts)
auth: a new auth token provider nop This commit adds a new auth token provider named nop. The nop provider refuses every Authenticate() request so CN based authentication can only be allowed. If the tokenOpts parameter of auth.NewTokenProvider() is empty, the provider will be used.
2018-02-27 10:05:27 +03:00
case "":
return newTokenProviderNop()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
default:
auth: support structured logger Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-16 13:59:26 +03:00
if lg != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
lg.Warn(
"unknown token type",
zap.String("type", tokenType),
zap.Error(ErrInvalidAuthOpts),
)
auth: support structured logger Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-16 13:59:26 +03:00
} else {
plog.Errorf("unknown token type: %s", tokenType)
}
*: support jwt token in v3 auth API This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
2016-07-21 08:13:57 +03:00
return nil, ErrInvalidAuthOpts
}
}
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
func (as *authStore) WithRoot(ctx context.Context) context.Context {
auth: add "IsAuthEnabled" method Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-02-28 02:37:01 +03:00
if !as.IsAuthEnabled() {
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
return ctx
}
var ctxForAssign context.Context
auth: fix panic using WithRoot and improve JWT coverage
2018-05-04 23:16:39 +03:00
if ts, ok := as.tokenProvider.(*tokenSimple); ok && ts != nil {
auth, etcdserver: follow the correct usage of context The keys of context shouldn't be string. They should be a struct of their own type. Fix https://github.com/coreos/etcd/issues/8826
2017-11-21 09:00:13 +03:00
ctx1 := context.WithValue(ctx, AuthenticateParamIndex{}, uint64(0))
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
prefix, err := ts.genTokenPrefix()
if err != nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn(
"failed to generate prefix of internally used token",
zap.Error(err),
)
} else {
plog.Errorf("failed to generate prefix of internally used token")
}
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
return ctx
}
auth, etcdserver: follow the correct usage of context The keys of context shouldn't be string. They should be a struct of their own type. Fix https://github.com/coreos/etcd/issues/8826
2017-11-21 09:00:13 +03:00
ctxForAssign = context.WithValue(ctx1, AuthenticateParamSimpleTokenPrefix{}, prefix)
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
} else {
ctxForAssign = ctx
}
token, err := as.tokenProvider.assign(ctxForAssign, "root", as.Revision())
if err != nil {
// this must not happen
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn(
"failed to assign token for lease revoking",
zap.Error(err),
)
} else {
plog.Errorf("failed to assign token for lease revoking: %s", err)
}
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
return ctx
}
mdMap := map[string]string{
*: don't use string literals directly in grpc metadata Current etcd code uses the string literals ("token", "authorization") as field names of grpc and swappger metadata for passing token. It is difficult to maintain so this commit introduces new constants for the purpose.
2017-10-11 11:03:24 +03:00
rpctypes.TokenFieldNameGRPC: token,
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
}
tokenMD := metadata.New(mdMap)
auth: use NewIncomingContext for "WithRoot" "WithRoot" is only used within local node, and "AuthInfoFromCtx" expects token from incoming context. Embed token with "NewIncomingContext" so that token can be found in "AuthInfoFromCtx". Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2017-12-15 07:07:46 +03:00
// use "mdIncomingKey{}" since it's called from local etcdserver
return metadata.NewIncomingContext(ctx, tokenMD)
auth, etcdserver: protect revoking lease with auth Currently clients can revoke any lease without permission. This commit lets etcdserver protect revoking with write permission. This commit adds a mechanism for generating internal token. It is used for indicating that LeaseRevoke was issued internally so it should be able to delete any attached keys.
2017-06-05 10:20:09 +03:00
}
auth, etcdserver: allow users to know their roles and permissions Current UserGet() and RoleGet() RPCs require admin permission. It means that users cannot know which roles they belong to and what permissions the roles have. This commit change the semantics and now users can know their roles and permissions.
2017-06-23 08:40:37 +03:00
func (as *authStore) HasRole(user, role string) bool {
tx := as.be.BatchTx()
tx.Lock()
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
u := getUser(as.lg, tx, user)
auth: clean up mutex lock/unlocks Only hold locks when needed. Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-06 20:26:20 +03:00
tx.Unlock()
auth, etcdserver: allow users to know their roles and permissions Current UserGet() and RoleGet() RPCs require admin permission. It means that users cannot know which roles they belong to and what permissions the roles have. This commit change the semantics and now users can know their roles and permissions.
2017-06-23 08:40:37 +03:00
if u == nil {
auth: support structured logging Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-04-28 00:07:22 +03:00
if as.lg != nil {
as.lg.Warn(
"'has-role' requested for non-existing user",
zap.String("user-name", user),
zap.String("role-name", role),
)
} else {
plog.Warningf("tried to check user %s has role %s, but user %s doesn't exist", user, role, user)
}
auth, etcdserver: allow users to know their roles and permissions Current UserGet() and RoleGet() RPCs require admin permission. It means that users cannot know which roles they belong to and what permissions the roles have. This commit change the semantics and now users can know their roles and permissions.
2017-06-23 08:40:37 +03:00
return false
}
for _, r := range u.Roles {
if role == r {
return true
}
}
return false
}
*: make bcrypt-cost configurable
2018-05-03 21:43:32 +03:00
func (as *authStore) BcryptCost() int {
return as.bcryptCost
}