Merge pull request #5623 from xiang90/get_role

auth: add getRole
release-3.0
Xiang Li 2016-06-10 11:17:59 -07:00 committed by GitHub
commit 247103c40b
2 changed files with 30 additions and 51 deletions


@ -85,17 +85,9 @@ func (as *authStore) makeUnifiedPerms(tx backend.BatchTx, userName string) *unif
var readPerms, writePerms []*rangePerm var readPerms, writePerms []*rangePerm
for _, roleName := range user.Roles { for _, roleName := range user.Roles {
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(roleName), nil, 0) role := getRole(tx, roleName)
if len(vs) != 1 { if role == nil {
plog.Errorf("invalid role name %s", roleName) continue
return nil
}
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
plog.Errorf("failed to unmarshal a role %s: %s", roleName, err)
return nil
} }
for _, perm := range role.KeyPermission { for _, perm := range role.KeyPermission {
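Review bot: The `continue` in the `role == nil` branch removes the only log line for a role name that the user record lists but the role bucket does not hold, so a dangling grant is now skipped silently; the isOpPermitted hunk in the other file section makes the same change. Skipping grants nothing from the missing role, but if the name stays in `user.Roles` (whether RoleDelete removes it from users is not visible here), a role created later under the same name would apply to this user without a new grant. I would keep the signal, e.g. `plog.Errorf("role %s granted to user %s does not exist", roleName, userName)` before the `continue`. The loop body and the rest of makeUnifiedPerms continue outside the hunk.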


@ -411,17 +411,11 @@ func (as *authStore) RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse,
tx.Lock() tx.Lock()
defer tx.Unlock() defer tx.Unlock()
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Role), nil, 0) role := getRole(tx, r.Role)
if len(vs) != 1 { if role == nil {
return nil, ErrRoleNotFound return nil, ErrRoleNotFound
} }
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
return nil, err
}
var resp pb.AuthRoleGetResponse var resp pb.AuthRoleGetResponse
for _, perm := range role.KeyPermission { for _, perm := range role.KeyPermission {
resp.Perm = append(resp.Perm, perm) resp.Perm = append(resp.Perm, perm)
@ -435,17 +429,11 @@ func (as *authStore) RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest)
tx.Lock() tx.Lock()
defer tx.Unlock() defer tx.Unlock()
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Role), nil, 0) role := getRole(tx, r.Role)
if len(vs) != 1 { if role == nil {
return nil, ErrRoleNotFound return nil, ErrRoleNotFound
} }
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
return nil, err
}
updatedRole := &authpb.Role{} updatedRole := &authpb.Role{}
updatedRole.Name = role.Name updatedRole.Name = role.Name
@ -494,8 +482,8 @@ func (as *authStore) RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDelete
tx.Lock() tx.Lock()
defer tx.Unlock() defer tx.Unlock()
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Role), nil, 0) role := getRole(tx, r.Role)
if len(vs) != 1 { if role == nil {
return nil, ErrRoleNotFound return nil, ErrRoleNotFound
} }
@ -510,8 +498,8 @@ func (as *authStore) RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse,
tx.Lock() tx.Lock()
defer tx.Unlock() defer tx.Unlock()
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Name), nil, 0) role := getRole(tx, r.Name)
if len(vs) != 0 { if role != nil {
return nil, ErrRoleAlreadyExist return nil, ErrRoleAlreadyExist
} }
@ -557,18 +545,11 @@ func (as *authStore) RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (
tx.Lock() tx.Lock()
defer tx.Unlock() defer tx.Unlock()
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(r.Name), nil, 0) role := getRole(tx, r.Name)
if len(vs) != 1 { if role == nil {
return nil, ErrRoleNotFound return nil, ErrRoleNotFound
} }
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
plog.Errorf("failed to unmarshal a role %s: %s", r.Name, err)
return nil, err
}
idx := sort.Search(len(role.KeyPermission), func(i int) bool { idx := sort.Search(len(role.KeyPermission), func(i int) bool {
return bytes.Compare(role.KeyPermission[i].Key, []byte(r.Perm.Key)) >= 0 return bytes.Compare(role.KeyPermission[i].Key, []byte(r.Perm.Key)) >= 0
}) })
@ -623,17 +604,9 @@ func (as *authStore) isOpPermitted(userName string, key, rangeEnd string, write
if strings.Compare(rangeEnd, "") == 0 { if strings.Compare(rangeEnd, "") == 0 {
for _, roleName := range user.Roles { for _, roleName := range user.Roles {
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(roleName), nil, 0) role := getRole(tx, roleName)
if len(vs) != 1 { if role == nil {
plog.Errorf("invalid role name %s for permission checking", roleName) continue
return false
}
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
plog.Errorf("failed to unmarshal a role %s: %s", roleName, err)
return false
} }
for _, perm := range role.KeyPermission { for _, perm := range role.KeyPermission {
@ -702,6 +675,20 @@ func getUser(tx backend.BatchTx, username string) *authpb.User {
return user return user
} }
func getRole(tx backend.BatchTx, rolename string) *authpb.Role {
_, vs := tx.UnsafeRange(authRolesBucketName, []byte(rolename), nil, 0)
if len(vs) == 0 {
return nil
}
role := &authpb.Role{}
err := role.Unmarshal(vs[0])
if err != nil {
plog.Panicf("failed to unmarshal role struct (name: %s): %s", rolename, err)
}
return role
}
func (as *authStore) isAuthEnabled() bool { func (as *authStore) isAuthEnabled() bool {
as.enabledMu.RLock() as.enabledMu.RLock()
defer as.enabledMu.RUnlock() defer as.enabledMu.RUnlock()
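Review bot: `getRole` turns an unmarshal failure into `plog.Panicf`, whereas the code it replaces returned the error in RoleGet, RoleRevokePermission and RoleGrantPermission, and returned false in isOpPermitted. A single undecodable role record would therefore stop the process on the permission-check path instead of denying the request. If that is deliberate (treating an undecodable record as backend corruption), the helper should say so in a doc comment, e.g. `// getRole returns the named role, or nil if it does not exist; it panics if the stored record cannot be unmarshalled. Callers must hold the tx lock.` The lock requirement is inferred from the `tx.Lock()` calls in the handlers shown and from the use of `UnsafeRange`. The `len(vs) == 0` test also no longer rejects a result with more than one value, which the old `len(vs) != 1` checks did; that looks unreachable with a nil end key, but it is worth confirming.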