commit
6958334db2
|
@ -113,6 +113,9 @@ type AuthStore interface {
|
|||
// IsRangePermitted checks range permission of the user
|
||||
IsRangePermitted(header *pb.RequestHeader, key, rangeEnd []byte) bool
|
||||
|
||||
// IsDeleteRangePermitted checks delete-range permission of the user
|
||||
IsDeleteRangePermitted(username string, key, rangeEnd []byte) bool
|
||||
|
||||
// IsAdminPermitted checks admin permission of the user
|
||||
IsAdminPermitted(username string) bool
|
||||
|
||||
|
@ -575,6 +578,10 @@ func (as *authStore) IsRangePermitted(header *pb.RequestHeader, key, rangeEnd []
|
|||
return as.isOpPermitted(header.Username, key, rangeEnd, authpb.READ)
|
||||
}
|
||||
|
||||
func (as *authStore) IsDeleteRangePermitted(username string, key, rangeEnd []byte) bool {
|
||||
return as.isOpPermitted(username, key, rangeEnd, authpb.WRITE)
|
||||
}
|
||||
|
||||
func (as *authStore) IsAdminPermitted(username string) bool {
|
||||
if !as.isAuthEnabled() {
|
||||
return true
|
||||
|
|
|
@ -104,7 +104,11 @@ func (s *EtcdServer) applyV3Request(r *pb.InternalRaftRequest) *applyResult {
|
|||
ar.err = auth.ErrPermissionDenied
|
||||
}
|
||||
case r.DeleteRange != nil:
|
||||
ar.resp, ar.err = s.applyV3.DeleteRange(noTxn, r.DeleteRange)
|
||||
if s.AuthStore().IsDeleteRangePermitted(r.Header.Username, r.DeleteRange.Key, r.DeleteRange.RangeEnd) {
|
||||
ar.resp, ar.err = s.applyV3.DeleteRange(noTxn, r.DeleteRange)
|
||||
} else {
|
||||
ar.err = auth.ErrPermissionDenied
|
||||
}
|
||||
case r.Txn != nil:
|
||||
ar.resp, ar.err = s.applyV3.Txn(r.Txn)
|
||||
case r.Compaction != nil:
|
||||
|
|
Loading…
Reference in New Issue