
Merge pull request #5662 from xiang90/auth_delete

*: support deleteRange perm checking
Xiang Li 9 years ago
parent
commit
6958334db2
2 changed files with 12 additions and 1 deletions
  1. 7 0
      auth/store.go
  2. 5 1
      etcdserver/apply.go

+ 7 - 0
auth/store.go

@@ -113,6 +113,9 @@ type AuthStore interface {
 	// IsRangePermitted checks range permission of the user
 	IsRangePermitted(header *pb.RequestHeader, key, rangeEnd []byte) bool
 
+	// IsDeleteRangePermitted checks delete-range permission of the user
+	IsDeleteRangePermitted(username string, key, rangeEnd []byte) bool
+
 	// IsAdminPermitted checks admin permission of the user
 	IsAdminPermitted(username string) bool
 
@@ -575,6 +578,10 @@ func (as *authStore) IsRangePermitted(header *pb.RequestHeader, key, rangeEnd []
 	return as.isOpPermitted(header.Username, key, rangeEnd, authpb.READ)
 }
 
+func (as *authStore) IsDeleteRangePermitted(username string, key, rangeEnd []byte) bool {
+	return as.isOpPermitted(username, key, rangeEnd, authpb.WRITE)
+}
+
 func (as *authStore) IsAdminPermitted(username string) bool {
 	if !as.isAuthEnabled() {
 		return true
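Review bot: The interface comment on `IsDeleteRangePermitted` does not say which permission a delete requires or how `rangeEnd` is interpreted, and the implementation silently maps a delete to `authpb.WRITE`. I would spell that out, for example `// IsDeleteRangePermitted reports whether username holds WRITE permission covering key and rangeEnd; a delete is authorized as a write.`, and add a matching doc comment on the `authStore` method. `IsAdminPermitted` just below short-circuits when auth is disabled, whereas the new method relies entirely on `isOpPermitted`, which is outside this hunk; it is worth confirming that helper allows everything when auth is off and denies an empty or unknown username when auth is on. The new method also takes `username string` where its sibling `IsRangePermitted` takes `header *pb.RequestHeader`, so the two range checks now have different calling conventions.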

+ 5 - 1
etcdserver/apply.go

@@ -104,7 +104,11 @@ func (s *EtcdServer) applyV3Request(r *pb.InternalRaftRequest) *applyResult {
 			ar.err = auth.ErrPermissionDenied
 		}
 	case r.DeleteRange != nil:
-		ar.resp, ar.err = s.applyV3.DeleteRange(noTxn, r.DeleteRange)
+		if s.AuthStore().IsDeleteRangePermitted(r.Header.Username, r.DeleteRange.Key, r.DeleteRange.RangeEnd) {
+			ar.resp, ar.err = s.applyV3.DeleteRange(noTxn, r.DeleteRange)
+		} else {
+			ar.err = auth.ErrPermissionDenied
+		}
 	case r.Txn != nil:
 		ar.resp, ar.err = s.applyV3.Txn(r.Txn)
 	case r.Compaction != nil:
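Review bot: The `case r.Txn != nil:` branch right after the new check still calls `s.applyV3.Txn(r.Txn)` with no permission test visible in this hunk. If a transaction can carry delete-range operations (likely, though the Txn request type is not shown here), a caller denied by `IsDeleteRangePermitted` could have the same deletion applied through a txn. Unless `Txn` authorizes each contained operation elsewhere, that case needs an equivalent gate which sets `ar.err = auth.ErrPermissionDenied` for the whole transaction when any operation in it is not permitted. Separately, `r.Header.Username` is dereferenced without a nil check, so it is worth confirming that `Header` is always populated before a request reaches apply. `applyV3Request` starts and ends outside the hunk.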