From c75fa6fdc91918aef77d1ce1aa84a4999242755c Mon Sep 17 00:00:00 2001
From: Xiang Li
Date: Mon, 13 Jun 2016 17:19:59 -0700
Subject: [PATCH] *: support deleteRange perm checking
---
 auth/store.go | 7 +++++++
 etcdserver/apply.go | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/auth/store.go b/auth/store.go
index 62feed053..8a0a9863e 100644
--- a/auth/store.go
+++ b/auth/store.go
@@ -113,6 +113,9 @@ type AuthStore interface {
 // IsRangePermitted checks range permission of the user
 IsRangePermitted(header *pb.RequestHeader, key, rangeEnd []byte) bool
+ // IsDeleteRangePermitted checks delete-range permission of the user
+ IsDeleteRangePermitted(username string, key, rangeEnd []byte) bool
+
 // IsAdminPermitted checks admin permission of the user
 IsAdminPermitted(username string) bool
@@ -575,6 +578,10 @@ func (as *authStore) IsRangePermitted(header *pb.RequestHeader, key, rangeEnd []
 return as.isOpPermitted(header.Username, key, rangeEnd, authpb.READ)
 }
+func (as *authStore) IsDeleteRangePermitted(username string, key, rangeEnd []byte) bool {
+ return as.isOpPermitted(username, key, rangeEnd, authpb.WRITE)
+}
+
 func (as *authStore) IsAdminPermitted(username string) bool {
 if !as.isAuthEnabled() {
 return true
diff --git a/etcdserver/apply.go b/etcdserver/apply.go
index b25ce917a..f13c50e52 100644
--- a/etcdserver/apply.go
+++ b/etcdserver/apply.go
@@ -104,7 +104,11 @@ func (s *EtcdServer) applyV3Request(r *pb.InternalRaftRequest) *applyResult {
 ar.err = auth.ErrPermissionDenied
 }
 case r.DeleteRange != nil:
- ar.resp, ar.err = s.applyV3.DeleteRange(noTxn, r.DeleteRange)
+ if s.AuthStore().IsDeleteRangePermitted(r.Header.Username, r.DeleteRange.Key, r.DeleteRange.RangeEnd) {
+ ar.resp, ar.err = s.applyV3.DeleteRange(noTxn, r.DeleteRange)
+ } else {
+ ar.err = auth.ErrPermissionDenied
+ }
 case r.Txn != nil:
 ar.resp, ar.err = s.applyV3.Txn(r.Txn)
 case r.Compaction != nil:
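Review bot: The interface comment on `IsDeleteRangePermitted` in the first auth/store.go hunk does not say which permission a delete is checked against, although the implementation in the second hunk passes `authpb.WRITE`. Someone auditing role grants needs that mapping spelled out, for example `// IsDeleteRangePermitted reports whether the user holds WRITE permission on the given key range; delete-range is authorized as a write`. The method added in the second hunk has no doc comment of its own and could carry the same sentence. The new method also takes `username string` while the neighbouring `IsRangePermitted` takes `header *pb.RequestHeader`; settling on one form for both would keep the call sites in apply.go uniform.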
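Review bot: The `case r.Txn != nil:` branch directly below the new check in etcdserver/apply.go still calls `s.applyV3.Txn(r.Txn)` with no permission check. If a transaction can carry delete-range operations, the WRITE check added here does not cover them, so that branch needs an equivalent per-operation check or should be refused while auth is enabled until one exists. The new condition also dereferences `r.Header.Username` without a nil guard; confirm that every `InternalRaftRequest` carries a header before it reaches this switch, or guard the dereference so a missing header is denied rather than panicking in the apply path. `applyV3Request` starts and ends outside the hunk, and the patch adds no test for the denied path.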