v2http: use guest access in non-TLS mode
Fix https://github.com/coreos/etcd/issues/6075.
release-3.1
parent
59ac42ff38
commit
87498e0209
|
@ -116,10 +116,11 @@ func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive,
|
||||||
}
|
}
|
||||||
|
|
||||||
var user *auth.User
|
var user *auth.User
|
||||||
if r.Header.Get("Authorization") == "" && clientCertAuthEnabled {
|
if r.Header.Get("Authorization") == "" {
|
||||||
user = userFromClientCertificate(sec, r)
|
if clientCertAuthEnabled {
|
||||||
|
user = userFromClientCertificate(sec, r)
|
||||||
|
}
|
||||||
if user == nil {
|
if user == nil {
|
||||||
plog.Warningf("auth: no authorization provided, checking guest access")
|
|
||||||
return hasGuestAccess(sec, r, key)
|
return hasGuestAccess(sec, r, key)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
|
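Review bot: The fallback to guest access is now silent: the old side's `plog.Warningf("auth: no authorization provided, checking guest access")` has no counterpart on the new side of this hunk as rendered. When `clientCertAuthEnabled` is true and `userFromClientCertificate` returns nil, the request is evaluated with guest permissions and nothing visible here records that, which is the case an operator reviewing auth logs would most want to see. I would keep a log line scoped to that branch, inside `if clientCertAuthEnabled`: `if user == nil { plog.Warningf("auth: client certificate did not resolve to a user, checking guest access") }`. `userFromClientCertificate` may already log its own failures; its body is not shown, and `hasKeyPrefixAccess` itself starts and ends outside the hunk.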
|
@ -717,6 +717,36 @@ func TestPrefixAccess(t *testing.T) {
|
||||||
hasKeyPrefixAccess: false,
|
hasKeyPrefixAccess: false,
|
||||||
hasRecursiveAccess: false,
|
hasRecursiveAccess: false,
|
||||||
},
|
},
|
||||||
|
{ // guest access in non-TLS mode
|
||||||
|
key: "/foo",
|
||||||
|
req: (func() *http.Request {
|
||||||
|
return mustJSONRequest(t, "GET", "somepath", "")
|
||||||
|
})(),
|
||||||
|
store: &mockAuthStore{
|
||||||
|
enabled: true,
|
||||||
|
users: map[string]*auth.User{
|
||||||
|
"root": {
|
||||||
|
User: "root",
|
||||||
|
Password: goodPassword,
|
||||||
|
Roles: []string{"root"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
roles: map[string]*auth.Role{
|
||||||
|
"guest": {
|
||||||
|
Role: "guest",
|
||||||
|
Permissions: auth.Permissions{
|
||||||
|
KV: auth.RWPermission{
|
||||||
|
Read: []string{"/foo*"},
|
||||||
|
Write: []string{"/foo*"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
hasRoot: false,
|
||||||
|
hasKeyPrefixAccess: true,
|
||||||
|
hasRecursiveAccess: true,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for i, tt := range table {
|
for i, tt := range table {
|
||||||
|
|
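Review bot: The new table entry pins only the allow path of the guest fallback; this hunk has no companion case where the same header-less, non-TLS request asks for a key outside the guest role's `/foo*` patterns and expects `hasKeyPrefixAccess: false`. Since the commit widens the conditions under which `hasGuestAccess` is reached, a deny case is what shows the fallback still enforces role permissions rather than admitting every unauthenticated request. I would add a second entry identical to this one but with `key: "/bar"` and both `hasKeyPrefixAccess` and `hasRecursiveAccess` set to `false`. The table and the loop that consumes it extend outside the hunk, so an existing entry may already cover the deny path for the TLS case.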