Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

etcdctl: add a new option --open-ended for unlimited range permission #7649

Merged
merged 2 commits into from
Apr 5, 2017
Merged

etcdctl: add a new option --open-ended for unlimited range permission #7649

merged 2 commits into from
Apr 5, 2017

Conversation

mitake
Copy link
Contributor

@mitake mitake commented Apr 3, 2017

This commit adds a new option --open-ended to the command etcdctl role
grant-permission. If the option is passed, an open ended permission
will be granted to a role e.g. from start-key to any keys those are
larger than start-key.

Example:
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant r1 readwrite a b
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant --open-ended r1 readwrite c
$ ETCDCTL_API=3 bin/etcdctl --user root:p role get r1
Role r1
KV Read:
        [a, b) (prefix a)
        [c, <open ended>
KV Write:
        [a, b) (prefix a)
        [c, <open ended>

Note that a closed parenthesis doesn't follow the above
for indicating that the role has an open ended permission ("" is a valid range end).

Fixes #7468

heyitsanthony
heyitsanthony suggested changes Apr 3, 2017
View reviewed changes
e2e/ctl_v3_role_test.go Outdated
key string
rangeEnd string
prefix bool
openEnded bool
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just use rangeEnd == "\x00" to represent this instead of a special flag?

etcdctl/ctlv3/command/printer_simple.go Outdated
@@ -141,7 +141,11 @@ func (s *simplePrinter) RoleGet(role string, r v3.AuthRoleGetResponse) {
printRange := func(perm *v3.Permission) {
sKey := string(perm.Key)
sRangeEnd := string(perm.RangeEnd)
fmt.Printf("\t[%s, %s)", sKey, sRangeEnd)
if strings.Compare(sRangeEnd, "\xff") != 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be sRangeEnd != "\x00"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, my understanding of Range interface was very wrong... any byte sequences (other than ascii strings) are allowed to be a key so 0xff cannot be the largest key. I'll follow your suggestions and use StringAffineComparable for the purpose.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just checking against "\x00" here should be OK, no need for the adt/affine stuff. RangeEnd == "\x00" meaning >= is already part of the RPC wire protocol.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for my confusing writing. Yes, I'll just add the checking against "\x00" here. The idea of the affine stuff will be implemented in the perm cache side. My comment wasn't limited to the above line.

etcdctl/ctlv3/command/printer_simple.go Outdated
@@ -188,7 +192,11 @@ func (s *simplePrinter) RoleRevokePermission(role string, key string, end string
fmt.Printf("Permission of key %s is revoked from role %s\n", key, role)
return
}
fmt.Printf("Permission of range [%s, %s) is revoked from role %s\n", key, end, role)
if strings.Compare(end, "\xff") != 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here, check end is "\x00"?

etcdctl/ctlv3/command/role_command.go Outdated
@@ -83,16 +84,21 @@ func newRoleGrantPermissionCommand() *cobra.Command {
}

cmd.Flags().BoolVar(&grantPermissionPrefix, "prefix", false, "grant a prefix permission")
cmd.Flags().BoolVar(&openEnded, "open-ended", false, "grant an open ended range permission")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably should be from-key to match etcdctl get flags

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I'll use the name as the option.

etcdctl/ctlv3/command/role_command.go Outdated
rangeEnd = clientv3.GetPrefixRangeEnd(args[2])
} else if openEnded {
rangeEnd = "\xff"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rangeEnd = "\x00"?

etcdctl/ctlv3/command/role_command.go Outdated
@@ -190,6 +207,8 @@ func roleRevokePermissionCommandFunc(cmd *cobra.Command, args []string) {
rangeEnd := ""
if 3 <= len(args) {
rangeEnd = args[2]
} else if openEnded {
rangeEnd = "\xff"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rangeEnd = "\x00"?

etcdctl/ctlv3/command/role_command.go Outdated
Use: "revoke-permission <role name> <key> [endkey]",
Short: "Revokes a key from a role",
Run: roleRevokePermissionCommandFunc,
}

cmd.Flags().BoolVar(&openEnded, "open-ended", false, "revoke an open ended range permission")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from-key here too

e2e/ctl_v3_auth_test.go
// try the granted open ended permission
cx.user, cx.pass = "test-user", "pass"
for i := 0; i < 10; i++ {
key := fmt.Sprintf("z%d", i)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can stress the >= range a bit more with \xff's:

key := "\xff"
for j := 0; j < i; j++ {
    key += "\xff"
}

@mitake
Copy link
Contributor Author

mitake commented Apr 4, 2017

@heyitsanthony updated based on your comments, especially for changing the option name (--open-ended -> --from-key) and following the wire RPC protocol (\xff -> \x00). Could you take a look?

@mitake
etcdctl: add a new option --from-key for unlimited range permission
0a7fc7c 
This commit adds a new option --from-key to the command etcdctl role
grant-permission. If the option is passed, an open ended permission
will be granted to a role e.g. from start-key to any keys those are
larger than start-key.

Example:
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant r1 readwrite a b
$ ETCDCTL_API=3 bin/etcdctl --user root:p role grant --from-key r1 readwrite c
$ ETCDCTL_API=3 bin/etcdctl --user root:p role get r1
Role r1
KV Read:
        [a, b) (prefix a)
        [c, <open ended>
KV Write:
        [a, b) (prefix a)
        [c, <open ended>

Note that a closed parenthesis doesn't follow the above <open ended>
for indicating that the role has an open ended permission ("<open
ended>" is a valid range end).

Fixes etcd-io#7468
@mitake
e2e: add a test case for the --open-ended option
a204b14
@heyitsanthony
Copy link
Contributor

lgtm. Thanks!

@mitake
Copy link
Contributor Author

mitake commented Apr 5, 2017

@heyitsanthony thanks, I'm merging it

@mitake mitake merged commit 6335506 into etcd-io:master Apr 5, 2017
@mitake mitake deleted the range-open-ended branch April 5, 2017 02:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heyitsanthony heyitsanthony heyitsanthony approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

auth: support accessing all keys for non-root roles
3 participants
@mitake @heyitsanthony @gyuho