Skip to content

Commit

Permalink
etcdserver: let maintenance services require root role
Browse files Browse the repository at this point in the history
  • Loading branch information
mitake committed Nov 24, 2016
1 parent c31b1ab commit 7a81f49
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 4 deletions.
39 changes: 38 additions & 1 deletion etcdserver/api/v3rpc/maintenance.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"crypto/sha256"
"io"

"github.com/coreos/etcd/auth"
"github.com/coreos/etcd/etcdserver"
pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
"github.com/coreos/etcd/mvcc"
Expand Down Expand Up @@ -45,19 +46,45 @@ type RaftStatusGetter interface {
Leader() types.ID
}

type AuthGetter interface {
AuthInfoFromCtx(ctx context.Context) (*auth.AuthInfo, error)
AuthStore() auth.AuthStore
}

type maintenanceServer struct {
rg RaftStatusGetter
kg KVGetter
bg BackendGetter
a Alarmer
ag AuthGetter
hdr header
}

func NewMaintenanceServer(s *etcdserver.EtcdServer) pb.MaintenanceServer {
return &maintenanceServer{rg: s, kg: s, bg: s, a: s, hdr: newHeader(s)}
return &maintenanceServer{rg: s, kg: s, bg: s, a: s, ag: s, hdr: newHeader(s)}
}

func (ms *maintenanceServer) isAuthenticated(ctx context.Context) error {
authInfo, err := ms.ag.AuthInfoFromCtx(ctx)
if err != nil {
return err
}

as := ms.ag.AuthStore()
err = as.IsAdminPermitted(authInfo)
if err != nil {
return err
}

return nil
}

func (ms *maintenanceServer) Defragment(ctx context.Context, sr *pb.DefragmentRequest) (*pb.DefragmentResponse, error) {
if err := ms.isAuthenticated(ctx); err != nil {
plog.Warningf("invalid Degragment request was issued: %s", err)
return nil, err
}

plog.Noticef("starting to defragment the storage backend...")
err := ms.bg.Backend().Defrag()
if err != nil {
Expand Down Expand Up @@ -114,6 +141,11 @@ func (ms *maintenanceServer) Snapshot(sr *pb.SnapshotRequest, srv pb.Maintenance
}

func (ms *maintenanceServer) Hash(ctx context.Context, r *pb.HashRequest) (*pb.HashResponse, error) {
if err := ms.isAuthenticated(ctx); err != nil {
plog.Warningf("invalid Hash request was issued: %s", err)
return nil, err
}

h, rev, err := ms.kg.KV().Hash()
if err != nil {
return nil, togRPCError(err)
Expand All @@ -128,6 +160,11 @@ func (ms *maintenanceServer) Alarm(ctx context.Context, ar *pb.AlarmRequest) (*p
}

func (ms *maintenanceServer) Status(ctx context.Context, ar *pb.StatusRequest) (*pb.StatusResponse, error) {
if err := ms.isAuthenticated(ctx); err != nil {
plog.Warningf("invalid Status request was issued: %s", err)
return nil, err
}

resp := &pb.StatusResponse{
Header: &pb.ResponseHeader{Revision: ms.hdr.rev()},
Version: version.Version,
Expand Down
6 changes: 3 additions & 3 deletions etcdserver/v3_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -639,7 +639,7 @@ func (s *EtcdServer) isValidSimpleToken(token string) bool {
}
}

func (s *EtcdServer) authInfoFromCtx(ctx context.Context) (*auth.AuthInfo, error) {
func (s *EtcdServer) AuthInfoFromCtx(ctx context.Context) (*auth.AuthInfo, error) {
md, ok := metadata.FromContext(ctx)
if !ok {
return nil, nil
Expand All @@ -666,7 +666,7 @@ func (s *EtcdServer) authInfoFromCtx(ctx context.Context) (*auth.AuthInfo, error
// doSerialize handles the auth logic, with permissions checked by "chk", for a serialized request "get". Returns a non-nil error on authentication failure.
func (s *EtcdServer) doSerialize(ctx context.Context, chk func(*auth.AuthInfo) error, get func()) error {
for {
ai, err := s.authInfoFromCtx(ctx)
ai, err := s.AuthInfoFromCtx(ctx)
if err != nil {
return err
}
Expand Down Expand Up @@ -701,7 +701,7 @@ func (s *EtcdServer) processInternalRaftRequestOnce(ctx context.Context, r pb.In
ID: s.reqIDGen.Next(),
}

authInfo, err := s.authInfoFromCtx(ctx)
authInfo, err := s.AuthInfoFromCtx(ctx)
if err != nil {
return nil, err
}
Expand Down

0 comments on commit 7a81f49

Please sign in to comment.