Skip to content

Commit

Permalink
etcdserver: protect lease timetilive with auth
Browse files Browse the repository at this point in the history
Signed-off-by: Hitoshi Mitake <[email protected]>
Co-authored-by: Benjamin Wang <[email protected]>
  • Loading branch information
mitake and ahrtr committed May 8, 2023
1 parent c0f2954 commit d1b1aa9
Showing 1 changed file with 51 additions and 1 deletion.
52 changes: 51 additions & 1 deletion server/etcdserver/v3_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -336,7 +336,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
return -1, ErrCanceled
}

func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (uint64, error) {
rev := s.AuthStore().Revision()
if !s.AuthStore().IsAuthEnabled() {
return rev, nil
}
authInfo, err := s.AuthInfoFromCtx(ctx)
if err != nil {
return rev, err
}
if authInfo == nil {
return rev, auth.ErrUserEmpty
}

l := s.lessor.Lookup(leaseID)
if l != nil {
for _, key := range l.Keys() {
if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
return 0, err
}
}
}

return rev, nil
}

func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
if s.isLeader() {
if err := s.waitAppliedIndex(); err != nil {
return nil, err
Expand Down Expand Up @@ -386,6 +411,31 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
return nil, ErrCanceled
}

func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
var rev uint64
var err error
if r.Keys {
// check RBAC permission only if Keys is true
rev, err = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID))
if err != nil {
return nil, err
}
}

resp, err := s.leaseTimeToLive(ctx, r)
if err != nil {
return nil, err
}

if r.Keys {
if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() {
return nil, auth.ErrAuthOldRevision
}
}
return resp, nil
}

// LeaseLeases is really ListLeases !???
func (s *EtcdServer) LeaseLeases(ctx context.Context, r *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
ls := s.lessor.Leases()
lss := make([]*pb.LeaseStatus, len(ls))
Expand Down

0 comments on commit d1b1aa9

Please sign in to comment.