blob: b438074a4498930dac07721cb0204d86c9a3cda2 [file] [log] [blame]
khenaidooab1f7bd2019-11-14 14:00:27 -05001// Copyright 2015 The etcd Authors
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// Package v2auth implements etcd authentication.
16package v2auth
17
18import (
19 "context"
20 "encoding/json"
21 "fmt"
22 "net/http"
23 "path"
24 "reflect"
25 "sort"
26 "strings"
27 "time"
28
29 "go.etcd.io/etcd/etcdserver"
30 "go.etcd.io/etcd/etcdserver/api/v2error"
31 "go.etcd.io/etcd/etcdserver/etcdserverpb"
32 "go.etcd.io/etcd/pkg/types"
33
34 "github.com/coreos/pkg/capnslog"
35 "go.uber.org/zap"
36 "golang.org/x/crypto/bcrypt"
37)
38
39const (
40 // StorePermsPrefix is the internal prefix of the storage layer dedicated to storing user data.
41 StorePermsPrefix = "/2"
42
43 // RootRoleName is the name of the ROOT role, with privileges to manage the cluster.
44 RootRoleName = "root"
45
46 // GuestRoleName is the name of the role that defines the privileges of an unauthenticated user.
47 GuestRoleName = "guest"
48)
49
50var (
51 plog = capnslog.NewPackageLogger("go.etcd.io/etcd/v3", "etcdserver/auth")
52)
53
54var rootRole = Role{
55 Role: RootRoleName,
56 Permissions: Permissions{
57 KV: RWPermission{
58 Read: []string{"/*"},
59 Write: []string{"/*"},
60 },
61 },
62}
63
64var guestRole = Role{
65 Role: GuestRoleName,
66 Permissions: Permissions{
67 KV: RWPermission{
68 Read: []string{"/*"},
69 Write: []string{"/*"},
70 },
71 },
72}
73
74type doer interface {
75 Do(context.Context, etcdserverpb.Request) (etcdserver.Response, error)
76}
77
78type Store interface {
79 AllUsers() ([]string, error)
80 GetUser(name string) (User, error)
81 CreateOrUpdateUser(user User) (out User, created bool, err error)
82 CreateUser(user User) (User, error)
83 DeleteUser(name string) error
84 UpdateUser(user User) (User, error)
85 AllRoles() ([]string, error)
86 GetRole(name string) (Role, error)
87 CreateRole(role Role) error
88 DeleteRole(name string) error
89 UpdateRole(role Role) (Role, error)
90 AuthEnabled() bool
91 EnableAuth() error
92 DisableAuth() error
93 PasswordStore
94}
95
96type PasswordStore interface {
97 CheckPassword(user User, password string) bool
98 HashPassword(password string) (string, error)
99}
100
101type store struct {
102 lg *zap.Logger
103 server doer
104 timeout time.Duration
105 ensuredOnce bool
106
107 PasswordStore
108}
109
110type User struct {
111 User string `json:"user"`
112 Password string `json:"password,omitempty"`
113 Roles []string `json:"roles"`
114 Grant []string `json:"grant,omitempty"`
115 Revoke []string `json:"revoke,omitempty"`
116}
117
118type Role struct {
119 Role string `json:"role"`
120 Permissions Permissions `json:"permissions"`
121 Grant *Permissions `json:"grant,omitempty"`
122 Revoke *Permissions `json:"revoke,omitempty"`
123}
124
125type Permissions struct {
126 KV RWPermission `json:"kv"`
127}
128
129func (p *Permissions) IsEmpty() bool {
130 return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
131}
132
133type RWPermission struct {
134 Read []string `json:"read"`
135 Write []string `json:"write"`
136}
137
138type Error struct {
139 Status int
140 Errmsg string
141}
142
143func (ae Error) Error() string { return ae.Errmsg }
144func (ae Error) HTTPStatus() int { return ae.Status }
145
146func authErr(hs int, s string, v ...interface{}) Error {
147 return Error{Status: hs, Errmsg: fmt.Sprintf("auth: "+s, v...)}
148}
149
150func NewStore(lg *zap.Logger, server doer, timeout time.Duration) Store {
151 s := &store{
152 lg: lg,
153 server: server,
154 timeout: timeout,
155 PasswordStore: passwordStore{},
156 }
157 return s
158}
159
160// passwordStore implements PasswordStore using bcrypt to hash user passwords
161type passwordStore struct{}
162
163func (passwordStore) CheckPassword(user User, password string) bool {
164 err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
165 return err == nil
166}
167
168func (passwordStore) HashPassword(password string) (string, error) {
169 hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
170 return string(hash), err
171}
172
173func (s *store) AllUsers() ([]string, error) {
174 resp, err := s.requestResource("/users/", false)
175 if err != nil {
176 if e, ok := err.(*v2error.Error); ok {
177 if e.ErrorCode == v2error.EcodeKeyNotFound {
178 return []string{}, nil
179 }
180 }
181 return nil, err
182 }
183 var nodes []string
184 for _, n := range resp.Event.Node.Nodes {
185 _, user := path.Split(n.Key)
186 nodes = append(nodes, user)
187 }
188 sort.Strings(nodes)
189 return nodes, nil
190}
191
192func (s *store) GetUser(name string) (User, error) { return s.getUser(name, false) }
193
194// CreateOrUpdateUser should be only used for creating the new user or when you are not
195// sure if it is a create or update. (When only password is passed in, we are not sure
196// if it is a update or create)
197func (s *store) CreateOrUpdateUser(user User) (out User, created bool, err error) {
198 _, err = s.getUser(user.User, true)
199 if err == nil {
200 out, err = s.UpdateUser(user)
201 return out, false, err
202 }
203 u, err := s.CreateUser(user)
204 return u, true, err
205}
206
207func (s *store) CreateUser(user User) (User, error) {
208 // Attach root role to root user.
209 if user.User == "root" {
210 user = attachRootRole(user)
211 }
212 u, err := s.createUserInternal(user)
213 if err == nil {
214 if s.lg != nil {
215 s.lg.Info("created a user", zap.String("user-name", user.User))
216 } else {
217 plog.Noticef("created user %s", user.User)
218 }
219 }
220 return u, err
221}
222
223func (s *store) createUserInternal(user User) (User, error) {
224 if user.Password == "" {
225 return user, authErr(http.StatusBadRequest, "Cannot create user %s with an empty password", user.User)
226 }
227 hash, err := s.HashPassword(user.Password)
228 if err != nil {
229 return user, err
230 }
231 user.Password = hash
232
233 _, err = s.createResource("/users/"+user.User, user)
234 if err != nil {
235 if e, ok := err.(*v2error.Error); ok {
236 if e.ErrorCode == v2error.EcodeNodeExist {
237 return user, authErr(http.StatusConflict, "User %s already exists.", user.User)
238 }
239 }
240 }
241 return user, err
242}
243
244func (s *store) DeleteUser(name string) error {
245 if s.AuthEnabled() && name == "root" {
246 return authErr(http.StatusForbidden, "Cannot delete root user while auth is enabled.")
247 }
248 err := s.deleteResource("/users/" + name)
249 if err != nil {
250 if e, ok := err.(*v2error.Error); ok {
251 if e.ErrorCode == v2error.EcodeKeyNotFound {
252 return authErr(http.StatusNotFound, "User %s does not exist", name)
253 }
254 }
255 return err
256 }
257 if s.lg != nil {
258 s.lg.Info("deleted a user", zap.String("user-name", name))
259 } else {
260 plog.Noticef("deleted user %s", name)
261 }
262 return nil
263}
264
265func (s *store) UpdateUser(user User) (User, error) {
266 old, err := s.getUser(user.User, true)
267 if err != nil {
268 if e, ok := err.(*v2error.Error); ok {
269 if e.ErrorCode == v2error.EcodeKeyNotFound {
270 return user, authErr(http.StatusNotFound, "User %s doesn't exist.", user.User)
271 }
272 }
273 return old, err
274 }
275
276 newUser, err := old.merge(s.lg, user, s.PasswordStore)
277 if err != nil {
278 return old, err
279 }
280 if reflect.DeepEqual(old, newUser) {
281 return old, authErr(http.StatusBadRequest, "User not updated. Use grant/revoke/password to update the user.")
282 }
283 _, err = s.updateResource("/users/"+user.User, newUser)
284 if err == nil {
285 if s.lg != nil {
286 s.lg.Info("updated a user", zap.String("user-name", user.User))
287 } else {
288 plog.Noticef("updated user %s", user.User)
289 }
290 }
291 return newUser, err
292}
293
294func (s *store) AllRoles() ([]string, error) {
295 nodes := []string{RootRoleName}
296 resp, err := s.requestResource("/roles/", false)
297 if err != nil {
298 if e, ok := err.(*v2error.Error); ok {
299 if e.ErrorCode == v2error.EcodeKeyNotFound {
300 return nodes, nil
301 }
302 }
303 return nil, err
304 }
305 for _, n := range resp.Event.Node.Nodes {
306 _, role := path.Split(n.Key)
307 nodes = append(nodes, role)
308 }
309 sort.Strings(nodes)
310 return nodes, nil
311}
312
313func (s *store) GetRole(name string) (Role, error) { return s.getRole(name, false) }
314
315func (s *store) CreateRole(role Role) error {
316 if role.Role == RootRoleName {
317 return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
318 }
319 _, err := s.createResource("/roles/"+role.Role, role)
320 if err != nil {
321 if e, ok := err.(*v2error.Error); ok {
322 if e.ErrorCode == v2error.EcodeNodeExist {
323 return authErr(http.StatusConflict, "Role %s already exists.", role.Role)
324 }
325 }
326 }
327 if err == nil {
328 if s.lg != nil {
329 s.lg.Info("created a new role", zap.String("role-name", role.Role))
330 } else {
331 plog.Noticef("created new role %s", role.Role)
332 }
333 }
334 return err
335}
336
337func (s *store) DeleteRole(name string) error {
338 if name == RootRoleName {
339 return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", name)
340 }
341 err := s.deleteResource("/roles/" + name)
342 if err != nil {
343 if e, ok := err.(*v2error.Error); ok {
344 if e.ErrorCode == v2error.EcodeKeyNotFound {
345 return authErr(http.StatusNotFound, "Role %s doesn't exist.", name)
346 }
347 }
348 }
349 if err == nil {
350 if s.lg != nil {
351 s.lg.Info("delete a new role", zap.String("role-name", name))
352 } else {
353 plog.Noticef("deleted role %s", name)
354 }
355 }
356 return err
357}
358
359func (s *store) UpdateRole(role Role) (Role, error) {
360 if role.Role == RootRoleName {
361 return Role{}, authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
362 }
363 old, err := s.getRole(role.Role, true)
364 if err != nil {
365 if e, ok := err.(*v2error.Error); ok {
366 if e.ErrorCode == v2error.EcodeKeyNotFound {
367 return role, authErr(http.StatusNotFound, "Role %s doesn't exist.", role.Role)
368 }
369 }
370 return old, err
371 }
372 newRole, err := old.merge(s.lg, role)
373 if err != nil {
374 return old, err
375 }
376 if reflect.DeepEqual(old, newRole) {
377 return old, authErr(http.StatusBadRequest, "Role not updated. Use grant/revoke to update the role.")
378 }
379 _, err = s.updateResource("/roles/"+role.Role, newRole)
380 if err == nil {
381 if s.lg != nil {
382 s.lg.Info("updated a new role", zap.String("role-name", role.Role))
383 } else {
384 plog.Noticef("updated role %s", role.Role)
385 }
386 }
387 return newRole, err
388}
389
390func (s *store) AuthEnabled() bool {
391 return s.detectAuth()
392}
393
394func (s *store) EnableAuth() error {
395 if s.AuthEnabled() {
396 return authErr(http.StatusConflict, "already enabled")
397 }
398
399 if _, err := s.getUser("root", true); err != nil {
400 return authErr(http.StatusConflict, "No root user available, please create one")
401 }
402 if _, err := s.getRole(GuestRoleName, true); err != nil {
403 if s.lg != nil {
404 s.lg.Info(
405 "no guest role access found; creating default",
406 zap.String("role-name", GuestRoleName),
407 )
408 } else {
409 plog.Printf("no guest role access found, creating default")
410 }
411 if err := s.CreateRole(guestRole); err != nil {
412 if s.lg != nil {
413 s.lg.Warn(
414 "failed to create a guest role; aborting auth enable",
415 zap.String("role-name", GuestRoleName),
416 zap.Error(err),
417 )
418 } else {
419 plog.Errorf("error creating guest role. aborting auth enable.")
420 }
421 return err
422 }
423 }
424
425 if err := s.enableAuth(); err != nil {
426 if s.lg != nil {
427 s.lg.Warn("failed to enable auth", zap.Error(err))
428 } else {
429 plog.Errorf("error enabling auth (%v)", err)
430 }
431 return err
432 }
433
434 if s.lg != nil {
435 s.lg.Info("enabled auth")
436 } else {
437 plog.Noticef("auth: enabled auth")
438 }
439 return nil
440}
441
442func (s *store) DisableAuth() error {
443 if !s.AuthEnabled() {
444 return authErr(http.StatusConflict, "already disabled")
445 }
446
447 err := s.disableAuth()
448 if err == nil {
449 if s.lg != nil {
450 s.lg.Info("disabled auth")
451 } else {
452 plog.Noticef("auth: disabled auth")
453 }
454 } else {
455 if s.lg != nil {
456 s.lg.Warn("failed to disable auth", zap.Error(err))
457 } else {
458 plog.Errorf("error disabling auth (%v)", err)
459 }
460 }
461 return err
462}
463
464// merge applies the properties of the passed-in User to the User on which it
465// is called and returns a new User with these modifications applied. Think of
466// all Users as immutable sets of data. Merge allows you to perform the set
467// operations (desired grants and revokes) atomically
468func (ou User) merge(lg *zap.Logger, nu User, s PasswordStore) (User, error) {
469 var out User
470 if ou.User != nu.User {
471 return out, authErr(http.StatusConflict, "Merging user data with conflicting usernames: %s %s", ou.User, nu.User)
472 }
473 out.User = ou.User
474 if nu.Password != "" {
475 hash, err := s.HashPassword(nu.Password)
476 if err != nil {
477 return ou, err
478 }
479 out.Password = hash
480 } else {
481 out.Password = ou.Password
482 }
483 currentRoles := types.NewUnsafeSet(ou.Roles...)
484 for _, g := range nu.Grant {
485 if currentRoles.Contains(g) {
486 if lg != nil {
487 lg.Warn(
488 "attempted to grant a duplicate role for a user",
489 zap.String("user-name", nu.User),
490 zap.String("role-name", g),
491 )
492 } else {
493 plog.Noticef("granting duplicate role %s for user %s", g, nu.User)
494 }
495 return User{}, authErr(http.StatusConflict, fmt.Sprintf("Granting duplicate role %s for user %s", g, nu.User))
496 }
497 currentRoles.Add(g)
498 }
499 for _, r := range nu.Revoke {
500 if !currentRoles.Contains(r) {
501 if lg != nil {
502 lg.Warn(
503 "attempted to revoke a ungranted role for a user",
504 zap.String("user-name", nu.User),
505 zap.String("role-name", r),
506 )
507 } else {
508 plog.Noticef("revoking ungranted role %s for user %s", r, nu.User)
509 }
510 return User{}, authErr(http.StatusConflict, fmt.Sprintf("Revoking ungranted role %s for user %s", r, nu.User))
511 }
512 currentRoles.Remove(r)
513 }
514 out.Roles = currentRoles.Values()
515 sort.Strings(out.Roles)
516 return out, nil
517}
518
519// merge for a role works the same as User above -- atomic Role application to
520// each of the substructures.
521func (r Role) merge(lg *zap.Logger, n Role) (Role, error) {
522 var out Role
523 var err error
524 if r.Role != n.Role {
525 return out, authErr(http.StatusConflict, "Merging role with conflicting names: %s %s", r.Role, n.Role)
526 }
527 out.Role = r.Role
528 out.Permissions, err = r.Permissions.Grant(n.Grant)
529 if err != nil {
530 return out, err
531 }
532 out.Permissions, err = out.Permissions.Revoke(lg, n.Revoke)
533 return out, err
534}
535
536func (r Role) HasKeyAccess(key string, write bool) bool {
537 if r.Role == RootRoleName {
538 return true
539 }
540 return r.Permissions.KV.HasAccess(key, write)
541}
542
543func (r Role) HasRecursiveAccess(key string, write bool) bool {
544 if r.Role == RootRoleName {
545 return true
546 }
547 return r.Permissions.KV.HasRecursiveAccess(key, write)
548}
549
550// Grant adds a set of permissions to the permission object on which it is called,
551// returning a new permission object.
552func (p Permissions) Grant(n *Permissions) (Permissions, error) {
553 var out Permissions
554 var err error
555 if n == nil {
556 return p, nil
557 }
558 out.KV, err = p.KV.Grant(n.KV)
559 return out, err
560}
561
562// Revoke removes a set of permissions to the permission object on which it is called,
563// returning a new permission object.
564func (p Permissions) Revoke(lg *zap.Logger, n *Permissions) (Permissions, error) {
565 var out Permissions
566 var err error
567 if n == nil {
568 return p, nil
569 }
570 out.KV, err = p.KV.Revoke(lg, n.KV)
571 return out, err
572}
573
574// Grant adds a set of permissions to the permission object on which it is called,
575// returning a new permission object.
576func (rw RWPermission) Grant(n RWPermission) (RWPermission, error) {
577 var out RWPermission
578 currentRead := types.NewUnsafeSet(rw.Read...)
579 for _, r := range n.Read {
580 if currentRead.Contains(r) {
581 return out, authErr(http.StatusConflict, "Granting duplicate read permission %s", r)
582 }
583 currentRead.Add(r)
584 }
585 currentWrite := types.NewUnsafeSet(rw.Write...)
586 for _, w := range n.Write {
587 if currentWrite.Contains(w) {
588 return out, authErr(http.StatusConflict, "Granting duplicate write permission %s", w)
589 }
590 currentWrite.Add(w)
591 }
592 out.Read = currentRead.Values()
593 out.Write = currentWrite.Values()
594 sort.Strings(out.Read)
595 sort.Strings(out.Write)
596 return out, nil
597}
598
599// Revoke removes a set of permissions to the permission object on which it is called,
600// returning a new permission object.
601func (rw RWPermission) Revoke(lg *zap.Logger, n RWPermission) (RWPermission, error) {
602 var out RWPermission
603 currentRead := types.NewUnsafeSet(rw.Read...)
604 for _, r := range n.Read {
605 if !currentRead.Contains(r) {
606 if lg != nil {
607 lg.Info(
608 "revoking ungranted read permission",
609 zap.String("read-permission", r),
610 )
611 } else {
612 plog.Noticef("revoking ungranted read permission %s", r)
613 }
614 continue
615 }
616 currentRead.Remove(r)
617 }
618 currentWrite := types.NewUnsafeSet(rw.Write...)
619 for _, w := range n.Write {
620 if !currentWrite.Contains(w) {
621 if lg != nil {
622 lg.Info(
623 "revoking ungranted write permission",
624 zap.String("write-permission", w),
625 )
626 } else {
627 plog.Noticef("revoking ungranted write permission %s", w)
628 }
629 continue
630 }
631 currentWrite.Remove(w)
632 }
633 out.Read = currentRead.Values()
634 out.Write = currentWrite.Values()
635 sort.Strings(out.Read)
636 sort.Strings(out.Write)
637 return out, nil
638}
639
640func (rw RWPermission) HasAccess(key string, write bool) bool {
641 var list []string
642 if write {
643 list = rw.Write
644 } else {
645 list = rw.Read
646 }
647 for _, pat := range list {
648 match, err := simpleMatch(pat, key)
649 if err == nil && match {
650 return true
651 }
652 }
653 return false
654}
655
656func (rw RWPermission) HasRecursiveAccess(key string, write bool) bool {
657 list := rw.Read
658 if write {
659 list = rw.Write
660 }
661 for _, pat := range list {
662 match, err := prefixMatch(pat, key)
663 if err == nil && match {
664 return true
665 }
666 }
667 return false
668}
669
670func simpleMatch(pattern string, key string) (match bool, err error) {
671 if pattern[len(pattern)-1] == '*' {
672 return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
673 }
674 return key == pattern, nil
675}
676
677func prefixMatch(pattern string, key string) (match bool, err error) {
678 if pattern[len(pattern)-1] != '*' {
679 return false, nil
680 }
681 return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
682}
683
684func attachRootRole(u User) User {
685 inRoles := false
686 for _, r := range u.Roles {
687 if r == RootRoleName {
688 inRoles = true
689 break
690 }
691 }
692 if !inRoles {
693 u.Roles = append(u.Roles, RootRoleName)
694 }
695 return u
696}
697
698func (s *store) getUser(name string, quorum bool) (User, error) {
699 resp, err := s.requestResource("/users/"+name, quorum)
700 if err != nil {
701 if e, ok := err.(*v2error.Error); ok {
702 if e.ErrorCode == v2error.EcodeKeyNotFound {
703 return User{}, authErr(http.StatusNotFound, "User %s does not exist.", name)
704 }
705 }
706 return User{}, err
707 }
708 var u User
709 err = json.Unmarshal([]byte(*resp.Event.Node.Value), &u)
710 if err != nil {
711 return u, err
712 }
713 // Attach root role to root user.
714 if u.User == "root" {
715 u = attachRootRole(u)
716 }
717 return u, nil
718}
719
720func (s *store) getRole(name string, quorum bool) (Role, error) {
721 if name == RootRoleName {
722 return rootRole, nil
723 }
724 resp, err := s.requestResource("/roles/"+name, quorum)
725 if err != nil {
726 if e, ok := err.(*v2error.Error); ok {
727 if e.ErrorCode == v2error.EcodeKeyNotFound {
728 return Role{}, authErr(http.StatusNotFound, "Role %s does not exist.", name)
729 }
730 }
731 return Role{}, err
732 }
733 var r Role
734 err = json.Unmarshal([]byte(*resp.Event.Node.Value), &r)
735 return r, err
736}