Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server/auth: disallow creating empty permission ranges #15294

Merged
merged 1 commit into from
Apr 3, 2023
Merged

server/auth: disallow creating empty permission ranges #15294

merged 1 commit into from
Apr 3, 2023
+309 −2

Conversation

mitake
Copy link
Contributor

@mitake mitake commented Feb 13, 2023
edited
Loading

Current RoleGrantPermission allows to create permission for ranges like (a, a) or (b, a). These are treated as empty ranges so not harmful. But they are quite confusing and etcd should disallow it.

cc @ahrtr @serathius @spzala @ptabor

@mitake
Copy link
Contributor Author

mitake commented Feb 13, 2023

Sorry for missing the issue. As a retrospective, I'm considering to improve the interval tree library for denying inputs like begin >= end in NewInterval() functions e.g. NewBytesAffineInterval . I also think updating other functions like Insert() might be possible. But they will update signature types for having a new error. I'd like to have other people's opinions.

@mitake mitake marked this pull request as draft February 13, 2023 15:08
@mitake mitake marked this pull request as ready for review February 13, 2023 22:47
@mitake
Copy link
Contributor Author

mitake commented Feb 26, 2023

Thanks for checking @ahrtr , I updated this PR based on your comments. Could you take a look?

ahrtr
ahrtr approved these changes Feb 26, 2023
View reviewed changes
Copy link
Member

@ahrtr ahrtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a couple of minor comments.

Thanks @mitake

server/auth/range_perm_cache_test.go Show resolved Hide resolved
server/auth/range_perm_cache.go Outdated Show resolved Hide resolved
@mitake @ahrtr
server/auth: disallow creating empty permission ranges
65eeb7f 
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
Co-authored-by: Benjamin Wang <wachao@vmware.com>
@mitake
Copy link
Contributor Author

mitake commented Feb 27, 2023

@ahrtr Resolved the latest comments, thanks for reviewing!

@ahrtr
Copy link
Member

ahrtr commented Feb 27, 2023

cc @ptabor @serathius @spzala the PR has more than 300 lines of code change, but actually it's just a minor change. It has only around 30 lines of production code change, all others are unit test cases. PTAL.

@mitake
Copy link
Contributor Author

mitake commented Mar 5, 2023

@ptabor @serathius @spzala it’s great if you can cross check

@serathius serathius mentioned this pull request Mar 30, 2023
Closed
spzala
spzala approved these changes Apr 2, 2023
View reviewed changes
Copy link
Member

@spzala spzala left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @mitake @ahrtr

@mitake mitake merged commit 4da39e4 into etcd-io:main Apr 3, 2023
@mitake mitake deleted the range-check branch April 3, 2023 00:03
serathius
serathius reviewed Apr 3, 2023
View reviewed changes
server/auth/range_perm_cache.go
@@ -155,3 +157,51 @@ type unifiedRangePermissions struct {
readPerms adt.IntervalTree
writePerms adt.IntervalTree
}

// Constraints related to key range
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does same rules apply for making a range request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the same rules are used by range, watch and delete.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could they use the same function to validate the range?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's possible. It seems that etcdctl doesn't perform this kind of check for now e.g. etcdctl get k2 k1 or etcdctl del k2 k1. They perform nothing so are not harmful but printing errors might be friendly. If you think it's valuable I'll open PRs for it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm more worried about consistency, feel free to create an issue with the suggestion.

This was referenced Apr 3, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serathius serathius serathius left review comments

@ahrtr ahrtr ahrtr approved these changes

@spzala spzala spzala approved these changes

Assignees
No one assigned
Labels
backport/v3.4 backport/v3.5
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mitake @ahrtr @serathius @spzala