Skip to content

Commit

Permalink
Early exit auth check on lease puts
Browse files Browse the repository at this point in the history
Mitigates etcd-io#15993 by not checking each key individually for permission
when auth is entirely disabled or admin user is calling the method.

Backport of etcd-io#16005

Signed-off-by: Thomas Jungblut <[email protected]>
  • Loading branch information
tjungblu authored and wenjiaswe committed Jul 7, 2023
1 parent 6ccd8e9 commit e3f9738
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions etcdserver/apply_auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,12 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke
func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
lease := aa.lessor.Lookup(leaseID)
if lease != nil {
// early return for most-common scenario of either disabled auth or admin user.
// IsAdminPermitted also checks whether auth is enabled
if err := aa.as.IsAdminPermitted(&aa.authInfo); err == nil {
return nil
}

for _, key := range lease.Keys() {
if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
return err
Expand Down

0 comments on commit e3f9738

Please sign in to comment.