From e3f973858922274f81573f06b983715647d88dfc Mon Sep 17 00:00:00 2001
From: Thomas Jungblut
Date: Tue, 6 Jun 2023 11:45:28 +0200
Subject: [PATCH] Early exit auth check on lease puts

Mitigates #15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method.
Backport of #16005
Signed-off-by: Thomas Jungblut
---
 etcdserver/apply_auth.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/etcdserver/apply_auth.go b/etcdserver/apply_auth.go
index 269af4758cd4..f5da854f297a 100644
--- a/etcdserver/apply_auth.go
+++ b/etcdserver/apply_auth.go
@@ -178,6 +178,12 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke
 func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
 lease := aa.lessor.Lookup(leaseID)
 if lease != nil {
+ // early return for most-common scenario of either disabled auth or admin user.
+ // IsAdminPermitted also checks whether auth is enabled
+ if err := aa.as.IsAdminPermitted(&aa.authInfo); err == nil {
+ return nil
+ }
+
 for _, key := range lease.Keys() {
 if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
 return err
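Review bot: The early return in checkLeasePuts makes IsAdminPermitted the only check an admin caller passes through, so anything IsPutPermitted validates besides key permission (for instance a stale auth revision on aa.authInfo, if it checks one) no longer applies on this path. Neither function body is visible in the hunk, so that equivalence should be confirmed and ideally pinned with a test covering auth disabled, admin, and non-admin callers. Discarding the error is fail-closed, because any non-nil result falls through to the per-key loop, and the comment could say so: `// any error, not only permission denied, falls through to the per-key checks below`. Non-admin callers with auth enabled still pay one IsPutPermitted call per attached key, so the cost this commit mitigates remains for them. checkLeasePuts continues past the end of the hunk.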