Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

etcdctl role grant-permission --from-key '' is not effect #8494

Closed
zyf0330 opened this issue Sep 5, 2017 · 2 comments · Fixed by #8514
Closed

etcdctl role grant-permission --from-key '' is not effect #8494

zyf0330 opened this issue Sep 5, 2017 · 2 comments · Fixed by #8514
Assignees
@mitake
Labels
type/bug

Comments

@zyf0330
Copy link

zyf0330 commented Sep 5, 2017

etcdctl role grant-permission view --from-key read '' cause etcdctl role get view shows

Role view
KV Read:
	[, <open ended> (prefix )
KV Write:

But then I use etcdctl --user view get '' --from-key it alerts Error: etcdserver: permission denied
So is it a bug, or I do something wrong for granting permission to read all keys?
@heyitsanthony
Copy link
Contributor

Reproduced on master:

#!/bin/bash

export ETCDCTL_API=3
bin/etcdctl put abc def
bin/etcdctl role add view
bin/etcdctl user add root:root
bin/etcdctl user add view:view
bin/etcdctl role grant-permission --from-key view read ''
bin/etcdctl role get view
bin/etcdctl user grant-role view view
bin/etcdctl user get --detail view
bin/etcdctl auth enable
bin/etcdctl --user=root:root get --from-key ''
bin/etcdctl --user=view:view get --from-key ''

@mitake
Copy link
Contributor

mitake commented Sep 6, 2017

@zyf0330 thanks for reporting, I'll work on it.

@mitake mitake self-assigned this Sep 6, 2017
mitake added a commit to mitake/etcd that referenced this issue Sep 7, 2017
@mitake
etcdctl: handle empty key permission correctly
e249984 
Current `etcdctl role grant-permission` doesn't handle an empty key
("") correctly. Because the range permissions are treated as
BytesAffineInterval internally, just specifying the empty key as a
beginning of range introduces an invalid permission which doesn't work
and betray users' intuition. This commit fix the way of handling empty
key as a prefix or from key in permission granting.

Fix etcd-io#8494
@mitake mitake mentioned this issue Sep 7, 2017
Merged
mitake added a commit to mitake/etcd that referenced this issue Sep 11, 2017
@mitake
etcdctl: handle empty key permission correctly
2734843 
Current `etcdctl role grant-permission` doesn't handle an empty key
("") correctly. Because the range permissions are treated as
BytesAffineInterval internally, just specifying the empty key as a
beginning of range introduces an invalid permission which doesn't work
and betray users' intuition. This commit fix the way of handling empty
key as a prefix or from key in permission granting.

Fix etcd-io#8494
mitake added a commit to mitake/etcd that referenced this issue Sep 13, 2017
@mitake
etcdctl: handle empty key permission correctly
1ae6f16 
Current `etcdctl role grant-permission` doesn't handle an empty key
("") correctly. Because the range permissions are treated as
BytesAffineInterval internally, just specifying the empty key as a
beginning of range introduces an invalid permission which doesn't work
and betray users' intuition. This commit fix the way of handling empty
key as a prefix or from key in permission granting.

Fix etcd-io#8494
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mitake mitake

Labels
type/bug
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

etcdctl: handle empty key permission correctly mitake/etcd
3 participants
@mitake @zyf0330 @heyitsanthony