Skip to content

Commit

Permalink
Early exit auth check on lease puts
Browse files Browse the repository at this point in the history 
Mitigates etcd-io#15993 by not checking each key individually for permission
when auth is entirely disabled or admin user is calling the method.

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
  • Loading branch information
@tjungblu
tjungblu committed Jun 2, 2023
1 parent 004195b commit 014b17d
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions server/etcdserver/apply/apply_auth.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,11 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke
func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
l := aa.lessor.Lookup(leaseID)
if l != nil {
// early return for most-common scenario of either disabled auth or admin user
if aa.as.IsAdminPermitted(&aa.authInfo) == nil {
return nil
}

for _, key := range l.Keys() {
if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
return err
Expand Down

0 comments on commit 014b17d

Please sign in to comment.