Early exit auth check on lease puts

Mitigates etcd-io#15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method. Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu · Jun 6, 2023 · dfbe203 · dfbe203
1 parent 004195b
commit dfbe203
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/server/etcdserver/apply/apply_auth.go b/server/etcdserver/apply/apply_auth.go
@@ -125,6 +125,12 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke
 func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
 	l := aa.lessor.Lookup(leaseID)
 	if l != nil {
+		// early return for most-common scenario of either disabled auth or admin user.
+		// IsAdminPermitted also checks whether auth is enabled
+		if err := aa.as.IsAdminPermitted(&aa.authInfo); err == nil {
+			return nil
+		}
+
 		for _, key := range l.Keys() {
 			if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
 				return err