1// Copyright 2015 The etcd Authors 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15// Package auth implements etcd authentication. 16package auth 17 18import ( 19 "encoding/json" 20 "fmt" 21 "net/http" 22 "path" 23 "reflect" 24 "sort" 25 "strings" 26 "time" 27 28 etcderr "github.com/coreos/etcd/error" 29 "github.com/coreos/etcd/etcdserver" 30 "github.com/coreos/etcd/etcdserver/etcdserverpb" 31 "github.com/coreos/etcd/pkg/types" 32 "github.com/coreos/pkg/capnslog" 33 "golang.org/x/crypto/bcrypt" 34 "golang.org/x/net/context" 35) 36 37const ( 38 // StorePermsPrefix is the internal prefix of the storage layer dedicated to storing user data. 39 StorePermsPrefix = "/2" 40 41 // RootRoleName is the name of the ROOT role, with privileges to manage the cluster. 42 RootRoleName = "root" 43 44 // GuestRoleName is the name of the role that defines the privileges of an unauthenticated user. 45 GuestRoleName = "guest" 46) 47 48var ( 49 plog = capnslog.NewPackageLogger("github.com/coreos/etcd", "etcdserver/auth") 50) 51 52var rootRole = Role{ 53 Role: RootRoleName, 54 Permissions: Permissions{ 55 KV: RWPermission{ 56 Read: []string{"/*"}, 57 Write: []string{"/*"}, 58 }, 59 }, 60} 61 62var guestRole = Role{ 63 Role: GuestRoleName, 64 Permissions: Permissions{ 65 KV: RWPermission{ 66 Read: []string{"/*"}, 67 Write: []string{"/*"}, 68 }, 69 }, 70} 71 72type doer interface { 73 Do(context.Context, etcdserverpb.Request) (etcdserver.Response, error) 74} 75 76type Store interface { 77 AllUsers() ([]string, error) 78 GetUser(name string) (User, error) 79 CreateOrUpdateUser(user User) (out User, created bool, err error) 80 CreateUser(user User) (User, error) 81 DeleteUser(name string) error 82 UpdateUser(user User) (User, error) 83 AllRoles() ([]string, error) 84 GetRole(name string) (Role, error) 85 CreateRole(role Role) error 86 DeleteRole(name string) error 87 UpdateRole(role Role) (Role, error) 88 AuthEnabled() bool 89 EnableAuth() error 90 DisableAuth() error 91 PasswordStore 92} 93 94type PasswordStore interface { 95 CheckPassword(user User, password string) bool 96 HashPassword(password string) (string, error) 97} 98 99type store struct { 100 server doer 101 timeout time.Duration 102 ensuredOnce bool 103 104 PasswordStore 105} 106 107type User struct { 108 User string `json:"user"` 109 Password string `json:"password,omitempty"` 110 Roles []string `json:"roles"` 111 Grant []string `json:"grant,omitempty"` 112 Revoke []string `json:"revoke,omitempty"` 113} 114 115type Role struct { 116 Role string `json:"role"` 117 Permissions Permissions `json:"permissions"` 118 Grant *Permissions `json:"grant,omitempty"` 119 Revoke *Permissions `json:"revoke,omitempty"` 120} 121 122type Permissions struct { 123 KV RWPermission `json:"kv"` 124} 125 126func (p *Permissions) IsEmpty() bool { 127 return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0) 128} 129 130type RWPermission struct { 131 Read []string `json:"read"` 132 Write []string `json:"write"` 133} 134 135type Error struct { 136 Status int 137 Errmsg string 138} 139 140func (ae Error) Error() string { return ae.Errmsg } 141func (ae Error) HTTPStatus() int { return ae.Status } 142 143func authErr(hs int, s string, v ...interface{}) Error { 144 return Error{Status: hs, Errmsg: fmt.Sprintf("auth: "+s, v...)} 145} 146 147func NewStore(server doer, timeout time.Duration) Store { 148 s := &store{ 149 server: server, 150 timeout: timeout, 151 PasswordStore: passwordStore{}, 152 } 153 return s 154} 155 156// passwordStore implements PasswordStore using bcrypt to hash user passwords 157type passwordStore struct{} 158 159func (_ passwordStore) CheckPassword(user User, password string) bool { 160 err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) 161 return err == nil 162} 163 164func (_ passwordStore) HashPassword(password string) (string, error) { 165 hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) 166 return string(hash), err 167} 168 169func (s *store) AllUsers() ([]string, error) { 170 resp, err := s.requestResource("/users/", false, false) 171 if err != nil { 172 if e, ok := err.(*etcderr.Error); ok { 173 if e.ErrorCode == etcderr.EcodeKeyNotFound { 174 return []string{}, nil 175 } 176 } 177 return nil, err 178 } 179 var nodes []string 180 for _, n := range resp.Event.Node.Nodes { 181 _, user := path.Split(n.Key) 182 nodes = append(nodes, user) 183 } 184 sort.Strings(nodes) 185 return nodes, nil 186} 187 188func (s *store) GetUser(name string) (User, error) { return s.getUser(name, false) } 189 190// CreateOrUpdateUser should be only used for creating the new user or when you are not 191// sure if it is a create or update. (When only password is passed in, we are not sure 192// if it is a update or create) 193func (s *store) CreateOrUpdateUser(user User) (out User, created bool, err error) { 194 _, err = s.getUser(user.User, true) 195 if err == nil { 196 out, err = s.UpdateUser(user) 197 return out, false, err 198 } 199 u, err := s.CreateUser(user) 200 return u, true, err 201} 202 203func (s *store) CreateUser(user User) (User, error) { 204 // Attach root role to root user. 205 if user.User == "root" { 206 user = attachRootRole(user) 207 } 208 u, err := s.createUserInternal(user) 209 if err == nil { 210 plog.Noticef("created user %s", user.User) 211 } 212 return u, err 213} 214 215func (s *store) createUserInternal(user User) (User, error) { 216 if user.Password == "" { 217 return user, authErr(http.StatusBadRequest, "Cannot create user %s with an empty password", user.User) 218 } 219 hash, err := s.HashPassword(user.Password) 220 if err != nil { 221 return user, err 222 } 223 user.Password = hash 224 225 _, err = s.createResource("/users/"+user.User, user) 226 if err != nil { 227 if e, ok := err.(*etcderr.Error); ok { 228 if e.ErrorCode == etcderr.EcodeNodeExist { 229 return user, authErr(http.StatusConflict, "User %s already exists.", user.User) 230 } 231 } 232 } 233 return user, err 234} 235 236func (s *store) DeleteUser(name string) error { 237 if s.AuthEnabled() && name == "root" { 238 return authErr(http.StatusForbidden, "Cannot delete root user while auth is enabled.") 239 } 240 _, err := s.deleteResource("/users/" + name) 241 if err != nil { 242 if e, ok := err.(*etcderr.Error); ok { 243 if e.ErrorCode == etcderr.EcodeKeyNotFound { 244 return authErr(http.StatusNotFound, "User %s does not exist", name) 245 } 246 } 247 return err 248 } 249 plog.Noticef("deleted user %s", name) 250 return nil 251} 252 253func (s *store) UpdateUser(user User) (User, error) { 254 old, err := s.getUser(user.User, true) 255 if err != nil { 256 if e, ok := err.(*etcderr.Error); ok { 257 if e.ErrorCode == etcderr.EcodeKeyNotFound { 258 return user, authErr(http.StatusNotFound, "User %s doesn't exist.", user.User) 259 } 260 } 261 return old, err 262 } 263 264 newUser, err := old.merge(user, s.PasswordStore) 265 if err != nil { 266 return old, err 267 } 268 if reflect.DeepEqual(old, newUser) { 269 return old, authErr(http.StatusBadRequest, "User not updated. Use grant/revoke/password to update the user.") 270 } 271 _, err = s.updateResource("/users/"+user.User, newUser) 272 if err == nil { 273 plog.Noticef("updated user %s", user.User) 274 } 275 return newUser, err 276} 277 278func (s *store) AllRoles() ([]string, error) { 279 nodes := []string{RootRoleName} 280 resp, err := s.requestResource("/roles/", false, false) 281 if err != nil { 282 if e, ok := err.(*etcderr.Error); ok { 283 if e.ErrorCode == etcderr.EcodeKeyNotFound { 284 return nodes, nil 285 } 286 } 287 return nil, err 288 } 289 for _, n := range resp.Event.Node.Nodes { 290 _, role := path.Split(n.Key) 291 nodes = append(nodes, role) 292 } 293 sort.Strings(nodes) 294 return nodes, nil 295} 296 297func (s *store) GetRole(name string) (Role, error) { return s.getRole(name, false) } 298 299func (s *store) CreateRole(role Role) error { 300 if role.Role == RootRoleName { 301 return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role) 302 } 303 _, err := s.createResource("/roles/"+role.Role, role) 304 if err != nil { 305 if e, ok := err.(*etcderr.Error); ok { 306 if e.ErrorCode == etcderr.EcodeNodeExist { 307 return authErr(http.StatusConflict, "Role %s already exists.", role.Role) 308 } 309 } 310 } 311 if err == nil { 312 plog.Noticef("created new role %s", role.Role) 313 } 314 return err 315} 316 317func (s *store) DeleteRole(name string) error { 318 if name == RootRoleName { 319 return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", name) 320 } 321 _, err := s.deleteResource("/roles/" + name) 322 if err != nil { 323 if e, ok := err.(*etcderr.Error); ok { 324 if e.ErrorCode == etcderr.EcodeKeyNotFound { 325 return authErr(http.StatusNotFound, "Role %s doesn't exist.", name) 326 } 327 } 328 } 329 if err == nil { 330 plog.Noticef("deleted role %s", name) 331 } 332 return err 333} 334 335func (s *store) UpdateRole(role Role) (Role, error) { 336 if role.Role == RootRoleName { 337 return Role{}, authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role) 338 } 339 old, err := s.getRole(role.Role, true) 340 if err != nil { 341 if e, ok := err.(*etcderr.Error); ok { 342 if e.ErrorCode == etcderr.EcodeKeyNotFound { 343 return role, authErr(http.StatusNotFound, "Role %s doesn't exist.", role.Role) 344 } 345 } 346 return old, err 347 } 348 newRole, err := old.merge(role) 349 if err != nil { 350 return old, err 351 } 352 if reflect.DeepEqual(old, newRole) { 353 return old, authErr(http.StatusBadRequest, "Role not updated. Use grant/revoke to update the role.") 354 } 355 _, err = s.updateResource("/roles/"+role.Role, newRole) 356 if err == nil { 357 plog.Noticef("updated role %s", role.Role) 358 } 359 return newRole, err 360} 361 362func (s *store) AuthEnabled() bool { 363 return s.detectAuth() 364} 365 366func (s *store) EnableAuth() error { 367 if s.AuthEnabled() { 368 return authErr(http.StatusConflict, "already enabled") 369 } 370 371 if _, err := s.getUser("root", true); err != nil { 372 return authErr(http.StatusConflict, "No root user available, please create one") 373 } 374 if _, err := s.getRole(GuestRoleName, true); err != nil { 375 plog.Printf("no guest role access found, creating default") 376 if err := s.CreateRole(guestRole); err != nil { 377 plog.Errorf("error creating guest role. aborting auth enable.") 378 return err 379 } 380 } 381 382 if err := s.enableAuth(); err != nil { 383 plog.Errorf("error enabling auth (%v)", err) 384 return err 385 } 386 387 plog.Noticef("auth: enabled auth") 388 return nil 389} 390 391func (s *store) DisableAuth() error { 392 if !s.AuthEnabled() { 393 return authErr(http.StatusConflict, "already disabled") 394 } 395 396 err := s.disableAuth() 397 if err == nil { 398 plog.Noticef("auth: disabled auth") 399 } else { 400 plog.Errorf("error disabling auth (%v)", err) 401 } 402 return err 403} 404 405// merge applies the properties of the passed-in User to the User on which it 406// is called and returns a new User with these modifications applied. Think of 407// all Users as immutable sets of data. Merge allows you to perform the set 408// operations (desired grants and revokes) atomically 409func (ou User) merge(nu User, s PasswordStore) (User, error) { 410 var out User 411 if ou.User != nu.User { 412 return out, authErr(http.StatusConflict, "Merging user data with conflicting usernames: %s %s", ou.User, nu.User) 413 } 414 out.User = ou.User 415 if nu.Password != "" { 416 hash, err := s.HashPassword(nu.Password) 417 if err != nil { 418 return ou, err 419 } 420 out.Password = hash 421 } else { 422 out.Password = ou.Password 423 } 424 currentRoles := types.NewUnsafeSet(ou.Roles...) 425 for _, g := range nu.Grant { 426 if currentRoles.Contains(g) { 427 plog.Noticef("granting duplicate role %s for user %s", g, nu.User) 428 return User{}, authErr(http.StatusConflict, fmt.Sprintf("Granting duplicate role %s for user %s", g, nu.User)) 429 } 430 currentRoles.Add(g) 431 } 432 for _, r := range nu.Revoke { 433 if !currentRoles.Contains(r) { 434 plog.Noticef("revoking ungranted role %s for user %s", r, nu.User) 435 return User{}, authErr(http.StatusConflict, fmt.Sprintf("Revoking ungranted role %s for user %s", r, nu.User)) 436 } 437 currentRoles.Remove(r) 438 } 439 out.Roles = currentRoles.Values() 440 sort.Strings(out.Roles) 441 return out, nil 442} 443 444// merge for a role works the same as User above -- atomic Role application to 445// each of the substructures. 446func (r Role) merge(n Role) (Role, error) { 447 var out Role 448 var err error 449 if r.Role != n.Role { 450 return out, authErr(http.StatusConflict, "Merging role with conflicting names: %s %s", r.Role, n.Role) 451 } 452 out.Role = r.Role 453 out.Permissions, err = r.Permissions.Grant(n.Grant) 454 if err != nil { 455 return out, err 456 } 457 out.Permissions, err = out.Permissions.Revoke(n.Revoke) 458 return out, err 459} 460 461func (r Role) HasKeyAccess(key string, write bool) bool { 462 if r.Role == RootRoleName { 463 return true 464 } 465 return r.Permissions.KV.HasAccess(key, write) 466} 467 468func (r Role) HasRecursiveAccess(key string, write bool) bool { 469 if r.Role == RootRoleName { 470 return true 471 } 472 return r.Permissions.KV.HasRecursiveAccess(key, write) 473} 474 475// Grant adds a set of permissions to the permission object on which it is called, 476// returning a new permission object. 477func (p Permissions) Grant(n *Permissions) (Permissions, error) { 478 var out Permissions 479 var err error 480 if n == nil { 481 return p, nil 482 } 483 out.KV, err = p.KV.Grant(n.KV) 484 return out, err 485} 486 487// Revoke removes a set of permissions to the permission object on which it is called, 488// returning a new permission object. 489func (p Permissions) Revoke(n *Permissions) (Permissions, error) { 490 var out Permissions 491 var err error 492 if n == nil { 493 return p, nil 494 } 495 out.KV, err = p.KV.Revoke(n.KV) 496 return out, err 497} 498 499// Grant adds a set of permissions to the permission object on which it is called, 500// returning a new permission object. 501func (rw RWPermission) Grant(n RWPermission) (RWPermission, error) { 502 var out RWPermission 503 currentRead := types.NewUnsafeSet(rw.Read...) 504 for _, r := range n.Read { 505 if currentRead.Contains(r) { 506 return out, authErr(http.StatusConflict, "Granting duplicate read permission %s", r) 507 } 508 currentRead.Add(r) 509 } 510 currentWrite := types.NewUnsafeSet(rw.Write...) 511 for _, w := range n.Write { 512 if currentWrite.Contains(w) { 513 return out, authErr(http.StatusConflict, "Granting duplicate write permission %s", w) 514 } 515 currentWrite.Add(w) 516 } 517 out.Read = currentRead.Values() 518 out.Write = currentWrite.Values() 519 sort.Strings(out.Read) 520 sort.Strings(out.Write) 521 return out, nil 522} 523 524// Revoke removes a set of permissions to the permission object on which it is called, 525// returning a new permission object. 526func (rw RWPermission) Revoke(n RWPermission) (RWPermission, error) { 527 var out RWPermission 528 currentRead := types.NewUnsafeSet(rw.Read...) 529 for _, r := range n.Read { 530 if !currentRead.Contains(r) { 531 plog.Noticef("revoking ungranted read permission %s", r) 532 continue 533 } 534 currentRead.Remove(r) 535 } 536 currentWrite := types.NewUnsafeSet(rw.Write...) 537 for _, w := range n.Write { 538 if !currentWrite.Contains(w) { 539 plog.Noticef("revoking ungranted write permission %s", w) 540 continue 541 } 542 currentWrite.Remove(w) 543 } 544 out.Read = currentRead.Values() 545 out.Write = currentWrite.Values() 546 sort.Strings(out.Read) 547 sort.Strings(out.Write) 548 return out, nil 549} 550 551func (rw RWPermission) HasAccess(key string, write bool) bool { 552 var list []string 553 if write { 554 list = rw.Write 555 } else { 556 list = rw.Read 557 } 558 for _, pat := range list { 559 match, err := simpleMatch(pat, key) 560 if err == nil && match { 561 return true 562 } 563 } 564 return false 565} 566 567func (rw RWPermission) HasRecursiveAccess(key string, write bool) bool { 568 list := rw.Read 569 if write { 570 list = rw.Write 571 } 572 for _, pat := range list { 573 match, err := prefixMatch(pat, key) 574 if err == nil && match { 575 return true 576 } 577 } 578 return false 579} 580 581func simpleMatch(pattern string, key string) (match bool, err error) { 582 if pattern[len(pattern)-1] == '*' { 583 return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil 584 } 585 return key == pattern, nil 586} 587 588func prefixMatch(pattern string, key string) (match bool, err error) { 589 if pattern[len(pattern)-1] != '*' { 590 return false, nil 591 } 592 return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil 593} 594 595func attachRootRole(u User) User { 596 inRoles := false 597 for _, r := range u.Roles { 598 if r == RootRoleName { 599 inRoles = true 600 break 601 } 602 } 603 if !inRoles { 604 u.Roles = append(u.Roles, RootRoleName) 605 } 606 return u 607} 608 609func (s *store) getUser(name string, quorum bool) (User, error) { 610 resp, err := s.requestResource("/users/"+name, false, quorum) 611 if err != nil { 612 if e, ok := err.(*etcderr.Error); ok { 613 if e.ErrorCode == etcderr.EcodeKeyNotFound { 614 return User{}, authErr(http.StatusNotFound, "User %s does not exist.", name) 615 } 616 } 617 return User{}, err 618 } 619 var u User 620 err = json.Unmarshal([]byte(*resp.Event.Node.Value), &u) 621 if err != nil { 622 return u, err 623 } 624 // Attach root role to root user. 625 if u.User == "root" { 626 u = attachRootRole(u) 627 } 628 return u, nil 629} 630 631func (s *store) getRole(name string, quorum bool) (Role, error) { 632 if name == RootRoleName { 633 return rootRole, nil 634 } 635 resp, err := s.requestResource("/roles/"+name, false, quorum) 636 if err != nil { 637 if e, ok := err.(*etcderr.Error); ok { 638 if e.ErrorCode == etcderr.EcodeKeyNotFound { 639 return Role{}, authErr(http.StatusNotFound, "Role %s does not exist.", name) 640 } 641 } 642 return Role{}, err 643 } 644 var r Role 645 err = json.Unmarshal([]byte(*resp.Event.Node.Value), &r) 646 return r, err 647} 648