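// Copyright 2016 The etcd Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package clientv3_test

import (
	"context"
	"fmt"
	"log"

	"go.etcd.io/etcd/client/v3"
)

// mockAuth prints the two lines that ExampleAuth lists in its "Output:"
// comment. It is passed to forUnitTestsRunInMockedContext alongside the real
// example body; presumably it stands in for that body when no etcd cluster is
// available (the helper is defined elsewhere, so confirm there).
func mockAuth() {
	fmt.Println(`etcdserver: permission denied`)
	fmt.Println(`user u permission: key "foo", range end "zoo"`)
}

// ExampleAuth walks through etcd's role-based access control: it creates the
// root user and role, defines role "r" with read/write access to the key range
// from "foo" up to "zoo", binds user "u" to that role, enables authentication,
// and then issues one request inside the granted range and one outside it.
//
// The user names and the password "123" are example placeholders. Real
// credentials should be strong and should not be embedded in source.
//
// NOTE(review): none of the Configs below carry TLS settings; whether the
// endpoints use TLS depends on exampleEndpoints, which is defined elsewhere.
// Outside a local test cluster, password authentication should run over TLS.
func ExampleAuth() {
	forUnitTestsRunInMockedContext(
		mockAuth,
		func() {
			// Unauthenticated client: authentication is not enabled yet, so
			// this connection may create users and roles.
			cli, err := clientv3.New(clientv3.Config{
				Endpoints:   exampleEndpoints(),
				DialTimeout: dialTimeout,
			})
			if err != nil {
				log.Fatal(err)
			}
			defer cli.Close()

			// etcd refuses to enable authentication unless a "root" user
			// holding the "root" role already exists, so create both first.
			if _, err = cli.RoleAdd(context.TODO(), "root"); err != nil {
				log.Fatal(err)
			}
			if _, err = cli.UserAdd(context.TODO(), "root", "123"); err != nil {
				log.Fatal(err)
			}
			if _, err = cli.UserGrantRole(context.TODO(), "root", "root"); err != nil {
				log.Fatal(err)
			}

			// Least-privilege role: "r" may read and write only keys in the
			// half-open range ["foo", "zoo"); the range end is exclusive.
			if _, err = cli.RoleAdd(context.TODO(), "r"); err != nil {
				log.Fatal(err)
			}

			if _, err = cli.RoleGrantPermission(
				context.TODO(),
				"r",   // role name
				"foo", // key
				"zoo", // range end
				clientv3.PermissionType(clientv3.PermReadWrite),
			); err != nil {
				log.Fatal(err)
			}
			if _, err = cli.UserAdd(context.TODO(), "u", "123"); err != nil {
				log.Fatal(err)
			}
			if _, err = cli.UserGrantRole(context.TODO(), "u", "r"); err != nil {
				log.Fatal(err)
			}

			// From here on, a log.Fatal exits the process without running the
			// deferred Close calls or the AuthDisable at the end, so a failure
			// below would leave authentication enabled on the cluster in use.
			if _, err = cli.AuthEnable(context.TODO()); err != nil {
				log.Fatal(err)
			}

			// Reconnect as the restricted user "u".
			cliAuth, err := clientv3.New(clientv3.Config{
				Endpoints:   exampleEndpoints(),
				DialTimeout: dialTimeout,
				Username:    "u",
				Password:    "123",
			})
			if err != nil {
				log.Fatal(err)
			}
			defer cliAuth.Close()

			// "foo1" sorts inside ["foo", "zoo"), so role "r" permits this write.
			if _, err = cliAuth.Put(context.TODO(), "foo1", "bar"); err != nil {
				log.Fatal(err)
			}

			// "zoo1" sorts after "zoo", outside the granted range. The error is
			// printed rather than treated as fatal because the denial is the
			// point of the example (first line of the expected output).
			_, err = cliAuth.Txn(context.TODO()).
				If(clientv3.Compare(clientv3.Value("zoo1"), ">", "abc")).
				Then(clientv3.OpPut("zoo1", "XYZ")).
				Else(clientv3.OpPut("zoo1", "ABC")).
				Commit()
			fmt.Println(err)

			// now check the permission with the root account
			rootCli, err := clientv3.New(clientv3.Config{
				Endpoints:   exampleEndpoints(),
				DialTimeout: dialTimeout,
				Username:    "root",
				Password:    "123",
			})
			if err != nil {
				log.Fatal(err)
			}
			defer rootCli.Close()

			resp, err := rootCli.RoleGet(context.TODO(), "r")
			if err != nil {
				log.Fatal(err)
			}
			// Guard the index below: an empty permission list would otherwise
			// panic instead of reporting what went wrong.
			if len(resp.Perm) == 0 {
				log.Fatal(`role "r" has no permissions`)
			}
			fmt.Printf("user u permission: key %q, range end %q\n", resp.Perm[0].Key, resp.Perm[0].RangeEnd)

			// Turn authentication back off so the cluster is left as it was
			// found; only the root user is used for this call.
			if _, err = rootCli.AuthDisable(context.TODO()); err != nil {
				log.Fatal(err)
			}
		})
	// Output: etcdserver: permission denied
	// user u permission: key "foo", range end "zoo"
}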