Skip to content

Commit

Permalink
*: Rename security to auth
Browse files Browse the repository at this point in the history
  • Loading branch information
barakmich committed Jun 15, 2015
1 parent e20b487 commit 64ec8af
Show file tree
Hide file tree
Showing 14 changed files with 234 additions and 234 deletions.
54 changes: 27 additions & 27 deletions Documentation/security_api.md → Documentation/auth_api.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ There are three types of resources in etcd
#### Users
A user is an identity to be authenticated. Each user can have multiple roles. The user has a capability (such as reading or writing) on the resource if one of the roles has that capability.

A user named `root` is required before security can be enabled, and it always has the ROOT role. The ROOT role can be granted to multiple users, but `root` is required for recovery purposes.
A user named `root` is required before authentication can be enabled, and it always has the ROOT role. The ROOT role can be granted to multiple users, but `root` is required for recovery purposes.

#### Roles
Each role has exact one associated Permission List. An permission list exists for each permission on key-value resources.
Expand All @@ -35,15 +35,15 @@ A permission on `/foo` is for that exact key or directory, not its children or r

### Settings Resources

Specific settings for the cluster as a whole. This can include adding and removing cluster members, enabling or disabling security, replacing certificates, and any other dynamic configuration by the administrator (holder of the ROOT role).
Specific settings for the cluster as a whole. This can include adding and removing cluster members, enabling or disabling authentication, replacing certificates, and any other dynamic configuration by the administrator (holder of the ROOT role).

## v2 Auth

### Basic Auth
We only support [Basic Auth](http://en.wikipedia.org/wiki/Basic_access_authentication) for the first version. Client needs to attach the basic auth to the HTTP Authorization Header.

### Authorization field for operations
Added to requests to /v2/keys, /v2/security
Added to requests to /v2/keys, /v2/auth
Add code 403 Forbidden to the set of responses from the v2 API
Authorization: Basic {encoded string}

Expand Down Expand Up @@ -86,7 +86,7 @@ Password is only passed when necessary. Last Modified is set by the server and i

**Get a list of users**

GET/HEAD /v2/security/user
GET/HEAD /v2/auth/user

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand All @@ -102,7 +102,7 @@ GET/HEAD /v2/security/user

**Get User Details**

GET/HEAD /v2/security/users/alice
GET/HEAD /v2/auth/users/alice

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand All @@ -122,7 +122,7 @@ GET/HEAD /v2/security/users/alice

A user can be created with initial roles, if filled in. However, no roles are required; only the username and password fields

PUT /v2/security/users/charlie
PUT /v2/auth/users/charlie

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand All @@ -138,7 +138,7 @@ PUT /v2/security/users/charlie

**Remove A User**

DELETE /v2/security/users/charlie
DELETE /v2/auth/users/charlie

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand Down Expand Up @@ -169,7 +169,7 @@ A full role structure may look like this. A Permission List structure is used fo

**Get a list of Roles**

GET/HEAD /v2/security/roles
GET/HEAD /v2/auth/roles

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand All @@ -186,7 +186,7 @@ GET/HEAD /v2/security/roles

**Get Role Details**

GET/HEAD /v2/security/roles/fleet
GET/HEAD /v2/auth/roles/fleet

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand All @@ -210,7 +210,7 @@ GET/HEAD /v2/security/roles/fleet

**Create Or Update A Role**

PUT /v2/security/roles/rocket
PUT /v2/auth/roles/rocket

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand All @@ -228,7 +228,7 @@ PUT /v2/security/roles/rocket

**Remove A Role**

DELETE /v2/security/roles/rocket
DELETE /v2/auth/roles/rocket

Sent Headers:
Authorization: Basic <BasicAuthString>
Expand All @@ -240,11 +240,11 @@ DELETE /v2/security/roles/rocket
200 Body: (empty)


#### Enable and Disable Security
#### Enable and Disable Authentication
**Get security status**
**Get auth status**

GET /v2/security/enable
GET /v2/auth/enable

Sent Headers:
Possible Status Codes:
Expand All @@ -255,9 +255,9 @@ GET /v2/security/enable
}


**Enable security**
**Enable auth**

PUT /v2/security/enable
PUT /v2/auth/enable

Sent Headers:
Put Body: (empty)
Expand All @@ -266,9 +266,9 @@ PUT /v2/security/enable
400 Bad Request (if not a root user)
200 Body: (empty)

**Disable security**
**Disable auth**

DELETE /v2/security/enable
DELETE /v2/auth/enable

Sent Headers:
Authorization: Basic <RootAuthString>
Expand All @@ -282,10 +282,10 @@ DELETE /v2/security/enable

Let's walk through an example to show two tenants (applications, in our case) using etcd permissions.

### Enable security
### Enable auth

```
PUT /v2/security/enable
PUT /v2/auth/enable
Headers:
Put Body:
{"user" : "root", "password": "root"}
Expand All @@ -295,7 +295,7 @@ PUT /v2/security/enable
### Change root's password

```
PUT /v2/security/users/root
PUT /v2/auth/users/root
Headers:
Authorization: Basic <root:root>
Put Body:
Expand All @@ -307,7 +307,7 @@ PUT /v2/security/users/root
Create the rocket role fully specified:

```
PUT /v2/security/roles/rocket
PUT /v2/auth/roles/rocket
Headers:
Authorization: Basic <root:betterRootPW!>
Body:
Expand All @@ -329,7 +329,7 @@ PUT /v2/security/roles/rocket
But let's make fleet just a basic role for now:

```
PUT /v2/security/roles/fleet
PUT /v2/auth/roles/fleet
Headers:
Authorization: Basic <root:betterRootPW!>
Body:
Expand All @@ -345,7 +345,7 @@ Well, we finally figured out where we want fleet to live. Let's fix it.


```
PUT /v2/security/roles/fleet
PUT /v2/auth/roles/fleet
Headers:
Authorization: Basic <root:betterRootPW!>
Put Body:
Expand All @@ -367,15 +367,15 @@ PUT /v2/security/roles/fleet
Same as before, let's use rocket all at once and fleet separately

```
PUT /v2/security/users/rocketuser
PUT /v2/auth/users/rocketuser
Headers:
Authorization: Basic <root:betterRootPW!>
Body:
{"user" : "rocketuser", "password" : "rocketpw", "roles" : ["rocket"]}
```

```
PUT /v2/security/users/fleetuser
PUT /v2/auth/users/fleetuser
Headers:
Authorization: Basic <root:betterRootPW!>
Body:
Expand All @@ -387,7 +387,7 @@ PUT /v2/security/users/fleetuser
Likewise, let's explicitly grant fleetuser access.

```
PUT /v2/security/users/fleetuser
PUT /v2/auth/users/fleetuser
Headers:
Authorization: Basic <root:betterRootPW!>
Body:
Expand Down
54 changes: 27 additions & 27 deletions client/security_role.go → client/auth_role.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,15 +47,15 @@ const (
ReadWritePermission
)

// NewSecurityRoleAPI constructs a new SecurityRoleAPI that uses HTTP to
// NewAuthRoleAPI constructs a new AuthRoleAPI that uses HTTP to
// interact with etcd's role creation and modification features.
func NewSecurityRoleAPI(c Client) SecurityRoleAPI {
return &httpSecurityRoleAPI{
func NewAuthRoleAPI(c Client) AuthRoleAPI {
return &httpAuthRoleAPI{
client: c,
}
}

type SecurityRoleAPI interface {
type AuthRoleAPI interface {
// Add a role.
AddRole(ctx context.Context, role string) error

Expand All @@ -75,27 +75,27 @@ type SecurityRoleAPI interface {
ListRoles(ctx context.Context) ([]string, error)
}

type httpSecurityRoleAPI struct {
type httpAuthRoleAPI struct {
client httpClient
}

type securityRoleAPIAction struct {
type authRoleAPIAction struct {
verb string
name string
role *Role
}

type securityRoleAPIList struct{}
type authRoleAPIList struct{}

func (list *securityRoleAPIList) HTTPRequest(ep url.URL) *http.Request {
u := v2SecurityURL(ep, "roles", "")
func (list *authRoleAPIList) HTTPRequest(ep url.URL) *http.Request {
u := v2AuthURL(ep, "roles", "")
req, _ := http.NewRequest("GET", u.String(), nil)
req.Header.Set("Content-Type", "application/json")
return req
}

func (l *securityRoleAPIAction) HTTPRequest(ep url.URL) *http.Request {
u := v2SecurityURL(ep, "roles", l.name)
func (l *authRoleAPIAction) HTTPRequest(ep url.URL) *http.Request {
u := v2AuthURL(ep, "roles", l.name)
if l.role == nil {
req, _ := http.NewRequest(l.verb, u.String(), nil)
return req
Expand All @@ -110,8 +110,8 @@ func (l *securityRoleAPIAction) HTTPRequest(ep url.URL) *http.Request {
return req
}

func (r *httpSecurityRoleAPI) ListRoles(ctx context.Context) ([]string, error) {
resp, body, err := r.client.Do(ctx, &securityRoleAPIList{})
func (r *httpAuthRoleAPI) ListRoles(ctx context.Context) ([]string, error) {
resp, body, err := r.client.Do(ctx, &authRoleAPIList{})
if err != nil {
return nil, err
}
Expand All @@ -128,31 +128,31 @@ func (r *httpSecurityRoleAPI) ListRoles(ctx context.Context) ([]string, error) {
return userList.Roles, nil
}

func (r *httpSecurityRoleAPI) AddRole(ctx context.Context, rolename string) error {
func (r *httpAuthRoleAPI) AddRole(ctx context.Context, rolename string) error {
role := &Role{
Role: rolename,
}
return r.addRemoveRole(ctx, &securityRoleAPIAction{
return r.addRemoveRole(ctx, &authRoleAPIAction{
verb: "PUT",
name: rolename,
role: role,
})
}

func (r *httpSecurityRoleAPI) RemoveRole(ctx context.Context, rolename string) error {
return r.addRemoveRole(ctx, &securityRoleAPIAction{
func (r *httpAuthRoleAPI) RemoveRole(ctx context.Context, rolename string) error {
return r.addRemoveRole(ctx, &authRoleAPIAction{
verb: "DELETE",
name: rolename,
})
}

func (r *httpSecurityRoleAPI) addRemoveRole(ctx context.Context, req *securityRoleAPIAction) error {
func (r *httpAuthRoleAPI) addRemoveRole(ctx context.Context, req *authRoleAPIAction) error {
resp, body, err := r.client.Do(ctx, req)
if err != nil {
return err
}
if err := assertStatusCode(resp.StatusCode, http.StatusOK, http.StatusCreated); err != nil {
var sec securityError
var sec authError
err := json.Unmarshal(body, &sec)
if err != nil {
return err
Expand All @@ -162,8 +162,8 @@ func (r *httpSecurityRoleAPI) addRemoveRole(ctx context.Context, req *securityRo
return nil
}

func (r *httpSecurityRoleAPI) GetRole(ctx context.Context, rolename string) (*Role, error) {
return r.modRole(ctx, &securityRoleAPIAction{
func (r *httpAuthRoleAPI) GetRole(ctx context.Context, rolename string) (*Role, error) {
return r.modRole(ctx, &authRoleAPIAction{
verb: "GET",
name: rolename,
})
Expand All @@ -183,43 +183,43 @@ func buildRWPermission(prefixes []string, permType PermissionType) rwPermission
return out
}

func (r *httpSecurityRoleAPI) GrantRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) {
func (r *httpAuthRoleAPI) GrantRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) {
rwp := buildRWPermission(prefixes, permType)
role := &Role{
Role: rolename,
Grant: &Permissions{
KV: rwp,
},
}
return r.modRole(ctx, &securityRoleAPIAction{
return r.modRole(ctx, &authRoleAPIAction{
verb: "PUT",
name: rolename,
role: role,
})
}

func (r *httpSecurityRoleAPI) RevokeRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) {
func (r *httpAuthRoleAPI) RevokeRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) {
rwp := buildRWPermission(prefixes, permType)
role := &Role{
Role: rolename,
Revoke: &Permissions{
KV: rwp,
},
}
return r.modRole(ctx, &securityRoleAPIAction{
return r.modRole(ctx, &authRoleAPIAction{
verb: "PUT",
name: rolename,
role: role,
})
}

func (r *httpSecurityRoleAPI) modRole(ctx context.Context, req *securityRoleAPIAction) (*Role, error) {
func (r *httpAuthRoleAPI) modRole(ctx context.Context, req *authRoleAPIAction) (*Role, error) {
resp, body, err := r.client.Do(ctx, req)
if err != nil {
return nil, err
}
if err := assertStatusCode(resp.StatusCode, http.StatusOK); err != nil {
var sec securityError
var sec authError
err := json.Unmarshal(body, &sec)
if err != nil {
return nil, err
Expand Down
Loading

0 comments on commit 64ec8af

Please sign in to comment.