From 64ec8af91be7462aa3c4b6d33a23a0c878e27a1d Mon Sep 17 00:00:00 2001 From: Barak Michener Date: Mon, 15 Jun 2015 18:15:51 -0400 Subject: [PATCH] *: Rename `security` to `auth` --- .../{security_api.md => auth_api.md} | 54 ++++----- client/{security_role.go => auth_role.go} | 54 ++++----- client/{security_user.go => auth_user.go} | 106 +++++++++--------- ...{security_commands.go => auth_commands.go} | 34 +++--- etcdctl/command/role_commands.go | 10 +- etcdctl/command/user_commands.go | 10 +- etcdctl/main.go | 2 +- .../{security/security.go => auth/auth.go} | 76 ++++++------- .../auth_requests.go} | 18 +-- .../security_test.go => auth/auth_test.go} | 2 +- etcdserver/etcdhttp/capability.go | 4 +- etcdserver/etcdhttp/client.go | 14 +-- .../{client_security.go => client_auth.go} | 80 ++++++------- etcdserver/etcdhttp/http.go | 4 +- 14 files changed, 234 insertions(+), 234 deletions(-) rename Documentation/{security_api.md => auth_api.md} (89%) rename client/{security_role.go => auth_role.go} (71%) rename client/{security_user.go => auth_user.go} (60%) rename etcdctl/command/{security_commands.go => auth_commands.go} (69%) rename etcdserver/{security/security.go => auth/auth.go} (86%) rename etcdserver/{security/security_requests.go => auth/auth_requests.go} (90%) rename etcdserver/{security/security_test.go => auth/auth_test.go} (99%) rename etcdserver/etcdhttp/{client_security.go => client_auth.go} (73%) diff --git a/Documentation/security_api.md b/Documentation/auth_api.md similarity index 89% rename from Documentation/security_api.md rename to Documentation/auth_api.md index ccb63ac8449..a2e5f4b5a71 100644 --- a/Documentation/security_api.md +++ b/Documentation/auth_api.md @@ -12,7 +12,7 @@ There are three types of resources in etcd #### Users A user is an identity to be authenticated. Each user can have multiple roles. The user has a capability (such as reading or writing) on the resource if one of the roles has that capability. -A user named `root` is required before security can be enabled, and it always has the ROOT role. The ROOT role can be granted to multiple users, but `root` is required for recovery purposes. +A user named `root` is required before authentication can be enabled, and it always has the ROOT role. The ROOT role can be granted to multiple users, but `root` is required for recovery purposes. #### Roles Each role has exact one associated Permission List. An permission list exists for each permission on key-value resources. @@ -35,7 +35,7 @@ A permission on `/foo` is for that exact key or directory, not its children or r ### Settings Resources -Specific settings for the cluster as a whole. This can include adding and removing cluster members, enabling or disabling security, replacing certificates, and any other dynamic configuration by the administrator (holder of the ROOT role). +Specific settings for the cluster as a whole. This can include adding and removing cluster members, enabling or disabling authentication, replacing certificates, and any other dynamic configuration by the administrator (holder of the ROOT role). ## v2 Auth @@ -43,7 +43,7 @@ Specific settings for the cluster as a whole. This can include adding and removi We only support [Basic Auth](http://en.wikipedia.org/wiki/Basic_access_authentication) for the first version. Client needs to attach the basic auth to the HTTP Authorization Header. ### Authorization field for operations -Added to requests to /v2/keys, /v2/security +Added to requests to /v2/keys, /v2/auth Add code 403 Forbidden to the set of responses from the v2 API Authorization: Basic {encoded string} @@ -86,7 +86,7 @@ Password is only passed when necessary. Last Modified is set by the server and i **Get a list of users** -GET/HEAD /v2/security/user +GET/HEAD /v2/auth/user Sent Headers: Authorization: Basic @@ -102,7 +102,7 @@ GET/HEAD /v2/security/user **Get User Details** -GET/HEAD /v2/security/users/alice +GET/HEAD /v2/auth/users/alice Sent Headers: Authorization: Basic @@ -122,7 +122,7 @@ GET/HEAD /v2/security/users/alice A user can be created with initial roles, if filled in. However, no roles are required; only the username and password fields -PUT /v2/security/users/charlie +PUT /v2/auth/users/charlie Sent Headers: Authorization: Basic @@ -138,7 +138,7 @@ PUT /v2/security/users/charlie **Remove A User** -DELETE /v2/security/users/charlie +DELETE /v2/auth/users/charlie Sent Headers: Authorization: Basic @@ -169,7 +169,7 @@ A full role structure may look like this. A Permission List structure is used fo **Get a list of Roles** -GET/HEAD /v2/security/roles +GET/HEAD /v2/auth/roles Sent Headers: Authorization: Basic @@ -186,7 +186,7 @@ GET/HEAD /v2/security/roles **Get Role Details** -GET/HEAD /v2/security/roles/fleet +GET/HEAD /v2/auth/roles/fleet Sent Headers: Authorization: Basic @@ -210,7 +210,7 @@ GET/HEAD /v2/security/roles/fleet **Create Or Update A Role** -PUT /v2/security/roles/rocket +PUT /v2/auth/roles/rocket Sent Headers: Authorization: Basic @@ -228,7 +228,7 @@ PUT /v2/security/roles/rocket **Remove A Role** -DELETE /v2/security/roles/rocket +DELETE /v2/auth/roles/rocket Sent Headers: Authorization: Basic @@ -240,11 +240,11 @@ DELETE /v2/security/roles/rocket 200 Body: (empty) -#### Enable and Disable Security +#### Enable and Disable Authentication -**Get security status** +**Get auth status** -GET /v2/security/enable +GET /v2/auth/enable Sent Headers: Possible Status Codes: @@ -255,9 +255,9 @@ GET /v2/security/enable } -**Enable security** +**Enable auth** -PUT /v2/security/enable +PUT /v2/auth/enable Sent Headers: Put Body: (empty) @@ -266,9 +266,9 @@ PUT /v2/security/enable 400 Bad Request (if not a root user) 200 Body: (empty) -**Disable security** +**Disable auth** -DELETE /v2/security/enable +DELETE /v2/auth/enable Sent Headers: Authorization: Basic @@ -282,10 +282,10 @@ DELETE /v2/security/enable Let's walk through an example to show two tenants (applications, in our case) using etcd permissions. -### Enable security +### Enable auth ``` -PUT /v2/security/enable +PUT /v2/auth/enable Headers: Put Body: {"user" : "root", "password": "root"} @@ -295,7 +295,7 @@ PUT /v2/security/enable ### Change root's password ``` -PUT /v2/security/users/root +PUT /v2/auth/users/root Headers: Authorization: Basic Put Body: @@ -307,7 +307,7 @@ PUT /v2/security/users/root Create the rocket role fully specified: ``` -PUT /v2/security/roles/rocket +PUT /v2/auth/roles/rocket Headers: Authorization: Basic Body: @@ -329,7 +329,7 @@ PUT /v2/security/roles/rocket But let's make fleet just a basic role for now: ``` -PUT /v2/security/roles/fleet +PUT /v2/auth/roles/fleet Headers: Authorization: Basic Body: @@ -345,7 +345,7 @@ Well, we finally figured out where we want fleet to live. Let's fix it. ``` -PUT /v2/security/roles/fleet +PUT /v2/auth/roles/fleet Headers: Authorization: Basic Put Body: @@ -367,7 +367,7 @@ PUT /v2/security/roles/fleet Same as before, let's use rocket all at once and fleet separately ``` -PUT /v2/security/users/rocketuser +PUT /v2/auth/users/rocketuser Headers: Authorization: Basic Body: @@ -375,7 +375,7 @@ PUT /v2/security/users/rocketuser ``` ``` -PUT /v2/security/users/fleetuser +PUT /v2/auth/users/fleetuser Headers: Authorization: Basic Body: @@ -387,7 +387,7 @@ PUT /v2/security/users/fleetuser Likewise, let's explicitly grant fleetuser access. ``` -PUT /v2/security/users/fleetuser +PUT /v2/auth/users/fleetuser Headers: Authorization: Basic Body: diff --git a/client/security_role.go b/client/auth_role.go similarity index 71% rename from client/security_role.go rename to client/auth_role.go index b0c4a52d6ff..e771db7f453 100644 --- a/client/security_role.go +++ b/client/auth_role.go @@ -47,15 +47,15 @@ const ( ReadWritePermission ) -// NewSecurityRoleAPI constructs a new SecurityRoleAPI that uses HTTP to +// NewAuthRoleAPI constructs a new AuthRoleAPI that uses HTTP to // interact with etcd's role creation and modification features. -func NewSecurityRoleAPI(c Client) SecurityRoleAPI { - return &httpSecurityRoleAPI{ +func NewAuthRoleAPI(c Client) AuthRoleAPI { + return &httpAuthRoleAPI{ client: c, } } -type SecurityRoleAPI interface { +type AuthRoleAPI interface { // Add a role. AddRole(ctx context.Context, role string) error @@ -75,27 +75,27 @@ type SecurityRoleAPI interface { ListRoles(ctx context.Context) ([]string, error) } -type httpSecurityRoleAPI struct { +type httpAuthRoleAPI struct { client httpClient } -type securityRoleAPIAction struct { +type authRoleAPIAction struct { verb string name string role *Role } -type securityRoleAPIList struct{} +type authRoleAPIList struct{} -func (list *securityRoleAPIList) HTTPRequest(ep url.URL) *http.Request { - u := v2SecurityURL(ep, "roles", "") +func (list *authRoleAPIList) HTTPRequest(ep url.URL) *http.Request { + u := v2AuthURL(ep, "roles", "") req, _ := http.NewRequest("GET", u.String(), nil) req.Header.Set("Content-Type", "application/json") return req } -func (l *securityRoleAPIAction) HTTPRequest(ep url.URL) *http.Request { - u := v2SecurityURL(ep, "roles", l.name) +func (l *authRoleAPIAction) HTTPRequest(ep url.URL) *http.Request { + u := v2AuthURL(ep, "roles", l.name) if l.role == nil { req, _ := http.NewRequest(l.verb, u.String(), nil) return req @@ -110,8 +110,8 @@ func (l *securityRoleAPIAction) HTTPRequest(ep url.URL) *http.Request { return req } -func (r *httpSecurityRoleAPI) ListRoles(ctx context.Context) ([]string, error) { - resp, body, err := r.client.Do(ctx, &securityRoleAPIList{}) +func (r *httpAuthRoleAPI) ListRoles(ctx context.Context) ([]string, error) { + resp, body, err := r.client.Do(ctx, &authRoleAPIList{}) if err != nil { return nil, err } @@ -128,31 +128,31 @@ func (r *httpSecurityRoleAPI) ListRoles(ctx context.Context) ([]string, error) { return userList.Roles, nil } -func (r *httpSecurityRoleAPI) AddRole(ctx context.Context, rolename string) error { +func (r *httpAuthRoleAPI) AddRole(ctx context.Context, rolename string) error { role := &Role{ Role: rolename, } - return r.addRemoveRole(ctx, &securityRoleAPIAction{ + return r.addRemoveRole(ctx, &authRoleAPIAction{ verb: "PUT", name: rolename, role: role, }) } -func (r *httpSecurityRoleAPI) RemoveRole(ctx context.Context, rolename string) error { - return r.addRemoveRole(ctx, &securityRoleAPIAction{ +func (r *httpAuthRoleAPI) RemoveRole(ctx context.Context, rolename string) error { + return r.addRemoveRole(ctx, &authRoleAPIAction{ verb: "DELETE", name: rolename, }) } -func (r *httpSecurityRoleAPI) addRemoveRole(ctx context.Context, req *securityRoleAPIAction) error { +func (r *httpAuthRoleAPI) addRemoveRole(ctx context.Context, req *authRoleAPIAction) error { resp, body, err := r.client.Do(ctx, req) if err != nil { return err } if err := assertStatusCode(resp.StatusCode, http.StatusOK, http.StatusCreated); err != nil { - var sec securityError + var sec authError err := json.Unmarshal(body, &sec) if err != nil { return err @@ -162,8 +162,8 @@ func (r *httpSecurityRoleAPI) addRemoveRole(ctx context.Context, req *securityRo return nil } -func (r *httpSecurityRoleAPI) GetRole(ctx context.Context, rolename string) (*Role, error) { - return r.modRole(ctx, &securityRoleAPIAction{ +func (r *httpAuthRoleAPI) GetRole(ctx context.Context, rolename string) (*Role, error) { + return r.modRole(ctx, &authRoleAPIAction{ verb: "GET", name: rolename, }) @@ -183,7 +183,7 @@ func buildRWPermission(prefixes []string, permType PermissionType) rwPermission return out } -func (r *httpSecurityRoleAPI) GrantRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) { +func (r *httpAuthRoleAPI) GrantRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) { rwp := buildRWPermission(prefixes, permType) role := &Role{ Role: rolename, @@ -191,14 +191,14 @@ func (r *httpSecurityRoleAPI) GrantRoleKV(ctx context.Context, rolename string, KV: rwp, }, } - return r.modRole(ctx, &securityRoleAPIAction{ + return r.modRole(ctx, &authRoleAPIAction{ verb: "PUT", name: rolename, role: role, }) } -func (r *httpSecurityRoleAPI) RevokeRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) { +func (r *httpAuthRoleAPI) RevokeRoleKV(ctx context.Context, rolename string, prefixes []string, permType PermissionType) (*Role, error) { rwp := buildRWPermission(prefixes, permType) role := &Role{ Role: rolename, @@ -206,20 +206,20 @@ func (r *httpSecurityRoleAPI) RevokeRoleKV(ctx context.Context, rolename string, KV: rwp, }, } - return r.modRole(ctx, &securityRoleAPIAction{ + return r.modRole(ctx, &authRoleAPIAction{ verb: "PUT", name: rolename, role: role, }) } -func (r *httpSecurityRoleAPI) modRole(ctx context.Context, req *securityRoleAPIAction) (*Role, error) { +func (r *httpAuthRoleAPI) modRole(ctx context.Context, req *authRoleAPIAction) (*Role, error) { resp, body, err := r.client.Do(ctx, req) if err != nil { return nil, err } if err := assertStatusCode(resp.StatusCode, http.StatusOK); err != nil { - var sec securityError + var sec authError err := json.Unmarshal(body, &sec) if err != nil { return nil, err diff --git a/client/security_user.go b/client/auth_user.go similarity index 60% rename from client/security_user.go rename to client/auth_user.go index 07a648bf95d..9df1f294d18 100644 --- a/client/security_user.go +++ b/client/auth_user.go @@ -25,7 +25,7 @@ import ( ) var ( - defaultV2SecurityPrefix = "/v2/security" + defaultV2AuthPrefix = "/v2/auth" ) type User struct { @@ -36,50 +36,50 @@ type User struct { Revoke []string `json:"revoke,omitempty"` } -func v2SecurityURL(ep url.URL, action string, name string) *url.URL { +func v2AuthURL(ep url.URL, action string, name string) *url.URL { if name != "" { - ep.Path = path.Join(ep.Path, defaultV2SecurityPrefix, action, name) + ep.Path = path.Join(ep.Path, defaultV2AuthPrefix, action, name) return &ep } - ep.Path = path.Join(ep.Path, defaultV2SecurityPrefix, action) + ep.Path = path.Join(ep.Path, defaultV2AuthPrefix, action) return &ep } -// NewSecurityAPI constructs a new SecurityAPI that uses HTTP to -// interact with etcd's general security features. -func NewSecurityAPI(c Client) SecurityAPI { - return &httpSecurityAPI{ +// NewAuthAPI constructs a new AuthAPI that uses HTTP to +// interact with etcd's general auth features. +func NewAuthAPI(c Client) AuthAPI { + return &httpAuthAPI{ client: c, } } -type SecurityAPI interface { - // Enable security. +type AuthAPI interface { + // Enable auth. Enable(ctx context.Context) error - // Disable security. + // Disable auth. Disable(ctx context.Context) error } -type httpSecurityAPI struct { +type httpAuthAPI struct { client httpClient } -func (s *httpSecurityAPI) Enable(ctx context.Context) error { - return s.enableDisable(ctx, &securityAPIAction{"PUT"}) +func (s *httpAuthAPI) Enable(ctx context.Context) error { + return s.enableDisable(ctx, &authAPIAction{"PUT"}) } -func (s *httpSecurityAPI) Disable(ctx context.Context) error { - return s.enableDisable(ctx, &securityAPIAction{"DELETE"}) +func (s *httpAuthAPI) Disable(ctx context.Context) error { + return s.enableDisable(ctx, &authAPIAction{"DELETE"}) } -func (s *httpSecurityAPI) enableDisable(ctx context.Context, req httpAction) error { +func (s *httpAuthAPI) enableDisable(ctx context.Context, req httpAction) error { resp, body, err := s.client.Do(ctx, req) if err != nil { return err } if err := assertStatusCode(resp.StatusCode, http.StatusOK, http.StatusCreated); err != nil { - var sec securityError + var sec authError err := json.Unmarshal(body, &sec) if err != nil { return err @@ -89,34 +89,34 @@ func (s *httpSecurityAPI) enableDisable(ctx context.Context, req httpAction) err return nil } -type securityAPIAction struct { +type authAPIAction struct { verb string } -func (l *securityAPIAction) HTTPRequest(ep url.URL) *http.Request { - u := v2SecurityURL(ep, "enable", "") +func (l *authAPIAction) HTTPRequest(ep url.URL) *http.Request { + u := v2AuthURL(ep, "enable", "") req, _ := http.NewRequest(l.verb, u.String(), nil) return req } -type securityError struct { +type authError struct { Message string `json:"message"` Code int `json:"-"` } -func (e securityError) Error() string { +func (e authError) Error() string { return e.Message } -// NewSecurityUserAPI constructs a new SecurityUserAPI that uses HTTP to +// NewAuthUserAPI constructs a new AuthUserAPI that uses HTTP to // interact with etcd's user creation and modification features. -func NewSecurityUserAPI(c Client) SecurityUserAPI { - return &httpSecurityUserAPI{ +func NewAuthUserAPI(c Client) AuthUserAPI { + return &httpAuthUserAPI{ client: c, } } -type SecurityUserAPI interface { +type AuthUserAPI interface { // Add a user. AddUser(ctx context.Context, username string, password string) error @@ -139,27 +139,27 @@ type SecurityUserAPI interface { ListUsers(ctx context.Context) ([]string, error) } -type httpSecurityUserAPI struct { +type httpAuthUserAPI struct { client httpClient } -type securityUserAPIAction struct { +type authUserAPIAction struct { verb string username string user *User } -type securityUserAPIList struct{} +type authUserAPIList struct{} -func (list *securityUserAPIList) HTTPRequest(ep url.URL) *http.Request { - u := v2SecurityURL(ep, "users", "") +func (list *authUserAPIList) HTTPRequest(ep url.URL) *http.Request { + u := v2AuthURL(ep, "users", "") req, _ := http.NewRequest("GET", u.String(), nil) req.Header.Set("Content-Type", "application/json") return req } -func (l *securityUserAPIAction) HTTPRequest(ep url.URL) *http.Request { - u := v2SecurityURL(ep, "users", l.username) +func (l *authUserAPIAction) HTTPRequest(ep url.URL) *http.Request { + u := v2AuthURL(ep, "users", l.username) if l.user == nil { req, _ := http.NewRequest(l.verb, u.String(), nil) return req @@ -174,13 +174,13 @@ func (l *securityUserAPIAction) HTTPRequest(ep url.URL) *http.Request { return req } -func (u *httpSecurityUserAPI) ListUsers(ctx context.Context) ([]string, error) { - resp, body, err := u.client.Do(ctx, &securityUserAPIList{}) +func (u *httpAuthUserAPI) ListUsers(ctx context.Context) ([]string, error) { + resp, body, err := u.client.Do(ctx, &authUserAPIList{}) if err != nil { return nil, err } if err := assertStatusCode(resp.StatusCode, http.StatusOK); err != nil { - var sec securityError + var sec authError err := json.Unmarshal(body, &sec) if err != nil { return nil, err @@ -197,32 +197,32 @@ func (u *httpSecurityUserAPI) ListUsers(ctx context.Context) ([]string, error) { return userList.Users, nil } -func (u *httpSecurityUserAPI) AddUser(ctx context.Context, username string, password string) error { +func (u *httpAuthUserAPI) AddUser(ctx context.Context, username string, password string) error { user := &User{ User: username, Password: password, } - return u.addRemoveUser(ctx, &securityUserAPIAction{ + return u.addRemoveUser(ctx, &authUserAPIAction{ verb: "PUT", username: username, user: user, }) } -func (u *httpSecurityUserAPI) RemoveUser(ctx context.Context, username string) error { - return u.addRemoveUser(ctx, &securityUserAPIAction{ +func (u *httpAuthUserAPI) RemoveUser(ctx context.Context, username string) error { + return u.addRemoveUser(ctx, &authUserAPIAction{ verb: "DELETE", username: username, }) } -func (u *httpSecurityUserAPI) addRemoveUser(ctx context.Context, req *securityUserAPIAction) error { +func (u *httpAuthUserAPI) addRemoveUser(ctx context.Context, req *authUserAPIAction) error { resp, body, err := u.client.Do(ctx, req) if err != nil { return err } if err := assertStatusCode(resp.StatusCode, http.StatusOK, http.StatusCreated); err != nil { - var sec securityError + var sec authError err := json.Unmarshal(body, &sec) if err != nil { return err @@ -232,56 +232,56 @@ func (u *httpSecurityUserAPI) addRemoveUser(ctx context.Context, req *securityUs return nil } -func (u *httpSecurityUserAPI) GetUser(ctx context.Context, username string) (*User, error) { - return u.modUser(ctx, &securityUserAPIAction{ +func (u *httpAuthUserAPI) GetUser(ctx context.Context, username string) (*User, error) { + return u.modUser(ctx, &authUserAPIAction{ verb: "GET", username: username, }) } -func (u *httpSecurityUserAPI) GrantUser(ctx context.Context, username string, roles []string) (*User, error) { +func (u *httpAuthUserAPI) GrantUser(ctx context.Context, username string, roles []string) (*User, error) { user := &User{ User: username, Grant: roles, } - return u.modUser(ctx, &securityUserAPIAction{ + return u.modUser(ctx, &authUserAPIAction{ verb: "PUT", username: username, user: user, }) } -func (u *httpSecurityUserAPI) RevokeUser(ctx context.Context, username string, roles []string) (*User, error) { +func (u *httpAuthUserAPI) RevokeUser(ctx context.Context, username string, roles []string) (*User, error) { user := &User{ User: username, Revoke: roles, } - return u.modUser(ctx, &securityUserAPIAction{ + return u.modUser(ctx, &authUserAPIAction{ verb: "PUT", username: username, user: user, }) } -func (u *httpSecurityUserAPI) ChangePassword(ctx context.Context, username string, password string) (*User, error) { +func (u *httpAuthUserAPI) ChangePassword(ctx context.Context, username string, password string) (*User, error) { user := &User{ User: username, Password: password, } - return u.modUser(ctx, &securityUserAPIAction{ + return u.modUser(ctx, &authUserAPIAction{ verb: "PUT", username: username, user: user, }) } -func (u *httpSecurityUserAPI) modUser(ctx context.Context, req *securityUserAPIAction) (*User, error) { +func (u *httpAuthUserAPI) modUser(ctx context.Context, req *authUserAPIAction) (*User, error) { resp, body, err := u.client.Do(ctx, req) if err != nil { return nil, err } if err := assertStatusCode(resp.StatusCode, http.StatusOK); err != nil { - var sec securityError + var sec authError err := json.Unmarshal(body, &sec) if err != nil { return nil, err diff --git a/etcdctl/command/security_commands.go b/etcdctl/command/auth_commands.go similarity index 69% rename from etcdctl/command/security_commands.go rename to etcdctl/command/auth_commands.go index 7d8c27b2162..8b72fc937cd 100644 --- a/etcdctl/command/security_commands.go +++ b/etcdctl/command/auth_commands.go @@ -24,49 +24,49 @@ import ( "github.com/coreos/etcd/client" ) -func NewSecurityCommands() cli.Command { +func NewAuthCommands() cli.Command { return cli.Command{ - Name: "security", - Usage: "overall security controls", + Name: "auth", + Usage: "overall auth controls", Subcommands: []cli.Command{ cli.Command{ Name: "enable", - Usage: "enable security access controls", - Action: actionSecurityEnable, + Usage: "enable auth access controls", + Action: actionAuthEnable, }, cli.Command{ Name: "disable", - Usage: "disable security access controls", - Action: actionSecurityDisable, + Usage: "disable auth access controls", + Action: actionAuthDisable, }, }, } } -func actionSecurityEnable(c *cli.Context) { - securityEnableDisable(c, true) +func actionAuthEnable(c *cli.Context) { + authEnableDisable(c, true) } -func actionSecurityDisable(c *cli.Context) { - securityEnableDisable(c, false) +func actionAuthDisable(c *cli.Context) { + authEnableDisable(c, false) } -func mustNewSecurityAPI(c *cli.Context) client.SecurityAPI { +func mustNewAuthAPI(c *cli.Context) client.AuthAPI { hc := mustNewClient(c) if c.GlobalBool("debug") { fmt.Fprintf(os.Stderr, "Cluster-Endpoints: %s\n", strings.Join(hc.Endpoints(), ", ")) } - return client.NewSecurityAPI(hc) + return client.NewAuthAPI(hc) } -func securityEnableDisable(c *cli.Context, enable bool) { +func authEnableDisable(c *cli.Context, enable bool) { if len(c.Args()) != 0 { fmt.Fprintln(os.Stderr, "No arguments accepted") os.Exit(1) } - s := mustNewSecurityAPI(c) + s := mustNewAuthAPI(c) ctx, cancel := context.WithTimeout(context.Background(), client.DefaultRequestTimeout) var err error if enable { @@ -80,8 +80,8 @@ func securityEnableDisable(c *cli.Context, enable bool) { os.Exit(1) } if enable { - fmt.Println("Security Enabled") + fmt.Println("Authentication Enabled") } else { - fmt.Println("Security Disabled") + fmt.Println("Authentication Disabled") } } diff --git a/etcdctl/command/role_commands.go b/etcdctl/command/role_commands.go index d0fd7d7a960..bbd90864e20 100644 --- a/etcdctl/command/role_commands.go +++ b/etcdctl/command/role_commands.go @@ -76,14 +76,14 @@ func NewRoleCommands() cli.Command { } } -func mustNewSecurityRoleAPI(c *cli.Context) client.SecurityRoleAPI { +func mustNewAuthRoleAPI(c *cli.Context) client.AuthRoleAPI { hc := mustNewClient(c) if c.GlobalBool("debug") { fmt.Fprintf(os.Stderr, "Cluster-Endpoints: %s\n", strings.Join(hc.Endpoints(), ", ")) } - return client.NewSecurityRoleAPI(hc) + return client.NewAuthRoleAPI(hc) } func actionRoleList(c *cli.Context) { @@ -91,7 +91,7 @@ func actionRoleList(c *cli.Context) { fmt.Fprintln(os.Stderr, "No arguments accepted") os.Exit(1) } - r := mustNewSecurityRoleAPI(c) + r := mustNewAuthRoleAPI(c) ctx, cancel := context.WithTimeout(context.Background(), client.DefaultRequestTimeout) roles, err := r.ListRoles(ctx) cancel() @@ -228,7 +228,7 @@ func actionRoleGet(c *cli.Context) { } } -func mustRoleAPIAndName(c *cli.Context) (client.SecurityRoleAPI, string) { +func mustRoleAPIAndName(c *cli.Context) (client.AuthRoleAPI, string) { args := c.Args() if len(args) != 1 { fmt.Fprintln(os.Stderr, "Please provide a role name") @@ -236,6 +236,6 @@ func mustRoleAPIAndName(c *cli.Context) (client.SecurityRoleAPI, string) { } name := args[0] - api := mustNewSecurityRoleAPI(c) + api := mustNewAuthRoleAPI(c) return api, name } diff --git a/etcdctl/command/user_commands.go b/etcdctl/command/user_commands.go index f57d0671e14..ace215f8c09 100644 --- a/etcdctl/command/user_commands.go +++ b/etcdctl/command/user_commands.go @@ -73,14 +73,14 @@ func NewUserCommands() cli.Command { } } -func mustNewSecurityUserAPI(c *cli.Context) client.SecurityUserAPI { +func mustNewAuthUserAPI(c *cli.Context) client.AuthUserAPI { hc := mustNewClient(c) if c.GlobalBool("debug") { fmt.Fprintf(os.Stderr, "Cluster-Endpoints: %s\n", strings.Join(hc.Endpoints(), ", ")) } - return client.NewSecurityUserAPI(hc) + return client.NewAuthUserAPI(hc) } func actionUserList(c *cli.Context) { @@ -88,7 +88,7 @@ func actionUserList(c *cli.Context) { fmt.Fprintln(os.Stderr, "No arguments accepted") os.Exit(1) } - u := mustNewSecurityUserAPI(c) + u := mustNewAuthUserAPI(c) ctx, cancel := context.WithTimeout(context.Background(), client.DefaultRequestTimeout) users, err := u.ListUsers(ctx) cancel() @@ -229,14 +229,14 @@ func actionUserGet(c *cli.Context) { } -func mustUserAPIAndName(c *cli.Context) (client.SecurityUserAPI, string) { +func mustUserAPIAndName(c *cli.Context) (client.AuthUserAPI, string) { args := c.Args() if len(args) != 1 { fmt.Fprintln(os.Stderr, "Please provide a username") os.Exit(1) } - api := mustNewSecurityUserAPI(c) + api := mustNewAuthUserAPI(c) username := args[0] return api, username } diff --git a/etcdctl/main.go b/etcdctl/main.go index 293c9d4907a..73149406266 100644 --- a/etcdctl/main.go +++ b/etcdctl/main.go @@ -56,7 +56,7 @@ func main() { command.NewImportSnapCommand(), command.NewUserCommands(), command.NewRoleCommands(), - command.NewSecurityCommands(), + command.NewAuthCommands(), } app.Run(os.Args) diff --git a/etcdserver/security/security.go b/etcdserver/auth/auth.go similarity index 86% rename from etcdserver/security/security.go rename to etcdserver/auth/auth.go index bc3cf39eae3..8a861f38fb5 100644 --- a/etcdserver/security/security.go +++ b/etcdserver/auth/auth.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package security +package auth import ( "encoding/json" @@ -44,7 +44,7 @@ const ( ) var ( - plog = capnslog.NewPackageLogger("github.com/coreos/etcd/etcdserver", "security") + plog = capnslog.NewPackageLogger("github.com/coreos/etcd/etcdserver", "auth") ) var rootRole = Role{ @@ -108,11 +108,11 @@ type Error struct { func (se Error) Error() string { return se.errmsg } func mergeErr(s string, v ...interface{}) Error { - return Error{fmt.Sprintf("security: "+s, v...)} + return Error{fmt.Sprintf("auth: "+s, v...)} } -func securityErr(s string, v ...interface{}) Error { - return Error{fmt.Sprintf("security: "+s, v...)} +func authErr(s string, v ...interface{}) Error { + return Error{fmt.Sprintf("auth: "+s, v...)} } func NewStore(server doer, timeout time.Duration) *Store { @@ -147,7 +147,7 @@ func (s *Store) GetUser(name string) (User, error) { if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeKeyNotFound { - return User{}, securityErr("User %s does not exist.", name) + return User{}, authErr("User %s does not exist.", name) } } return User{}, err @@ -197,7 +197,7 @@ func (s *Store) CreateUser(user User) (User, error) { func (s *Store) createUserInternal(user User) (User, error) { if user.Password == "" { - return user, securityErr("Cannot create user %s with an empty password", user.User) + return user, authErr("Cannot create user %s with an empty password", user.User) } hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), bcrypt.DefaultCost) if err != nil { @@ -209,7 +209,7 @@ func (s *Store) createUserInternal(user User) (User, error) { if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeNodeExist { - return user, securityErr("User %s already exists.", user.User) + return user, authErr("User %s already exists.", user.User) } } } @@ -217,14 +217,14 @@ func (s *Store) createUserInternal(user User) (User, error) { } func (s *Store) DeleteUser(name string) error { - if s.SecurityEnabled() && name == "root" { - return securityErr("Cannot delete root user while security is enabled.") + if s.AuthEnabled() && name == "root" { + return authErr("Cannot delete root user while auth is enabled.") } _, err := s.deleteResource("/users/" + name) if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeKeyNotFound { - return securityErr("User %s does not exist", name) + return authErr("User %s does not exist", name) } } return err @@ -238,7 +238,7 @@ func (s *Store) UpdateUser(user User) (User, error) { if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeKeyNotFound { - return user, securityErr("User %s doesn't exist.", user.User) + return user, authErr("User %s doesn't exist.", user.User) } } return old, err @@ -249,9 +249,9 @@ func (s *Store) UpdateUser(user User) (User, error) { } if reflect.DeepEqual(old, newUser) { if user.Revoke != nil || user.Grant != nil { - return old, securityErr("User not updated. Grant/Revoke lists didn't match any current roles.") + return old, authErr("User not updated. Grant/Revoke lists didn't match any current roles.") } - return old, securityErr("User not updated. Use Grant/Revoke/Password to update the user.") + return old, authErr("User not updated. Use Grant/Revoke/Password to update the user.") } _, err = s.updateResource("/users/"+user.User, newUser) if err == nil { @@ -287,7 +287,7 @@ func (s *Store) GetRole(name string) (Role, error) { if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeKeyNotFound { - return Role{}, securityErr("Role %s does not exist.", name) + return Role{}, authErr("Role %s does not exist.", name) } } return Role{}, err @@ -313,13 +313,13 @@ func (s *Store) CreateOrUpdateRole(r Role) (role Role, created bool, err error) func (s *Store) CreateRole(role Role) error { if role.Role == RootRoleName { - return securityErr("Cannot modify role %s: is root role.", role.Role) + return authErr("Cannot modify role %s: is root role.", role.Role) } _, err := s.createResource("/roles/"+role.Role, role) if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeNodeExist { - return securityErr("Role %s already exists.", role.Role) + return authErr("Role %s already exists.", role.Role) } } } @@ -331,13 +331,13 @@ func (s *Store) CreateRole(role Role) error { func (s *Store) DeleteRole(name string) error { if name == RootRoleName { - return securityErr("Cannot modify role %s: is superuser role.", name) + return authErr("Cannot modify role %s: is superuser role.", name) } _, err := s.deleteResource("/roles/" + name) if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeKeyNotFound { - return securityErr("Role %s doesn't exist.", name) + return authErr("Role %s doesn't exist.", name) } } } @@ -352,7 +352,7 @@ func (s *Store) UpdateRole(role Role) (Role, error) { if err != nil { if e, ok := err.(*etcderr.Error); ok { if e.ErrorCode == etcderr.EcodeKeyNotFound { - return role, securityErr("Role %s doesn't exist.", role.Role) + return role, authErr("Role %s doesn't exist.", role.Role) } } return old, err @@ -363,9 +363,9 @@ func (s *Store) UpdateRole(role Role) (Role, error) { } if reflect.DeepEqual(old, newRole) { if role.Revoke != nil || role.Grant != nil { - return old, securityErr("Role not updated. Grant/Revoke lists didn't match any current permissions.") + return old, authErr("Role not updated. Grant/Revoke lists didn't match any current permissions.") } - return old, securityErr("Role not updated. Use Grant/Revoke to update the role.") + return old, authErr("Role not updated. Use Grant/Revoke to update the role.") } _, err = s.updateResource("/roles/"+role.Role, newRole) if err == nil { @@ -374,45 +374,45 @@ func (s *Store) UpdateRole(role Role) (Role, error) { return newRole, err } -func (s *Store) SecurityEnabled() bool { - return s.detectSecurity() +func (s *Store) AuthEnabled() bool { + return s.detectAuth() } -func (s *Store) EnableSecurity() error { - if s.SecurityEnabled() { - return securityErr("already enabled") +func (s *Store) EnableAuth() error { + if s.AuthEnabled() { + return authErr("already enabled") } _, err := s.GetUser("root") if err != nil { - return securityErr("No root user available, please create one") + return authErr("No root user available, please create one") } _, err = s.GetRole(GuestRoleName) if err != nil { plog.Printf("no guest role access found, creating default") err := s.CreateRole(guestRole) if err != nil { - plog.Errorf("error creating guest role. aborting security enable.") + plog.Errorf("error creating guest role. aborting auth enable.") return err } } - err = s.enableSecurity() + err = s.enableAuth() if err == nil { - plog.Noticef("security: enabled security") + plog.Noticef("auth: enabled auth") } else { - plog.Errorf("error enabling security (%v)", err) + plog.Errorf("error enabling auth (%v)", err) } return err } -func (s *Store) DisableSecurity() error { - if !s.SecurityEnabled() { - return securityErr("already disabled") +func (s *Store) DisableAuth() error { + if !s.AuthEnabled() { + return authErr("already disabled") } - err := s.disableSecurity() + err := s.disableAuth() if err == nil { - plog.Noticef("security: disabled security") + plog.Noticef("auth: disabled auth") } else { - plog.Errorf("error disabling security (%v)", err) + plog.Errorf("error disabling auth (%v)", err) } return err } diff --git a/etcdserver/security/security_requests.go b/etcdserver/auth/auth_requests.go similarity index 90% rename from etcdserver/security/security_requests.go rename to etcdserver/auth/auth_requests.go index 6ad627ec0f2..d51c57db8ce 100644 --- a/etcdserver/security/security_requests.go +++ b/etcdserver/auth/auth_requests.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package security +package auth import ( "encoding/json" @@ -24,7 +24,7 @@ import ( "github.com/coreos/etcd/etcdserver/etcdserverpb" ) -func (s *Store) ensureSecurityDirectories() error { +func (s *Store) ensureAuthDirectories() error { if s.ensuredOnce { return nil } @@ -45,7 +45,7 @@ func (s *Store) ensureSecurityDirectories() error { continue } } - plog.Errorf("failed to create security directories in the store (%v)", err) + plog.Errorf("failed to create auth directories in the store (%v)", err) return err } } @@ -72,16 +72,16 @@ func (s *Store) ensureSecurityDirectories() error { return nil } -func (s *Store) enableSecurity() error { +func (s *Store) enableAuth() error { _, err := s.updateResource("/enabled", true) return err } -func (s *Store) disableSecurity() error { +func (s *Store) disableAuth() error { _, err := s.updateResource("/enabled", false) return err } -func (s *Store) detectSecurity() bool { +func (s *Store) detectAuth() bool { if s.server == nil { return false } @@ -92,7 +92,7 @@ func (s *Store) detectSecurity() bool { return false } } - plog.Errorf("failed to detect security settings (%s)", err) + plog.Errorf("failed to detect auth settings (%s)", err) return false } @@ -124,7 +124,7 @@ func (s *Store) createResource(res string, value interface{}) (etcdserver.Respon return s.setResource(res, value, false) } func (s *Store) setResource(res string, value interface{}, prevexist bool) (etcdserver.Response, error) { - err := s.ensureSecurityDirectories() + err := s.ensureAuthDirectories() if err != nil { return etcdserver.Response{}, err } @@ -145,7 +145,7 @@ func (s *Store) setResource(res string, value interface{}, prevexist bool) (etcd } func (s *Store) deleteResource(res string) (etcdserver.Response, error) { - err := s.ensureSecurityDirectories() + err := s.ensureAuthDirectories() if err != nil { return etcdserver.Response{}, err } diff --git a/etcdserver/security/security_test.go b/etcdserver/auth/auth_test.go similarity index 99% rename from etcdserver/security/security_test.go rename to etcdserver/auth/auth_test.go index e5e33567d04..87cc6517033 100644 --- a/etcdserver/security/security_test.go +++ b/etcdserver/auth/auth_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package security +package auth import ( "reflect" diff --git a/etcdserver/etcdhttp/capability.go b/etcdserver/etcdhttp/capability.go index 471039a658f..75d75a90564 100644 --- a/etcdserver/etcdhttp/capability.go +++ b/etcdserver/etcdhttp/capability.go @@ -14,14 +14,14 @@ import ( type capability string const ( - securityCapability capability = "security" + authCapability capability = "auth" ) var ( // capabilityMap is a static map of version to capability map. // the base capabilities is the set of capability 2.0 supports. capabilityMaps = map[string]map[capability]bool{ - "2.1.0": {securityCapability: true}, + "2.1.0": {authCapability: true}, } enableMapMu sync.Mutex diff --git a/etcdserver/etcdhttp/client.go b/etcdserver/etcdhttp/client.go index def5d8348e6..32391e8430e 100644 --- a/etcdserver/etcdhttp/client.go +++ b/etcdserver/etcdhttp/client.go @@ -32,9 +32,9 @@ import ( "github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/net/context" etcdErr "github.com/coreos/etcd/error" "github.com/coreos/etcd/etcdserver" + "github.com/coreos/etcd/etcdserver/auth" "github.com/coreos/etcd/etcdserver/etcdhttp/httptypes" "github.com/coreos/etcd/etcdserver/etcdserverpb" - "github.com/coreos/etcd/etcdserver/security" "github.com/coreos/etcd/etcdserver/stats" "github.com/coreos/etcd/pkg/types" "github.com/coreos/etcd/raft" @@ -43,7 +43,7 @@ import ( ) const ( - securityPrefix = "/v2/security" + authPrefix = "/v2/auth" keysPrefix = "/v2/keys" deprecatedMachinesPrefix = "/v2/machines" membersPrefix = "/v2/members" @@ -58,7 +58,7 @@ const ( func NewClientHandler(server *etcdserver.EtcdServer) http.Handler { go capabilityLoop(server) - sec := security.NewStore(server, defaultServerTimeout) + sec := auth.NewStore(server, defaultServerTimeout) kh := &keysHandler{ sec: sec, @@ -83,7 +83,7 @@ func NewClientHandler(server *etcdserver.EtcdServer) http.Handler { cluster: server.Cluster(), } - sech := &securityHandler{ + sech := &authHandler{ sec: sec, cluster: server.Cluster(), } @@ -102,13 +102,13 @@ func NewClientHandler(server *etcdserver.EtcdServer) http.Handler { mux.Handle(membersPrefix, mh) mux.Handle(membersPrefix+"/", mh) mux.Handle(deprecatedMachinesPrefix, dmh) - handleSecurity(mux, sech) + handleAuth(mux, sech) return requestLogger(mux) } type keysHandler struct { - sec *security.Store + sec *auth.Store server etcdserver.Server cluster etcdserver.Cluster timer etcdserver.RaftTimer @@ -170,7 +170,7 @@ func (h *deprecatedMachinesHandler) ServeHTTP(w http.ResponseWriter, r *http.Req } type membersHandler struct { - sec *security.Store + sec *auth.Store server etcdserver.Server cluster etcdserver.Cluster clock clockwork.Clock diff --git a/etcdserver/etcdhttp/client_security.go b/etcdserver/etcdhttp/client_auth.go similarity index 73% rename from etcdserver/etcdhttp/client_security.go rename to etcdserver/etcdhttp/client_auth.go index 0f217abbfbd..4b0562b2bef 100644 --- a/etcdserver/etcdhttp/client_security.go +++ b/etcdserver/etcdhttp/client_auth.go @@ -21,29 +21,29 @@ import ( "strings" "github.com/coreos/etcd/etcdserver" + "github.com/coreos/etcd/etcdserver/auth" "github.com/coreos/etcd/etcdserver/etcdhttp/httptypes" - "github.com/coreos/etcd/etcdserver/security" "github.com/coreos/etcd/pkg/netutil" ) -type securityHandler struct { - sec *security.Store +type authHandler struct { + sec *auth.Store cluster etcdserver.Cluster } -func hasWriteRootAccess(sec *security.Store, r *http.Request) bool { +func hasWriteRootAccess(sec *auth.Store, r *http.Request) bool { if r.Method == "GET" || r.Method == "HEAD" { return true } return hasRootAccess(sec, r) } -func hasRootAccess(sec *security.Store, r *http.Request) bool { +func hasRootAccess(sec *auth.Store, r *http.Request) bool { if sec == nil { - // No store means no security available, eg, tests. + // No store means no auth available, eg, tests. return true } - if !sec.SecurityEnabled() { + if !sec.AuthEnabled() { return true } username, password, ok := netutil.BasicAuth(r) @@ -56,24 +56,24 @@ func hasRootAccess(sec *security.Store, r *http.Request) bool { } ok = rootUser.CheckPassword(password) if !ok { - plog.Warningf("security: wrong password for user %s", username) + plog.Warningf("auth: wrong password for user %s", username) return false } for _, role := range rootUser.Roles { - if role == security.RootRoleName { + if role == auth.RootRoleName { return true } } - plog.Warningf("security: user %s does not have the %s role for resource %s.", username, security.RootRoleName, r.URL.Path) + plog.Warningf("auth: user %s does not have the %s role for resource %s.", username, auth.RootRoleName, r.URL.Path) return false } -func hasKeyPrefixAccess(sec *security.Store, r *http.Request, key string, recursive bool) bool { +func hasKeyPrefixAccess(sec *auth.Store, r *http.Request, key string, recursive bool) bool { if sec == nil { - // No store means no security available, eg, tests. + // No store means no auth available, eg, tests. return true } - if !sec.SecurityEnabled() { + if !sec.AuthEnabled() { return true } username, password, ok := netutil.BasicAuth(r) @@ -82,12 +82,12 @@ func hasKeyPrefixAccess(sec *security.Store, r *http.Request, key string, recurs } user, err := sec.GetUser(username) if err != nil { - plog.Warningf("security: no such user: %s.", username) + plog.Warningf("auth: no such user: %s.", username) return false } authAsUser := user.CheckPassword(password) if !authAsUser { - plog.Warningf("security: incorrect password for user: %s.", username) + plog.Warningf("auth: incorrect password for user: %s.", username) return false } writeAccess := r.Method != "GET" && r.Method != "HEAD" @@ -101,20 +101,20 @@ func hasKeyPrefixAccess(sec *security.Store, r *http.Request, key string, recurs } return role.HasKeyAccess(key, writeAccess) } - plog.Warningf("security: invalid access for user %s on key %s.", username, key) + plog.Warningf("auth: invalid access for user %s on key %s.", username, key) return false } -func hasGuestAccess(sec *security.Store, r *http.Request, key string) bool { +func hasGuestAccess(sec *auth.Store, r *http.Request, key string) bool { writeAccess := r.Method != "GET" && r.Method != "HEAD" - role, err := sec.GetRole(security.GuestRoleName) + role, err := sec.GetRole(auth.GuestRoleName) if err != nil { return false } if role.HasKeyAccess(key, writeAccess) { return true } - plog.Warningf("security: invalid access for unauthenticated user on resource %s.", key) + plog.Warningf("auth: invalid access for unauthenticated user on resource %s.", key) return false } @@ -123,15 +123,15 @@ func writeNoAuth(w http.ResponseWriter) { herr.WriteTo(w) } -func handleSecurity(mux *http.ServeMux, sh *securityHandler) { - mux.HandleFunc(securityPrefix+"/roles", capabilityHandler(securityCapability, sh.baseRoles)) - mux.HandleFunc(securityPrefix+"/roles/", capabilityHandler(securityCapability, sh.handleRoles)) - mux.HandleFunc(securityPrefix+"/users", capabilityHandler(securityCapability, sh.baseUsers)) - mux.HandleFunc(securityPrefix+"/users/", capabilityHandler(securityCapability, sh.handleUsers)) - mux.HandleFunc(securityPrefix+"/enable", capabilityHandler(securityCapability, sh.enableDisable)) +func handleAuth(mux *http.ServeMux, sh *authHandler) { + mux.HandleFunc(authPrefix+"/roles", capabilityHandler(authCapability, sh.baseRoles)) + mux.HandleFunc(authPrefix+"/roles/", capabilityHandler(authCapability, sh.handleRoles)) + mux.HandleFunc(authPrefix+"/users", capabilityHandler(authCapability, sh.baseUsers)) + mux.HandleFunc(authPrefix+"/users/", capabilityHandler(authCapability, sh.handleUsers)) + mux.HandleFunc(authPrefix+"/enable", capabilityHandler(authCapability, sh.enableDisable)) } -func (sh *securityHandler) baseRoles(w http.ResponseWriter, r *http.Request) { +func (sh *authHandler) baseRoles(w http.ResponseWriter, r *http.Request) { if !allowMethod(w, r.Method, "GET") { return } @@ -160,8 +160,8 @@ func (sh *securityHandler) baseRoles(w http.ResponseWriter, r *http.Request) { } } -func (sh *securityHandler) handleRoles(w http.ResponseWriter, r *http.Request) { - subpath := path.Clean(r.URL.Path[len(securityPrefix):]) +func (sh *authHandler) handleRoles(w http.ResponseWriter, r *http.Request) { + subpath := path.Clean(r.URL.Path[len(authPrefix):]) // Split "/roles/rolename/command". // First item is an empty string, second is "roles" pieces := strings.Split(subpath, "/") @@ -176,7 +176,7 @@ func (sh *securityHandler) handleRoles(w http.ResponseWriter, r *http.Request) { sh.forRole(w, r, pieces[2]) } -func (sh *securityHandler) forRole(w http.ResponseWriter, r *http.Request, role string) { +func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role string) { if !allowMethod(w, r.Method, "GET", "PUT", "DELETE") { return } @@ -201,7 +201,7 @@ func (sh *securityHandler) forRole(w http.ResponseWriter, r *http.Request, role } return case "PUT": - var in security.Role + var in auth.Role err := json.NewDecoder(r.Body).Decode(&in) if err != nil { writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Invalid JSON in request body.")) @@ -236,7 +236,7 @@ func (sh *securityHandler) forRole(w http.ResponseWriter, r *http.Request, role } } -func (sh *securityHandler) baseUsers(w http.ResponseWriter, r *http.Request) { +func (sh *authHandler) baseUsers(w http.ResponseWriter, r *http.Request) { if !allowMethod(w, r.Method, "GET") { return } @@ -265,8 +265,8 @@ func (sh *securityHandler) baseUsers(w http.ResponseWriter, r *http.Request) { } } -func (sh *securityHandler) handleUsers(w http.ResponseWriter, r *http.Request) { - subpath := path.Clean(r.URL.Path[len(securityPrefix):]) +func (sh *authHandler) handleUsers(w http.ResponseWriter, r *http.Request) { + subpath := path.Clean(r.URL.Path[len(authPrefix):]) // Split "/users/username". // First item is an empty string, second is "users" pieces := strings.Split(subpath, "/") @@ -281,7 +281,7 @@ func (sh *securityHandler) handleUsers(w http.ResponseWriter, r *http.Request) { sh.forUser(w, r, pieces[2]) } -func (sh *securityHandler) forUser(w http.ResponseWriter, r *http.Request, user string) { +func (sh *authHandler) forUser(w http.ResponseWriter, r *http.Request, user string) { if !allowMethod(w, r.Method, "GET", "PUT", "DELETE") { return } @@ -308,7 +308,7 @@ func (sh *securityHandler) forUser(w http.ResponseWriter, r *http.Request, user } return case "PUT": - var u security.User + var u auth.User err := json.NewDecoder(r.Body).Decode(&u) if err != nil { writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Invalid JSON in request body.")) @@ -351,7 +351,7 @@ type enabled struct { Enabled bool `json:"enabled"` } -func (sh *securityHandler) enableDisable(w http.ResponseWriter, r *http.Request) { +func (sh *authHandler) enableDisable(w http.ResponseWriter, r *http.Request) { if !allowMethod(w, r.Method, "GET", "PUT", "DELETE") { return } @@ -361,22 +361,22 @@ func (sh *securityHandler) enableDisable(w http.ResponseWriter, r *http.Request) } w.Header().Set("X-Etcd-Cluster-ID", sh.cluster.ID().String()) w.Header().Set("Content-Type", "application/json") - isEnabled := sh.sec.SecurityEnabled() + isEnabled := sh.sec.AuthEnabled() switch r.Method { case "GET": jsonDict := enabled{isEnabled} err := json.NewEncoder(w).Encode(jsonDict) if err != nil { - plog.Warningf("error encoding security state on %s", r.URL) + plog.Warningf("error encoding auth state on %s", r.URL) } case "PUT": - err := sh.sec.EnableSecurity() + err := sh.sec.EnableAuth() if err != nil { writeError(w, err) return } case "DELETE": - err := sh.sec.DisableSecurity() + err := sh.sec.DisableAuth() if err != nil { writeError(w, err) return diff --git a/etcdserver/etcdhttp/http.go b/etcdserver/etcdhttp/http.go index f9b1853d746..656282f2a4e 100644 --- a/etcdserver/etcdhttp/http.go +++ b/etcdserver/etcdhttp/http.go @@ -23,8 +23,8 @@ import ( "github.com/coreos/etcd/Godeps/_workspace/src/github.com/coreos/pkg/capnslog" etcdErr "github.com/coreos/etcd/error" + "github.com/coreos/etcd/etcdserver/auth" "github.com/coreos/etcd/etcdserver/etcdhttp/httptypes" - "github.com/coreos/etcd/etcdserver/security" ) const ( @@ -55,7 +55,7 @@ func writeError(w http.ResponseWriter, err error) { e.WriteTo(w) case *httptypes.HTTPError: e.WriteTo(w) - case security.Error: + case auth.Error: herr := httptypes.NewHTTPError(http.StatusBadRequest, e.Error()) herr.WriteTo(w) default: