
package auth

import ""

Package auth provides user/role-based authentication for etcd clients and the per-key permission checks (put, range, delete-range) that authorize their access to keys.


Package Files

doc.go jwt.go metrics.go nop.go options.go range_perm_cache.go simple_token.go store.go


// Sentinel errors returned by the auth store and the token providers.
// Callers should compare them with errors.Is rather than by message.
var (
    // Root user/role invariants (presumably checked when auth is enabled —
    // confirm in store.go).
    ErrRootUserNotExist     = errors.New("auth: root user does not exist")
    ErrRootRoleNotExist     = errors.New("auth: root user does not have root role")
    // User and role management errors.
    ErrUserAlreadyExist     = errors.New("auth: user already exists")
    ErrUserEmpty            = errors.New("auth: user name is empty")
    ErrUserNotFound         = errors.New("auth: user not found")
    ErrRoleAlreadyExist     = errors.New("auth: role already exists")
    ErrRoleNotFound         = errors.New("auth: role not found")
    ErrRoleEmpty            = errors.New("auth: role name is empty")
    // ErrAuthFailed carries a deliberately generic message: it does not say
    // whether the user ID or the password was wrong. Keep it that way — a login
    // path must not surface ErrUserNotFound to clients, or users can be enumerated.
    ErrAuthFailed           = errors.New("auth: authentication failed, invalid user ID or password")
    // ErrNoPasswordUser is returned when a password is supplied for a user that
    // was created without one (such users presumably authenticate some other
    // way, e.g. via a client certificate — confirm in store.go).
    ErrNoPasswordUser       = errors.New("auth: authentication failed, password was given for no password user")
    ErrPermissionDenied     = errors.New("auth: permission denied")
    ErrRoleNotGranted       = errors.New("auth: role is not granted to the user")
    ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role")
    ErrAuthNotEnabled       = errors.New("auth: authentication is not enabled")
    // ErrAuthOldRevision is returned when the auth revision carried in the
    // request header is older than the store's current revision — i.e. the
    // credential predates an auth-state change and presumably must be
    // re-obtained (see AuthInfo.Revision; confirm in store.go).
    ErrAuthOldRevision      = errors.New("auth: revision in header is old")
    // Token and token-option errors.
    ErrInvalidAuthToken     = errors.New("auth: invalid auth token")
    ErrInvalidAuthOpts      = errors.New("auth: invalid auth options")
    ErrInvalidAuthMgmt      = errors.New("auth: invalid auth management")
    // JWT key-material errors (presumably raised by jwt.go when parsing
    // the configured signing method and keys).
    ErrInvalidAuthMethod    = errors.New("auth: invalid auth signature method")
    ErrMissingKey           = errors.New("auth: missing key data")
    ErrKeyMismatch          = errors.New("auth: public and private keys don't match")
    // ErrVerifyOnly: a provider configured with only a public key can verify
    // tokens but must refuse to sign them.
    ErrVerifyOnly           = errors.New("auth: token signing attempted with verify-only key")
var (
    // DefaultTTL is the token lifetime used when no 'ttl' value is specified
    // (presumably the ttl key of the auth-token options handed to
    // NewTokenProvider — confirm in options.go). Shorter lifetimes limit how
    // long a leaked token remains usable.
    DefaultTTL = 5 * time.Minute

func NewAuthStore

func NewAuthStore(lg *zap.Logger, be backend.Backend, ci cindex.ConsistentIndexer, tp TokenProvider, bcryptCost int) *authStore

NewAuthStore creates a new AuthStore backed by be, issuing tokens through tp. bcryptCost is the bcrypt work factor used when hashing stored passwords (later exposed via BcryptCost); it bounds the cost of offline guessing against a leaked backend, so it should not be set below the bcrypt default.

type AuthInfo

// AuthInfo identifies the authenticated principal a request acts as.
type AuthInfo struct {
    // Username is the authenticated user name.
    Username string
    // Revision is the auth-store revision the credential was issued against.
    // Presumably compared with AuthStore.Revision(); a stale value yields
    // ErrAuthOldRevision — confirm in store.go.
    Revision uint64

type AuthStore

type AuthStore interface {
    // AuthEnable turns on the authentication feature.
    AuthEnable() error

    // AuthDisable turns off the authentication feature.
    // (Its method signature is missing from this rendered listing.)

    // IsAuthEnabled returns true if the authentication feature is enabled.
    IsAuthEnabled() bool

    // Authenticate checks the given user name and password and, on success,
    // returns a response that presumably carries the issued token.
    // Per-call parameters are passed through ctx under the
    // AuthenticateParamIndex and AuthenticateParamSimpleTokenPrefix keys.
    // NOTE(review): on failure return the generic ErrAuthFailed; do not
    // distinguish "unknown user" from "wrong password" to the caller.
    Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error)

    // Recover recovers the state of the auth store from the given backend.
    Recover(b backend.Backend)

    // UserAdd adds a new user.
    UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error)

    // UserDelete deletes a user.
    UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error)

    // UserChangePassword changes the password of a user.
    UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*pb.AuthUserChangePasswordResponse, error)

    // UserGrantRole grants a role to the user.
    UserGrantRole(r *pb.AuthUserGrantRoleRequest) (*pb.AuthUserGrantRoleResponse, error)

    // UserGet gets the detailed information of a user.
    UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error)

    // UserRevokeRole revokes a role from a user.
    UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error)

    // RoleAdd adds a new role.
    RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse, error)

    // RoleGrantPermission grants a (key-range) permission to a role.
    RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (*pb.AuthRoleGrantPermissionResponse, error)

    // RoleGet gets the detailed information of a role.
    RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error)

    // RoleRevokePermission revokes a permission from a role.
    RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest) (*pb.AuthRoleRevokePermissionResponse, error)

    // RoleDelete deletes a role.
    RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error)

    // UserList gets a list of all users.
    UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListResponse, error)

    // RoleList gets a list of all roles.
    RoleList(r *pb.AuthRoleListRequest) (*pb.AuthRoleListResponse, error)

    // IsPutPermitted checks that the user in authInfo may write key
    // (presumably ErrPermissionDenied otherwise).
    IsPutPermitted(authInfo *AuthInfo, key []byte) error

    // IsRangePermitted checks that the user in authInfo may read the
    // range key..rangeEnd.
    IsRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error

    // IsDeleteRangePermitted checks that the user in authInfo may delete the
    // range key..rangeEnd.
    IsDeleteRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error

    // IsAdminPermitted checks that the user in authInfo has admin
    // (presumably root-role) permission.
    IsAdminPermitted(authInfo *AuthInfo) error

    // GenTokenPrefix produces a random string used as a simple-token prefix;
    // for JWT it produces an empty string.
    // NOTE(review): this randomness is security-relevant for simple tokens —
    // confirm in simple_token.go that it comes from a CSPRNG.
    GenTokenPrefix() (string, error)

    // Revision gets the current revision of the authStore (presumably bumped
    // on every auth-state change; compared against AuthInfo.Revision).
    Revision() uint64

    // CheckPassword checks that the given username/password pair is correct
    // and returns a uint64 that is presumably the auth revision at check
    // time — confirm in store.go.
    CheckPassword(username, password string) (uint64, error)

    // Close does cleanup of the AuthStore.
    Close() error

    // AuthInfoFromCtx gets AuthInfo from the token carried in gRPC's context.
    AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error)

    // AuthInfoFromTLS gets AuthInfo from the TLS info of gRPC's context, i.e.
    // from the client certificate rather than from a token.
    // NOTE(review): this only authenticates anyone if the listener verifies
    // client certificates against a trusted CA; confirm that, and which
    // certificate field supplies Username, in store.go.
    AuthInfoFromTLS(ctx context.Context) *AuthInfo

    // WithRoot generates and installs a token that can be used as a root
    // credential. NOTE(review): privileged — intended for server-internal
    // operations; never apply it to a context derived from a client request.
    WithRoot(ctx context.Context) context.Context

    // HasRole checks that user has role.
    HasRole(user, role string) bool

    // BcryptCost gets the bcrypt cost used to hash auth passwords
    // (configured through NewAuthStore).
    BcryptCost() int

AuthStore defines the auth storage interface: enabling/disabling auth, user and role management, password and token checks, and per-key permission checks.

type AuthenticateParamIndex

type AuthenticateParamIndex struct{}

AuthenticateParamIndex is the context key under which Authenticate() receives a per-call parameter (presumably the consistent index of the request — confirm in store.go).

type AuthenticateParamSimpleTokenPrefix

type AuthenticateParamSimpleTokenPrefix struct{}

AuthenticateParamSimpleTokenPrefix is the context key under which Authenticate() receives the simple-token prefix (presumably the string produced by GenTokenPrefix()).

type TokenProvider

// TokenProvider appears to issue and verify the auth tokens used by
// Authenticate and AuthInfoFromCtx. Its methods are unexported, so all
// implementations live inside this package (presumably simple_token.go and
// jwt.go, per the file list).
type TokenProvider interface {
    // contains filtered or unexported methods

func NewTokenProvider

func NewTokenProvider(
    lg *zap.Logger,
    tokenOpts string,
    indexWaiter func(uint64) <-chan struct{},
    TokenTTL time.Duration) (TokenProvider, error)

NewTokenProvider creates a new token provider from the auth-token option string tokenOpts (the package ships simple_token.go and jwt.go, so presumably a simple-token or JWT configuration; invalid options yield ErrInvalidAuthOpts). indexWaiter appears to let the provider wait for a given index before a token becomes usable, and TokenTTL bounds token lifetime (DefaultTTL applies when no ttl is specified).


authpb: Package authpb is a generated protocol buffer package.
