package auth
import "go.etcd.io/etcd/server/v3/auth"
Package auth provides user- and role-based authentication, and per-key authorization, for accessing keys in etcd.
Variables ¶
var (
	// ErrRootUserNotExist is returned when the root user has not been created.
	ErrRootUserNotExist = errors.New("auth: root user does not exist")
	// ErrRootRoleNotExist is returned when the root user exists but lacks the root role.
	ErrRootRoleNotExist = errors.New("auth: root user does not have root role")
	// ErrUserAlreadyExist is returned when adding a user whose name is already taken.
	ErrUserAlreadyExist = errors.New("auth: user already exists")
	// ErrUserEmpty is returned when a user name is empty.
	ErrUserEmpty = errors.New("auth: user name is empty")
	// ErrUserNotFound is returned when the named user does not exist.
	ErrUserNotFound = errors.New("auth: user not found")
	// ErrRoleAlreadyExist is returned when adding a role whose name is already taken.
	ErrRoleAlreadyExist = errors.New("auth: role already exists")
	// ErrRoleNotFound is returned when the named role does not exist.
	ErrRoleNotFound = errors.New("auth: role not found")
	// ErrRoleEmpty is returned when a role name is empty.
	ErrRoleEmpty = errors.New("auth: role name is empty")
	// ErrPermissionNotGiven is returned when a permission was required in a request but not supplied.
	ErrPermissionNotGiven = errors.New("auth: permission not given")

	// ErrAuthFailed is returned when authentication fails. The message does not
	// say whether the user ID or the password was wrong, which avoids confirming
	// account names to an unauthenticated caller.
	ErrAuthFailed = errors.New("auth: authentication failed, invalid user ID or password")
	// ErrNoPasswordUser is returned when a password is supplied for a user that has none.
	// NOTE(review): unlike ErrAuthFailed this message reveals that the account exists
	// and is password-less; check that the API layer does not surface it verbatim to
	// unauthenticated clients.
	ErrNoPasswordUser = errors.New("auth: authentication failed, password was given for no password user")
	// ErrPermissionDenied is returned when an authorization check fails.
	ErrPermissionDenied = errors.New("auth: permission denied")
	// ErrRoleNotGranted is returned when the user does not hold the role in question
	// (typically on revoke).
	ErrRoleNotGranted = errors.New("auth: role is not granted to the user")
	// ErrPermissionNotGranted is returned when the role does not hold the permission
	// in question (typically on revoke).
	ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role")
	// ErrAuthNotEnabled is returned when an operation requires auth to be enabled and it is not.
	ErrAuthNotEnabled = errors.New("auth: authentication is not enabled")
	// ErrAuthOldRevision is returned when the auth revision carried in a request
	// header is behind the store's current revision; the caller is presumably
	// expected to re-authenticate and retry.
	ErrAuthOldRevision = errors.New("auth: revision in header is old")

	// ErrInvalidAuthToken is returned for a token that cannot be validated.
	ErrInvalidAuthToken = errors.New("auth: invalid auth token")
	// ErrInvalidAuthOpts is returned for auth/token options that cannot be parsed.
	ErrInvalidAuthOpts = errors.New("auth: invalid auth options")
	// ErrInvalidAuthMgmt is returned for an invalid auth management operation.
	ErrInvalidAuthMgmt = errors.New("auth: invalid auth management")
	// ErrInvalidAuthMethod is returned for an unsupported token signature method.
	ErrInvalidAuthMethod = errors.New("auth: invalid auth signature method")
	// ErrMissingKey is returned when the key data needed to sign or verify tokens is absent.
	ErrMissingKey = errors.New("auth: missing key data")
	// ErrKeyMismatch is returned when the configured public and private keys do not match.
	ErrKeyMismatch = errors.New("auth: public and private keys don't match")
	// ErrVerifyOnly is returned when token signing is attempted with a verify-only key.
	ErrVerifyOnly = errors.New("auth: token signing attempted with verify-only key")
)
DefaultTTL is the token TTL used when a 'ttl' is not specified (the constant itself is not listed on this page).
Types ¶
type AuthBackend ¶
// AuthBackend is the persistence layer the auth store reads and writes
// through. Locked transactional access goes via ReadTx/BatchTx; the Get*
// methods are direct lookups.
type AuthBackend interface {
	// CreateAuthBuckets creates the storage buckets the auth store needs.
	CreateAuthBuckets()
	// ForceCommit flushes pending writes to the backend.
	ForceCommit()
	// ReadTx returns a read-locked transaction over the auth state.
	ReadTx() AuthReadTx
	// BatchTx returns a write-locked transaction over the auth state.
	BatchTx() AuthBatchTx
	// GetUser returns the stored record for the named user
	// (presumably nil when absent — confirm against the implementation).
	GetUser(string) *authpb.User
	// GetAllUsers returns every stored user.
	GetAllUsers() []*authpb.User
	// GetRole returns the stored record for the named role
	// (presumably nil when absent — confirm against the implementation).
	GetRole(string) *authpb.Role
	// GetAllRoles returns every stored role.
	GetAllRoles() []*authpb.Role
}
type AuthBatchTx ¶
// AuthBatchTx is a read-write transaction over the auth state. The embedded
// Unsafe* methods carry no locking of their own; their prefix indicates they
// are meant to be called only between Lock and Unlock.
type AuthBatchTx interface {
	// Lock acquires the transaction's write lock.
	Lock()
	// Unlock releases the lock taken by Lock.
	Unlock()
	UnsafeAuthReadWriter
}
type AuthInfo ¶
type AuthReadTx ¶
// AuthReadTx is a read-only transaction over the auth state. The embedded
// Unsafe* methods carry no locking of their own; their prefix indicates they
// are meant to be called only between RLock and RUnlock.
type AuthReadTx interface {
	// RLock acquires the transaction's read lock.
	RLock()
	// RUnlock releases the lock taken by RLock.
	RUnlock()
	UnsafeAuthReader
}
type AuthStore ¶
type AuthStore interface {
	// AuthEnable turns on the authentication feature.
	AuthEnable() error
	// AuthDisable turns off the authentication feature.
	AuthDisable()
	// IsAuthEnabled returns true if the authentication feature is enabled.
	IsAuthEnabled() bool
	// Authenticate does authentication based on the given user name and password.
	// On failure the error should be ErrAuthFailed-style and not leak which of the
	// two was wrong; see the sentinel errors above.
	Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error)
	// Recover recovers the state of the auth store from the given backend.
	Recover(be AuthBackend)
	// UserAdd adds a new user.
	UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error)
	// UserDelete deletes a user.
	UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error)
	// UserChangePassword changes the password of a user.
	UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*pb.AuthUserChangePasswordResponse, error)
	// UserGrantRole grants a role to the user.
	UserGrantRole(r *pb.AuthUserGrantRoleRequest) (*pb.AuthUserGrantRoleResponse, error)
	// UserGet gets the detailed information of a user.
	UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error)
	// UserRevokeRole revokes a role from a user.
	UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error)
	// RoleAdd adds a new role.
	RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse, error)
	// RoleGrantPermission grants a permission to a role.
	RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (*pb.AuthRoleGrantPermissionResponse, error)
	// RoleGet gets the detailed information of a role.
	RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error)
	// RoleRevokePermission revokes a permission from a role.
	RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest) (*pb.AuthRoleRevokePermissionResponse, error)
	// RoleDelete deletes a role.
	RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error)
	// UserList gets a list of all users.
	UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListResponse, error)
	// RoleList gets a list of all roles.
	RoleList(r *pb.AuthRoleListRequest) (*pb.AuthRoleListResponse, error)
	// IsPutPermitted checks put permission of the user on key.
	// A nil error means the operation is permitted.
	IsPutPermitted(authInfo *AuthInfo, key []byte) error
	// IsRangePermitted checks range (read) permission of the user over the
	// key range described by key and rangeEnd. A nil error means permitted.
	IsRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
	// IsDeleteRangePermitted checks delete-range permission of the user over the
	// key range described by key and rangeEnd. A nil error means permitted.
	IsDeleteRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
	// IsAdminPermitted checks admin permission of the user. A nil error means
	// permitted; the failure value is presumably ErrPermissionDenied — confirm in store.go.
	IsAdminPermitted(authInfo *AuthInfo) error
	// GenTokenPrefix produces a random string in a case of simple token;
	// in a case of JWT, it produces an empty string.
	GenTokenPrefix() (string, error)
	// Revision gets the current revision of the authStore.
	Revision() uint64
	// CheckPassword checks that a given pair of username and password is correct.
	// The uint64 result is presumably the auth revision the check was made at —
	// confirm against store.go before relying on it.
	CheckPassword(username, password string) (uint64, error)
	// Close does cleanup of the AuthStore.
	Close() error
	// AuthInfoFromCtx gets AuthInfo from gRPC's context
	// (presumably from a token in the request metadata — confirm).
	AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error)
	// AuthInfoFromTLS gets AuthInfo from the TLS info of gRPC's context.
	// NOTE(review): unlike AuthInfoFromCtx this cannot report an error, so a nil
	// result is the only failure signal; callers must check it before use.
	AuthInfoFromTLS(ctx context.Context) *AuthInfo
	// WithRoot generates and installs a token that can be used as a root credential.
	// NOTE(review): the returned context carries root authority. It is intended for
	// server-internal operations and must never be derived from, or handed back
	// to, a client request.
	WithRoot(ctx context.Context) context.Context
	// HasRole checks that the user has the role.
	HasRole(user, role string) bool
	// BcryptCost gets the bcrypt cost (work factor) used when hashing auth passwords.
	BcryptCost() int
}
AuthStore defines the auth storage interface: user and role management, credential checking, and the per-request authorization checks (IsPutPermitted, IsRangePermitted, IsDeleteRangePermitted, IsAdminPermitted) the server is expected to consult before acting on a request.
func NewAuthStore ¶
func NewAuthStore(lg *zap.Logger, be AuthBackend, tp TokenProvider, bcryptCost int) AuthStore
NewAuthStore creates a new AuthStore on top of backend be, using tp as its TokenProvider and bcryptCost as the bcrypt cost for password hashing (see BcryptCost).
type AuthenticateParamIndex ¶
// AuthenticateParamIndex is the context key type under which Authenticate()
// receives its index parameter. A dedicated empty struct type is used so the
// key cannot collide with context keys from other packages.
type AuthenticateParamIndex struct{}
AuthenticateParamIndex is used as a context key for passing the index parameter to Authenticate().
type AuthenticateParamSimpleTokenPrefix ¶
// AuthenticateParamSimpleTokenPrefix is the context key type under which
// Authenticate() receives the simple-token prefix parameter (see
// GenTokenPrefix). A dedicated empty struct type is used so the key cannot
// collide with context keys from other packages.
type AuthenticateParamSimpleTokenPrefix struct{}
AuthenticateParamSimpleTokenPrefix is used as a context key for passing the simple-token prefix parameter to Authenticate().
type TokenProvider ¶
// TokenProvider abstracts the token mechanism used by the auth store. Its
// methods are unexported and are not shown on this page; the simple-token and
// JWT implementations presumably live in simple_token.go and jwt.go (see
// Source Files).
type TokenProvider interface {
	// contains filtered or unexported methods
}
func NewTokenProvider ¶
func NewTokenProvider( lg *zap.Logger, tokenOpts string, indexWaiter func(uint64) <-chan struct{}, TokenTTL time.Duration, ) (TokenProvider, error)
NewTokenProvider creates a new token provider from tokenOpts. TokenTTL is the lifetime applied to issued tokens, and indexWaiter presumably lets the provider wait until a given index has been applied before acting — confirm against the implementation.
type UnsafeAuthReadWriter ¶
// UnsafeAuthReadWriter combines unlocked read and write access to the auth
// state. AuthBatchTx wraps it with Lock/Unlock; the Unsafe prefix indicates
// callers are expected to hold that lock.
type UnsafeAuthReadWriter interface {
	UnsafeAuthReader
	UnsafeAuthWriter
}
type UnsafeAuthReader ¶
// UnsafeAuthReader reads auth state without taking any lock. AuthReadTx wraps
// it with RLock/RUnlock; the Unsafe prefix indicates callers are expected to
// hold the transaction's lock — confirm against the backend implementation.
type UnsafeAuthReader interface {
	// UnsafeReadAuthEnabled reports whether auth is enabled in the persisted state.
	UnsafeReadAuthEnabled() bool
	// UnsafeReadAuthRevision returns the persisted auth revision.
	UnsafeReadAuthRevision() uint64
	// UnsafeGetUser returns the stored record for the named user.
	UnsafeGetUser(string) *authpb.User
	// UnsafeGetRole returns the stored record for the named role.
	UnsafeGetRole(string) *authpb.Role
	// UnsafeGetAllUsers returns every stored user.
	UnsafeGetAllUsers() []*authpb.User
	// UnsafeGetAllRoles returns every stored role.
	UnsafeGetAllRoles() []*authpb.Role
}
type UnsafeAuthWriter ¶
// UnsafeAuthWriter mutates auth state without taking any lock. AuthBatchTx
// wraps it with Lock/Unlock; the Unsafe prefix indicates callers are expected
// to hold the transaction's write lock — confirm against the backend implementation.
type UnsafeAuthWriter interface {
	// UnsafeSaveAuthEnabled persists the auth-enabled flag.
	UnsafeSaveAuthEnabled(enabled bool)
	// UnsafeSaveAuthRevision persists the auth revision.
	UnsafeSaveAuthRevision(rev uint64)
	// UnsafePutUser stores (creates or replaces) a user record.
	UnsafePutUser(*authpb.User)
	// UnsafeDeleteUser removes the named user record.
	UnsafeDeleteUser(string)
	// UnsafePutRole stores (creates or replaces) a role record.
	UnsafePutRole(*authpb.Role)
	// UnsafeDeleteRole removes the named role record.
	UnsafeDeleteRole(string)
}
Source Files ¶
doc.go jwt.go metrics.go nop.go options.go range_perm_cache.go simple_token.go store.go
- Version
- v3.6.10 (latest)
- Published
- Apr 1, 2026