Add Join Perms back

10 months ago · 66434caeb9
parent 3fe6e3f122
commit 66434caeb9
3 changed files with 23 additions and 8 deletions
--- a/auth/credential_store.go
+++ b/auth/credential_store.go
@ -18,6 +18,10 @@ const (

 	// PermAll means all actions permitted.
 	PermAll = "all"
+	// PermJoin means user is permitted to join cluster.
+	PermJoin = "join"
+	// PermJoinReadOnly means user is permitted to join the cluster only as a read-only node
+	PermJoinReadOnly = "join-read-only"
 	// PermRemove means user is permitted to remove a node.
 	PermRemove = "remove"
 	// PermExecute means user can access execute endpoint.
--- a/cluster/service.go
+++ b/cluster/service.go
@ -439,6 +439,8 @@ func (s *Service) handleConn(conn net.Conn) {
 			nr := c.GetNotifyRequest()
 			if nr == nil {
 				resp.Error = "NotifyRequest is nil"
+			} else if !s.checkCommandPermAll(c, auth.PermJoin) {
+				resp.Error = "unauthorized"
 			} else {
 				if err := s.mgr.Notify(nr); err != nil {
 					resp.Error = err.Error()
@ -454,6 +456,8 @@ func (s *Service) handleConn(conn net.Conn) {
 			if jr == nil {
 				resp.Error = "JoinRequest is nil"
 			} else {
+				if (jr.Voter && s.checkCommandPerm(c, auth.PermJoin)) ||
+					(!jr.Voter && s.checkCommandPerm(c, auth.PermJoinReadOnly)) {
 					if err := s.mgr.Join(jr); err != nil {
 						resp.Error = err.Error()
 						if err.Error() == "not leader" {
@ -465,6 +469,9 @@ func (s *Service) handleConn(conn net.Conn) {
 							}
 						}
 					}
+				} else {
+					resp.Error = "unauthorized"
+				}
 			}
 			marshalAndWrite(conn, resp)
 		}
--- a/cmd/rqlited/flags.go
+++ b/cmd/rqlited/flags.go
@ -111,6 +111,9 @@ type Config struct {
 	// JoinInterval is the time between retrying failed join operations.
 	JoinInterval time.Duration

+	// JoinAs sets the user join attempts should be performed as. May not be set.
+	JoinAs string
+
 	// BootstrapExpect is the minimum number of nodes required for a bootstrap.
 	BootstrapExpect int

@ -441,6 +444,7 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) {
 	flag.StringVar(&config.JoinAddrs, "join", "", "Comma-delimited list of nodes, through which a cluster can be joined (proto://host:port)")
 	flag.IntVar(&config.JoinAttempts, "join-attempts", 5, "Number of join attempts to make")
 	flag.DurationVar(&config.JoinInterval, "join-interval", 3*time.Second, "Period between join attempts")
+	flag.StringVar(&config.JoinAs, "join-as", "", "Username in authentication file to join as. If not set, joins anonymously")
 	flag.IntVar(&config.BootstrapExpect, "bootstrap-expect", 0, "Minimum number of nodes required for a bootstrap")
 	flag.DurationVar(&config.BootstrapExpectTimeout, "bootstrap-expect-timeout", 120*time.Second, "Maximum time for bootstrap process")
 	flag.StringVar(&config.DiscoMode, "disco-mode", "", "Choose clustering discovery mode. If not set, no node discovery is performed")