
Add Read-only join permission

master
Philip O'Toole 2 years ago
parent 348b49c757
commit c59adee7cb

@ -45,6 +45,7 @@ rqlite, via the configuration file, also supports user-level permissions. Each u
- _status_: user can retrieve node status and Go runtime information.
- _ready_: user can retrieve node readiness.
- _join_: user can join a cluster. In practice only a node joins a cluster, so it's the joining node that must supply the credentials.
- _join-read-only_: user can join a cluster, but only as a read-only node.
- _remove_: user can remove a node from a cluster.
### Example configuration file

@ -18,6 +18,8 @@ const (
PermAll = "all"
// PermJoin means user is permitted to join cluster.
PermJoin = "join"
// PermJoinReadOnly means user is permitted to join the cluster only as a read-only node
PermJoinReadOnly = "join-read-only"
// PermRemove means user is permitted to remove a node.
PermRemove = "remove"
// PermExecute means user can access execute endpoint.

@ -392,7 +392,7 @@ func (s *Service) RegisterStatus(key string, stat StatusReporter) error {
// handleJoin handles cluster-join requests from other nodes.
func (s *Service) handleJoin(w http.ResponseWriter, r *http.Request) {
if !s.CheckRequestPerm(r, auth.PermJoin) {
if !s.CheckRequestPerm(r, auth.PermJoin) && !s.CheckRequestPerm(r, auth.PermJoinReadOnly) {
w.WriteHeader(http.StatusUnauthorized)
return
}
@ -430,6 +430,11 @@ func (s *Service) handleJoin(w http.ResponseWriter, r *http.Request) {
voter = true
}
if voter.(bool) && !!s.CheckRequestPerm(r, auth.PermJoin) {
http.Error(w, "joining as voter not allowed", http.StatusServiceUnavailable)
return
}
if err := s.store.Join(remoteID.(string), remoteAddr.(string), voter.(bool)); err != nil {
if err == store.ErrNotLeader {
leaderAPIAddr := s.LeaderAPIAddr()
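Review bot: The voter guard added in handleJoin, `if voter.(bool) && !!s.CheckRequestPerm(r, auth.PermJoin) {`, has a doubled negation, so it rejects a voter join exactly when the caller holds _join_ and lets one through when the caller holds only _join-read-only_, which is the opposite of what the new permission is documented to allow. It should read `if voter.(bool) && !s.CheckRequestPerm(r, auth.PermJoin) {`. The rejection is an authorization failure, so `http.StatusUnauthorized` (as the entry check of this function uses) fits better than `http.StatusServiceUnavailable`, which a joining node may treat as retryable. A handler test that submits a voter join with a credential holding only `auth.PermJoinReadOnly` and expects rejection would pin the intended behaviour. handleJoin's body starts and ends outside the hunk, so how `voter` is parsed from the request is not visible here.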
