Early exit auth check on lease puts

Mitigates etcd-io#15993 by not checking each key individually for permission when auth is entirely disabled or admin user is calling the method. Backport of etcd-io#16005 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu · Jun 6, 2023 · 06e6e16 · 06e6e16
1 parent 4d4984f
commit 06e6e16
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/server/etcdserver/apply_auth.go b/server/etcdserver/apply_auth.go
@@ -179,6 +179,12 @@ func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevoke
 func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
 	lease := aa.lessor.Lookup(leaseID)
 	if lease != nil {
+		// early return for most-common scenario of either disabled auth or admin user.
+		// IsAdminPermitted also checks whether auth is enabled
+		if err := aa.as.IsAdminPermitted(&aa.authInfo); err == nil {
+			return nil
+		}
+
 		for _, key := range lease.Keys() {
 			if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
 				return err