UserAdd and RoleAdd bypass --quota-backend-bytes #16150
Comments
Thanks @CaojiamingAlan for bringing it up! Looks like it is missed not only in the quota applier but in the grpc API layer.
It looks like a good first issue to me. If you think it's OK, I'd like to work on it and bring some update up until Wednesday, 5th.
@iuriatan Thank you for your enthusiasm. However, IMHO let's not rush to fix this. In fact, the title of the issue may be a little bit misleading, since the set of auth-related APIs that need to be considered includes all the APIs that write new records to the authstore (UserAdd/UserChangePassword/UserGrantRole/UserRevokeRole/RoleAdd/RoleGrantPermission/RoleRevokePermission etc.). And for each API, it involves several parts of work:
All three parts do not have enough test coverage yet. Therefore, I don't think a PR that changes all these manually would be accepted. We should improve the test coverage first and try to make changes after that. #16036 (comment) I would also like to hear others' opinions about this.
@CaojiamingAlan Can you help define some cases to be tested? I can work on extending appliers test coverage while the community discusses strategies.
The tests I've written so far cover the correctness of permission checks and alarm handling, but do not yet thoroughly test the correctness of the result of applying. For example, first PUT and then RANGE to see whether the result matches. There are still some APIs that are not covered at all, like
* add `put` tests on quota applier Following discussions on etcd-io#16036 and etcd-io#16150, this patch aims to improve appliers test coverage. Signed-off-by: iuriatan <iuriatan@gmail.com>
* add `put` tests on quota applier Following discussions on etcd-io#16036 and etcd-io#16150, this patch improves appliers test coverage. Signed-off-by: iuriatan <iuriatan@gmail.com>
Bug report criteria
What happened?
When the db size hits the limit of --quota-backend-bytes, users can still add users and roles, causing the db size to continue to increase.
What did you expect to happen?
user add/role add should also return ErrNoSpace when hitting the limit
How can we reproduce it (as minimally and precisely as possible)?
etcd --quota-backend-bytes=$((200*1024))
Check the db size with
etcdctl --write-out=table endpoint status
The db's initial size is 98kB:
Anything else we need to know?
No response
Etcd version (please run commands below)
I believe all versions are affected
Etcd configuration (command line flags or environment variables)
No response
Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)
No response
Relevant log output
No response
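The gap reported above, reduced to a self-contained Go model (an added example, not etcd's code). It assumes the quota check lives in a wrapper type that embeds what it guards; `Applier`, `store`, `partialQuota`, `fullQuota`, `Partial`, `Full` and `FillThenAddUser` are hypothetical names. Because the wrapper overrides only `Put`, `UserAdd` is promoted unguarded, and a fill-then-call test exposes it.

```go
package main

import "fmt"

var ErrNoSpace = fmt.Errorf("no space") // error name taken from the report
// Applier is a hypothetical two-method write interface, not etcd's own.
type Applier interface {
	Put(k, v string) error
	UserAdd(name string) error
}

// store is a toy backend that only counts bytes written against a quota.
type store struct{ size, quota int }
func (s *store) Put(k, v string) error     { s.size += len(k) + len(v); return nil }
func (s *store) UserAdd(name string) error { s.size += len(name); return nil }

// partialQuota guards Put only; UserAdd is promoted from the embedded store unchecked.
type partialQuota struct{ *store }
func (q partialQuota) Put(k, v string) error {
	if q.size+len(k)+len(v) > q.quota {
		return ErrNoSpace
	}
	return q.store.Put(k, v)
}

// fullQuota adds the missing guard on the auth write.
type fullQuota struct{ partialQuota }
func (q fullQuota) UserAdd(name string) error {
	if q.size+len(name) > q.quota {
		return ErrNoSpace
	}
	return q.store.UserAdd(name)
}

func Partial(s *store) Applier { return partialQuota{s} }
func Full(s *store) Applier    { return fullQuota{partialQuota{s}} }
// FillThenAddUser fills a 64-byte store via Put, then attempts a UserAdd.
func FillThenAddUser(wrap func(*store) Applier) (int, error) {
	s := &store{quota: 64}
	a := wrap(s)
	for a.Put("key", "0123456789") == nil {
	}
	err := a.UserAdd("user-with-a-long-name")
	return s.size, err
}

func main() {
	fmt.Println(FillThenAddUser(Partial)) // 73 <nil>
	fmt.Println(FillThenAddUser(Full))    // 52 no space
}
```

The same fill-then-call check, repeated for every API that writes to the store, is the kind of coverage the thread asks for before changing the appliers.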