diff --git a/server/etcdserver/api/etcdhttp/peer.go b/server/etcdserver/api/etcdhttp/peer.go index de5948d30f50..2df6c0d88d5e 100644 --- a/server/etcdserver/api/etcdhttp/peer.go +++ b/server/etcdserver/api/etcdhttp/peer.go @@ -23,7 +23,9 @@ import ( "strings" "go.uber.org/zap" + "google.golang.org/grpc/metadata" + "go.etcd.io/etcd/api/v3/v3rpc/rpctypes" "go.etcd.io/etcd/client/pkg/v3/types" "go.etcd.io/etcd/server/v3/etcdserver" "go.etcd.io/etcd/server/v3/etcdserver/api" @@ -137,7 +139,14 @@ func (h *peerMemberPromoteHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ return } - resp, err := h.server.PromoteMember(r.Context(), id) + // reconstruct gRPC metadata from HTTP header (if present) so admin check can pass + ctx := r.Context() + if tok := r.Header.Get("Authorization"); tok != "" { + md := metadata.New(map[string]string{rpctypes.TokenFieldNameGRPC: tok}) + ctx = metadata.NewIncomingContext(ctx, md) + } + + resp, err := h.server.PromoteMember(ctx, id) if err != nil { switch { case errorspkg.Is(err, membership.ErrIDNotFound): diff --git a/server/etcdserver/cluster_util.go b/server/etcdserver/cluster_util.go index 425ed971cdf8..d791907c4380 100644 --- a/server/etcdserver/cluster_util.go +++ b/server/etcdserver/cluster_util.go @@ -27,7 +27,9 @@ import ( "github.com/coreos/go-semver/semver" "go.uber.org/zap" + "google.golang.org/grpc/metadata" + "go.etcd.io/etcd/api/v3/v3rpc/rpctypes" "go.etcd.io/etcd/api/v3/version" "go.etcd.io/etcd/client/pkg/v3/types" "go.etcd.io/etcd/server/v3/etcdserver/api/membership" @@ -305,6 +307,20 @@ func promoteMemberHTTP(ctx context.Context, url string, id uint64, peerRt http.R if err != nil { return nil, err } + + // add the auth token via HTTP header if present in gRPC metadata + if md, ok := metadata.FromIncomingContext(ctx); ok { + ts, ok := md[rpctypes.TokenFieldNameGRPC] + if !ok { + ts, ok = md[rpctypes.TokenFieldNameSwagger] + } + + if ok && len(ts) > 0 { + token := ts[0] + req.Header.Set("Authorization", token) + } + } + req = req.WithContext(ctx) resp, err := cc.Do(req) if err != nil { diff --git a/tests/e2e/ctl_v3_member_test.go b/tests/e2e/ctl_v3_member_test.go index e9d302716d56..b3a54292b377 100644 --- a/tests/e2e/ctl_v3_member_test.go +++ b/tests/e2e/ctl_v3_member_test.go @@ -15,6 +15,7 @@ package e2e import ( + "context" "encoding/json" "errors" "fmt" @@ -46,6 +47,15 @@ func TestCtlV3MemberAdd(t *testing.T) { testCtl(t, memberAddTest) } func TestCtlV3MemberAddAsLearner(t *testing.T) { testCtl(t, memberAddAsLearnerTest) } func TestCtlV3MemberUpdate(t *testing.T) { testCtl(t, memberUpdateTest) } + +func TestCtlV3MemberPromoteWithAuthFromLeader(t *testing.T) { + testCtl(t, memberPromoteWithAuth(false), withTestTimeout(30*time.Second)) +} + +func TestCtlV3MemberPromoteWithAuthFromFollower(t *testing.T) { + testCtl(t, memberPromoteWithAuth(true), withTestTimeout(30*time.Second)) +} + func TestCtlV3MemberUpdateNoTLS(t *testing.T) { testCtl(t, memberUpdateTest, withCfg(*e2e.NewConfigNoTLS())) } @@ -263,6 +273,49 @@ func memberAddAsLearnerTest(cx ctlCtx) { require.NoError(cx.t, ctlV3MemberAdd(cx, peerURL, true)) } +func memberPromoteWithAuth(fromFollower bool) func(cx ctlCtx) { + return func(cx ctlCtx) { + ctx := context.Background() + + // Add a regular member + _, err := cx.epc.StartNewProc(ctx, nil, cx.t, false) + require.NoError(cx.t, err) + + var learnerID uint64 + var addErr error + for { + // Add a learner once the cluster is healthy + learnerID, addErr = cx.epc.StartNewProc(ctx, nil, cx.t, true) + if addErr != nil { + if strings.Contains(addErr.Error(), "etcdserver: unhealthy cluster") { + time.Sleep(1 * time.Second) + continue + } + } + break + } + require.NoError(cx.t, addErr) + + leaderIdx := cx.epc.WaitLeader(cx.t) + followerIdx := (leaderIdx + 1) % len(cx.epc.Procs) + + require.NoError(cx.t, authEnable(cx)) + cx.user, cx.pass = "root", "root" + + if fromFollower { + _, err = cx.epc.Procs[followerIdx]. + Etcdctl(e2e.WithAuth("root", "root")). + MemberPromote(ctx, learnerID) + } else { + _, err = cx.epc.Procs[leaderIdx]. + Etcdctl(e2e.WithAuth("root", "root")). + MemberPromote(ctx, learnerID) + } + + require.NoError(cx.t, err) + } +} + func ctlV3MemberAdd(cx ctlCtx, peerURL string, isLearner bool) error { cmdArgs := append(cx.PrefixArgs(), "member", "add", "newmember", fmt.Sprintf("--peer-urls=%s", peerURL)) asLearner := " "