Merge pull request #20370 from k8s-infra-cherrypick-robot/cherry-pick-20368-to-release-3.6

ahrtr · web-flow · commit e3a33657f15d · 2025-07-21T16:49:45.000+01:00
[release-3.6] Fix v2store check returning wrong result even there isn't any auth data
diff --git a/server/etcdserver/api/membership/storev2.go b/server/etcdserver/api/membership/storev2.go
@@ -47,8 +47,66 @@ func IsMetaStoreOnly(store v2store.Store) (bool, error) {
 	if err != nil {
 		return false, err
 	}
+
+	// storePermsPrefix is the internal prefix of the storage layer dedicated to storing user data.
+	// refer to https://github.com/etcd-io/etcd/blob/v3.5.21/server/etcdserver/api/v2auth/auth.go#L40
+	storePermsPrefix := "/2"
 	for _, n := range event.Node.Nodes {
-		if n.Key != storePrefix && n.Nodes.Len() > 0 {
+		if n.Key == storePrefix {
+			continue
+		}
+
+		// For auth data, even after we remove all users and roles, the node
+		// "/2/roles" and "/2/users" are still present in the tree. We need
+		// to exclude such case. See an example below,
+		// Refer to https://github.com/etcd-io/etcd/discussions/20231#discussioncomment-13791940
+		/*
+			"2": {
+				"Path": "/2",
+					"CreatedIndex": 204749,
+					"ModifiedIndex": 204749,
+					"ExpireTime": "0001-01-01T00:00:00Z",
+					"Value": "",
+					"Children": {
+					"enabled": {
+						"Path": "/2/enabled",
+							"CreatedIndex": 204752,
+							"ModifiedIndex": 16546016,
+							"ExpireTime": "0001-01-01T00:00:00Z",
+							"Value": "false",
+							"Children": null
+					},
+					"roles": {
+						"Path": "/2/roles",
+							"CreatedIndex": 204751,
+							"ModifiedIndex": 204751,
+							"ExpireTime": "0001-01-01T00:00:00Z",
+							"Value": "",
+							"Children": {}
+					},
+					"users": {
+						"Path": "/2/users",
+							"CreatedIndex": 204750,
+							"ModifiedIndex": 204750,
+							"ExpireTime": "0001-01-01T00:00:00Z",
+							"Value": "",
+							"Children": {}
+					}
+				}
+			}
+		*/
+		if n.Key == storePermsPrefix {
+			if n.Nodes.Len() > 0 {
+				for _, child := range n.Nodes {
+					if child.Nodes.Len() > 0 {
+						return false, nil
+					}
+				}
+			}
+			continue
+		}
+
+		if n.Nodes.Len() > 0 {
 			return false, nil
 		}
 	}
diff --git a/server/etcdserver/api/membership/storev2_test.go b/server/etcdserver/api/membership/storev2_test.go
@@ -54,3 +54,23 @@ func TestIsMetaStoreOnly(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Falsef(t, metaOnly, "Just created v2store should be meta-only")
 }
+
+func TestIsMetaStoreOnlyWithAuthData(t *testing.T) {
+	s := v2store.New("/0", "/1")
+
+	metaOnly, err := IsMetaStoreOnly(s)
+	require.NoError(t, err)
+	assert.Truef(t, metaOnly, "Just created v2store should be meta-only")
+
+	_, err = s.Create("/2/roles", true, "", false, v2store.TTLOptionSet{ExpireTime: v2store.Permanent})
+	require.NoError(t, err)
+	metaOnly, err = IsMetaStoreOnly(s)
+	require.NoError(t, err)
+	assert.Truef(t, metaOnly, "Just created empty roles directory should be meta-only")
+
+	_, err = s.Create("/2/users", true, "", false, v2store.TTLOptionSet{ExpireTime: v2store.Permanent})
+	require.NoError(t, err)
+	metaOnly, err = IsMetaStoreOnly(s)
+	require.NoError(t, err)
+	assert.Truef(t, metaOnly, "Just created empty users directory should be meta-only")
+}
