etcd v2 auth guest role not working in non tls mode

[shyamradhakrishnan]

in etcd v3.0.4, guest role is not working in default installation, when tls had not been configured.
Steps to reproduce

1. Unzip etcd-v3.0.4-linux-amd64.tar.gz
2. cd etcd-v3.0.4-linux-amd64
3. Start the etcd server
4. ./etcdctl mk key1 value1
5. ./etcdctl user add root
6. ./etcdctl auth enable

Try to get key1 uysing ./etcdctl get key1 , it fails with an error
Error: 110: The request requires user authentication (Insufficient credentials) [0]
The same test case is working for etcd v 3.0.3 and previous versions.
As far as I can see, this is because of the line

if r.Header.Get("Authorization") == "" && clientCertAuthEnabled {
    user = userFromClientCertificate(sec, r)
    if user == nil {
        plog.Warningf("auth: no authorization provided, checking guest access")
        return hasGuestAccess(sec, r, key)
    }

in ./etcdserver/api/v2http/client_auth.go
In my case I think clientCertAuthEnabled is not enabled as I am not using tls.

Please confirm if the change in behavior is intended or if this is a bug.

[gyuho]

Please try

./etcdctl --endpoints=http://localhost:2379 mk key1 value1
./etcdctl --endpoints=http://localhost:2379 user add root
./etcdctl --endpoints=http://localhost:2379 auth enable
./etcdctl --endpoints=http://localhost:2379 -u root:password get key1

# Without password, it will error
# Error:  110: The request requires user authentication (Insufficient credentials) [0]

And I believe this is the correct behavior. In versions prior to v3.0.4, this works without password:

./etcdctl --endpoints=http://localhost:2379 get key1

@xiang90, or did we expect this to work in etcd version 2?

[xiang90]

If auth == "" && we cannot find the user. we should mark it as "" again. "" might mean guest.

[gyuho]

@xiang90 Ok, I will try to fix it with tests. Thanks.