etcdserver: allow non-admin to fetch member list and alarms #21538

Merged
fuweid merged 1 commit into main from allow-non-admin-user-to-list-members
Mar 31, 2026

Conversation

@fuweid
Member

@fuweid fuweid commented Mar 27, 2026

In some environments, etcd members do not have stable hostnames or IP addresses. During maintenance, all etcd nodes may be replaced, resulting in new hostnames and IPs for every member. In that case, clients such as Patroni can lose access to the cluster entirely if they are not allowed to refresh the member list.

Allow non-admin users to fetch the member list so they can rediscover updated member endpoints after such topology changes.

@ahrtr @serathius @ivanvc @CyberDem0n

REF: #21516 (comment)

@ahrtr
Member

ahrtr commented Mar 27, 2026

We might want to relax the permission to ListAlarm as well: allow any authenticated user to list alarms; otherwise we might see similar complaints soon.

@codecov

codecov bot commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 35.29412% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.44%. Comparing base (0fd953c) to head (a2987fd).
⚠️ Report is 13 commits behind head on main.

Files with missing lines | Patch % | Lines
server/etcdserver/api/v3rpc/auth.go | 33.33% | 6 Missing ⚠️
server/etcdserver/api/v3rpc/maintenance.go | 42.85% | 2 Missing and 2 partials ⚠️
server/etcdserver/server.go | 0.00% | 0 Missing and 1 partial ⚠️
Additional details and impacted files
Files with missing lines | Coverage Δ
server/etcdserver/server.go | 83.16% <0.00%> (+0.07%) ⬆️
server/etcdserver/api/v3rpc/maintenance.go | 73.77% <42.85%> (-0.39%) ⬇️
server/etcdserver/api/v3rpc/auth.go | 51.48% <33.33%> (-1.78%) ⬇️

... and 20 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #21538      +/-   ##
==========================================
- Coverage   68.46%   68.44%   -0.02%     
==========================================
  Files         428      428              
  Lines       35383    35397      +14     
==========================================
+ Hits        24226    24229       +3     
- Misses       9749     9760      +11     
  Partials     1408     1408              

In some environments, etcd members do not have stable hostnames or IP
addresses. During maintenance, all etcd nodes may be replaced, resulting in
new hostnames and IPs for every member. In that case, clients such as Patroni
can lose access to the cluster entirely if they are not allowed to refresh the
member list.

Allow non-admin users to fetch the member list so they can rediscover updated
member endpoints after such topology changes.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
fuweid force-pushed the allow-non-admin-user-to-list-members branch from 851f615 to a2987fd, March 27, 2026 22:26
fuweid changed the title from "server/etcdserver: allow non-admin to fetch member list" to "etcdserver: allow non-admin to fetch member list and alarms", Mar 27, 2026
@ivanvc
Member

ivanvc commented Mar 28, 2026

Is this a blocker for 3.6.10, et al?

@ahrtr
Member

ahrtr commented Mar 28, 2026

/ok-to-test

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahrtr, fuweid

@ahrtr
Member

ahrtr commented Mar 28, 2026

> Is this a blocker for 3.6.10, et al?

Yes, we need to backport this PR to stable releases.

@serathius
Member

> Allow non-admin users to fetch the member list so they can rediscover updated member endpoints after such topology changes.

If all nodes were replaced, then who would you ask for member list?

@CyberDem0n

> If all nodes were replaced, then who would you ask for member list?

Nodes aren't replaced instantly, querying topology every 30s-5min usually allows catching all changes.
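
The exchange above, modelled as an added example (not code from this PR or from etcd): a constructed 3-member cluster is replaced one member at a time, and the client keeps access only if it is permitted to list members and refreshes before every endpoint it knows has been retired. The addresses, tick units and the `survives`/`reachable` helpers are assumptions made for illustration.

```go
package main

import "fmt"

// survives models a rolling replacement of a 3-member cluster (constructed
// model, not etcd code). One member gets a new address every replaceEvery
// ticks; the client re-reads the member list every refreshEvery ticks, and
// only if canList is true (the permission discussed in this PR).
// It reports whether the client still knows a live endpoint at the end.
func survives(canList bool, refreshEvery, replaceEvery int) bool {
	members := []string{"10.0.0.1", "10.0.0.2", "10.0.0.3"}
	known := append([]string(nil), members...) // client's cached endpoints
	end := replaceEvery*len(members) + refreshEvery
	for tick := 1; tick <= end; tick++ {
		if tick%replaceEvery == 0 && tick/replaceEvery <= len(members) {
			i := tick/replaceEvery - 1
			members[i] = fmt.Sprintf("10.0.1.%d", i+1) // member comes back on a new address
		}
		// A refresh needs both the permission and one cached endpoint that is still alive.
		if tick%refreshEvery == 0 && canList && reachable(known, members) {
			known = append(known[:0], members...)
		}
	}
	return reachable(known, members)
}

// reachable reports whether any cached endpoint is still a live member.
func reachable(known, members []string) bool {
	live := map[string]bool{}
	for _, m := range members {
		live[m] = true
	}
	for _, k := range known {
		if live[k] {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("allowed, refresh every 5: ", survives(true, 5, 10))
	fmt.Println("denied, refresh every 5:  ", survives(false, 5, 10))
	fmt.Println("allowed, refresh every 30:", survives(true, 30, 10))
}
```

In this model a refresh interval equal to the full replacement window (30 ticks here) already loses the cluster, which is why the polling interval has to be shorter than the time it takes to replace every member.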

@fuweid
Member Author

fuweid commented Mar 31, 2026

Is there any objection for this change?

6 participants