Is it normal that leases are granted and kept alive unauthenticated?

[nlyan]

I've noticed that (via the GRPC proxy at least) anybody can create ("grant") and keepalive leases, even if they are not authenticated (do not send the Authorization header)

Is this by design?

Surely this 1) creates the possibility of some sort of denial of service attack (too many open leases?) and 2) means anybody with read access to a key can keepalive that value (because they can read the lease associated with the KV?)

[ahrtr]

I've noticed that (via the GRPC proxy at least) anybody can create ("grant") and keepalive leases, even if they are not authenticated (do not send the Authorization header)

Currently only leaseRevoke will be checked the permission if the lease is connected to keys; otherwise all other lease requests are not checked the permission.

1. creates the possibility of some sort of denial of service attack (too many open leases?)

Yes, it's true based on current implementation. Probably we should allow only admin to create leases, but it will be breaking change. Also unfortunately I do not see detailed document on lease.

2. means anybody with read access to a key can keepalive that value (because they can read the lease associated with the KV?)

This seems like a bug. If the lease is attached keys, then only users who have write permission can keepalive the lease. Could you raise an issue to track it? Thanks.