From 3b53146b495220c59e5122e84582f6bef4bdd3f3 Mon Sep 17 00:00:00 2001 From: primeroz Date: Fri, 25 May 2018 08:53:57 +0100 Subject: [PATCH] Documentation: Add support notes for Using TLS common name in RBAC and support for inter-peer CN filtering --- Documentation/op-guide/authentication.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Documentation/op-guide/authentication.md b/Documentation/op-guide/authentication.md index a528a8d04..41887fbd0 100644 --- a/Documentation/op-guide/authentication.md +++ b/Documentation/op-guide/authentication.md 
@@ -160,5 +160,7 @@ $ etcdctl --user user get foo Otherwise, all `etcdctl` commands remain the same. Users and roles can still be created and modified, but require authentication by a user with the root role. ## Using TLS Common Name +As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. -If an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. +As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` filtering of CN inter-peer connections is enabled. Nodes can only join the etcd cluster if their CN match the allowed one. +See [etcd security page](https://github.com/coreos/etcd/blob/master/Documentation/op-guide/security.md) for more details.
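Review bot: the added v3.3 sentence never says what `--peer-cert-allowed-cn` takes as its value, and "their CN match the allowed one" has a number agreement error; suggest rewording it along the lines of "As of v3.3, if an etcd server is launched with `--peer-cert-allowed-cn=<name>`, inter-peer connections are filtered by CN: a node can only join the cluster if the CN in its peer certificate matches the allowed name." The prepended "As of version v3.2" on the re-added paragraph also needs a comma before "if". Finally, since this file lives in `Documentation/op-guide/` next to `security.md`, a relative link (`[etcd security page](security.md)`) keeps the reference valid for a given release, whereas the absolute github.com URL always points at master and can drift from the version the reader has deployed.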