Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

etcdman, pkg: Rename new flags to 'hostname'

Browse Source
This commit is contained in:
John Millikin 2019-07-03 09:41:37 +09:00
parent 9a53601a18
commit 5824421f8b
No known key found for this signature in database
GPG Key ID: 1F7686B8DA217791
7 changed files with 24 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Documentation/op-guide/authentication.md
View File

@ -171,6 +171,6 @@ Otherwise, all `etcdctl` commands remain the same. Users and roles can still be
## Using TLS Common Name ## Using TLS Common Name
As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. Note that this feature cannot be used with gRPC-proxy and gRPC-gateway. This is because gRPC-proxy terminates TLS from its client so all the clients share a cert of the proxy. gRPC-gateway uses a TLS connection internally for transforming HTTP request to gRPC request so it shares the same limitation. Therefore the clients cannot provide their CN to the server correctly. gRPC-proxy will cause an error and stop if a given cert has non empty CN. gRPC-proxy returns an error which indicates that the client has an non empty CN in its cert. As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. Note that this feature cannot be used with gRPC-proxy and gRPC-gateway. This is because gRPC-proxy terminates TLS from its client so all the clients share a cert of the proxy. gRPC-gateway uses a TLS connection internally for transforming HTTP request to gRPC request so it shares the same limitation. Therefore the clients cannot provide their CN to the server correctly. gRPC-proxy will cause an error and stop if a given cert has non empty CN. gRPC-proxy returns an error which indicates that the client has an non empty CN in its cert.
As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` or `--peer-cert-allowed-name` filtering of inter-peer connections is enabled. Nodes can only join the etcd cluster if their TLS certificate identity match the allowed one. As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` or `--peer-cert-allowed-hostname` filtering of inter-peer connections is enabled. Nodes can only join the etcd cluster if their TLS certificate identity match the allowed one.
See [etcd security page](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md) for more details. See [etcd security page](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md) for more details.

8
Documentation/op-guide/configuration.md
View File

@ -270,10 +270,10 @@ The security flags help to [build a secure etcd cluster][security].
+ default: "" + default: ""
+ env variable: ETCD_CLIENT_CRL_FILE + env variable: ETCD_CLIENT_CRL_FILE
### --client-cert-allowed-name ### --client-cert-allowed-hostname
+ Allowed Allowed TLS name for client cert authentication. + Allowed Allowed TLS name for client cert authentication.
+ default: "" + default: ""
+ env variable: ETCD_CLIENT_CERT_ALLOWED_NAME + env variable: ETCD_CLIENT_CERT_ALLOWED_HOSTNAME
### --trusted-ca-file ### --trusted-ca-file
+ Path to the client server TLS trusted CA cert file. + Path to the client server TLS trusted CA cert file.
@ -328,10 +328,10 @@ The security flags help to [build a secure etcd cluster][security].
+ default: "" + default: ""
+ env variable: ETCD_PEER_CERT_ALLOWED_CN + env variable: ETCD_PEER_CERT_ALLOWED_CN
### --peer-cert-allowed-name ### --peer-cert-allowed-hostname
+ Allowed TLS certificate name for inter peer authentication. + Allowed TLS certificate name for inter peer authentication.
+ default: "" + default: ""
+ env variable: ETCD_PEER_CERT_ALLOWED_NAME + env variable: ETCD_PEER_CERT_ALLOWED_HOSTNAME
### --cipher-suites ### --cipher-suites
+ Comma-separated list of supported TLS cipher suites between server/client and peers. + Comma-separated list of supported TLS cipher suites between server/client and peers.

4
etcdmain/config.go
View File

@ -200,7 +200,7 @@ func newConfig() *config {
fs.StringVar(&cfg.ec.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.") fs.StringVar(&cfg.ec.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.")
fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.") fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.") fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.")
fs.StringVar(&cfg.ec.ClientTLSInfo.AllowedName, "client-cert-allowed-name", "", "Allowed TLS name for client cert authentication.") fs.StringVar(&cfg.ec.ClientTLSInfo.AllowedHostname, "client-cert-allowed-hostname", "", "Allowed TLS hostname for client cert authentication.")
fs.StringVar(&cfg.ec.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA cert file.") fs.StringVar(&cfg.ec.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA cert file.")
fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates") fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.") fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
@ -210,7 +210,7 @@ func newConfig() *config {
fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates") fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.") fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.") fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedName, "peer-cert-allowed-name", "", "Allowed TLS name for inter peer authentication.") fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
fs.Var( fs.Var(

8
etcdmain/help.go
View File

@ -128,8 +128,8 @@ Security:
Enable client cert authentication. Enable client cert authentication.
--client-crl-file '' --client-crl-file ''
Path to the client certificate revocation list file. Path to the client certificate revocation list file.
--client-cert-allowed-name '' --client-cert-allowed-hostname ''
Allowed TLS name for client cert authentication. Allowed TLS hostname for client cert authentication.
--trusted-ca-file '' --trusted-ca-file ''
Path to the client server TLS trusted CA cert file. Path to the client server TLS trusted CA cert file.
--auto-tls 'false' --auto-tls 'false'
@ -144,8 +144,8 @@ Security:
Path to the peer server TLS trusted CA file. Path to the peer server TLS trusted CA file.
--peer-cert-allowed-cn '' --peer-cert-allowed-cn ''
Required CN for client certs connecting to the peer endpoint. Required CN for client certs connecting to the peer endpoint.
--peer-cert-allowed-name '' --peer-cert-allowed-hostname ''
Allowed TLS name for inter peer authentication. Allowed TLS hostname for inter peer authentication.
--peer-auto-tls 'false' --peer-auto-tls 'false'
Peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided. Peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided.
--peer-crl-file '' --peer-crl-file ''

15
pkg/transport/listener.go
View File

@ -88,9 +88,9 @@ type TLSInfo struct {
// AllowedCN is a CN which must be provided by a client. // AllowedCN is a CN which must be provided by a client.
AllowedCN string AllowedCN string
// AllowedName is an IP address or hostname that must match the TLS // AllowedHostname is an IP address or hostname that must match the TLS
// certificate provided by a client. // certificate provided by a client.
AllowedName string AllowedHostname string
// Logger logs TLS errors. // Logger logs TLS errors.
// If nil, all logs are discarded. // If nil, all logs are discarded.
@ -264,20 +264,21 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
// or a more general check of the CN and SANs. // or a more general check of the CN and SANs.
var verifyCertificate func(*x509.Certificate) bool var verifyCertificate func(*x509.Certificate) bool
if info.AllowedCN != "" { if info.AllowedCN != "" {
if info.AllowedName != "" { if info.AllowedHostname != "" {
return nil, fmt.Errorf("AllowedCN and AllowedName are mutually exclusive (cn=%q, name=%q)", info.AllowedCN, info.AllowedName) return nil, fmt.Errorf("AllowedCN and AllowedHostname are mutually exclusive (cn=%q, hostname=%q)", info.AllowedCN, info.AllowedHostname)
} }
verifyCertificate = func(cert *x509.Certificate) bool { verifyCertificate = func(cert *x509.Certificate) bool {
return info.AllowedCN == cert.Subject.CommonName return info.AllowedCN == cert.Subject.CommonName
} }
} }
if info.AllowedName != "" { if info.AllowedHostname != "" {
verifyCertificate = func(cert *x509.Certificate) bool { verifyCertificate = func(cert *x509.Certificate) bool {
return cert.VerifyHostname(info.AllowedName) == nil return cert.VerifyHostname(info.AllowedHostname) == nil
} }
} }
if verifyCertificate != nil { if verifyCertificate != nil {
cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
fmt.Fprintf(os.Stderr, "== VERIFY PEER CERT (%d verified chains)\n", len(verifiedChains))
for _, chains := range verifiedChains { for _, chains := range verifiedChains {
if len(chains) != 0 { if len(chains) != 0 {
if verifyCertificate(chains[0]) { if verifyCertificate(chains[0]) {
@ -285,6 +286,7 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
} }
} }
} }
fmt.Fprintf(os.Stderr, "== VERIFY PEER CERT\n")
return errors.New("client certificate authentication failed") return errors.New("client certificate authentication failed")
} }
} }
@ -362,6 +364,7 @@ func (info TLSInfo) ServerConfig() (*tls.Config, error) {
} }
cs := info.cafiles() cs := info.cafiles()
fmt.Fprintf(os.Stderr, "== CAFILES: %v\n", cs)
if len(cs) > 0 { if len(cs) > 0 {
cp, err := tlsutil.NewCertPool(cs) cp, err := tlsutil.NewCertPool(cs)
if err != nil { if err != nil {

2
pkg/transport/listener_tls.go
View File

@ -21,6 +21,7 @@ import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net" "net"
"os"
"strings" "strings"
"sync" "sync"
) )
@ -98,6 +99,7 @@ func checkSAN(ctx context.Context, tlsConn *tls.Conn) error {
st := tlsConn.ConnectionState() st := tlsConn.ConnectionState()
if certs := st.PeerCertificates; len(certs) > 0 { if certs := st.PeerCertificates; len(certs) > 0 {
addr := tlsConn.RemoteAddr().String() addr := tlsConn.RemoteAddr().String()
fmt.Fprintf(os.Stderr, "checkSAN(addr=%q, certs=%v)\n", addr, certs)
return checkCertSAN(ctx, certs[0], addr) return checkCertSAN(ctx, certs[0], addr)
} }
return nil return nil

4
tests/e2e/etcd_config_test.go
View File

@ -234,7 +234,7 @@ func TestEtcdPeerNameAuth(t *testing.T) {
"--peer-key-file", privateKeyPath, "--peer-key-file", privateKeyPath,
"--peer-trusted-ca-file", caPath, "--peer-trusted-ca-file", caPath,
"--peer-client-cert-auth", "--peer-client-cert-auth",
"--peer-cert-allowed-name", "example.com", "--peer-cert-allowed-hostname", "example.com",
} }
} else { } else {
args = []string{ args = []string{
@ -242,7 +242,7 @@ func TestEtcdPeerNameAuth(t *testing.T) {
"--peer-key-file", privateKeyPath2, "--peer-key-file", privateKeyPath2,
"--peer-trusted-ca-file", caPath, "--peer-trusted-ca-file", caPath,
"--peer-client-cert-auth", "--peer-client-cert-auth",
"--peer-cert-allowed-name", "example2.com", "--peer-cert-allowed-hostname", "example2.com",
} }
} }