From a9a9466fb8ba11ad7bb6a44d7446fbd072d59887 Mon Sep 17 00:00:00 2001 From: Sam Batschelet Date: Thu, 3 Jan 2019 10:58:06 -0500 Subject: [PATCH] Documentation: document gRPC-gateway CN authentication support Signed-off-by: Sam Batschelet --- Documentation/dev-guide/api_grpc_gateway.md | 2 ++ Documentation/op-guide/authentication.md | 3 ++- Documentation/op-guide/configuration.md | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Documentation/dev-guide/api_grpc_gateway.md b/Documentation/dev-guide/api_grpc_gateway.md index 1994dbf33..e8cfc3f2a 100644 --- a/Documentation/dev-guide/api_grpc_gateway.md +++ b/Documentation/dev-guide/api_grpc_gateway.md @@ -18,6 +18,8 @@ gRPC gateway endpoint has changed since etcd v3.3: - etcd v3.5 or later uses only `[CLIENT-URL]/v3/*`. - **`[CLIENT-URL]/v3beta/*` is deprecated**. +gRPC-gateway does not support authentication using TLS Common Name. + ### Put and get keys Use the `/v3/kv/range` and `/v3/kv/put` services to read and write keys: diff --git a/Documentation/op-guide/authentication.md b/Documentation/op-guide/authentication.md index 41655b7e1..471eff1db 100644 --- a/Documentation/op-guide/authentication.md +++ b/Documentation/op-guide/authentication.md 
@@ -167,7 +167,8 @@ $ etcdctl --user user --password password get foo Otherwise, all `etcdctl` commands remain the same. Users and roles can still be created and modified, but require authentication by a user with the root role. ## Using TLS Common Name -As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. +As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. gRPC-gateway does not support authentication using TLS Common Name. As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` filtering of CN inter-peer connections is enabled. Nodes can only join the etcd cluster if their CN match the allowed one. See [etcd security page](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md) for more details. + diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md index cb01958f1..5065615c8 100644 --- a/Documentation/op-guide/configuration.md +++ b/Documentation/op-guide/configuration.md 
@@ -261,6 +261,7 @@ The security flags help to [build a secure etcd cluster][security]. + Enable client cert authentication. + default: false + env variable: ETCD_CLIENT_CERT_AUTH ++ CN authentication is not supported by gRPC-gateway. ### --client-crl-file + Path to the client certificate revocation list file.
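Review bot: in the `api_grpc_gateway.md` hunk the new sentence `gRPC-gateway does not support authentication using TLS Common Name.` is dropped between the endpoint-version list and `### Put and get keys` with no link to where CN authentication is described, so a reader of the gateway guide cannot find the `--client-cert-auth=true` behaviour it refers to; suggest linking the section, e.g. `See [Using TLS Common Name](../op-guide/authentication.md#using-tls-common-name).`, and stating what a gateway client must use instead (username and password), so the note is actionable rather than a bare restriction.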
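Review bot: in the `authentication.md` hunk the whole existing paragraph is removed and re-added only to append one sentence, which makes the change hard to review and buries the new restriction at the tail of a paragraph about password-versus-CN precedence; put `gRPC-gateway does not support authentication using TLS Common Name.` on its own line after that paragraph instead. The trailing `+` with no content also adds an empty line after the security-page link; drop it unless the file was missing its final newline.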
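Review bot: in the `configuration.md` hunk the added bullet `+ CN authentication is not supported by gRPC-gateway.` sits among the flag's attribute bullets (`default:`, `env variable:`) and uses wording that differs from the other two files (`gRPC-gateway does not support authentication using TLS Common Name`); use one phrasing in all three places so a search finds every occurrence, and clarify whether `--client-cert-auth` still verifies client certificates on gateway connections with only the CN-to-user mapping skipped, or whether the flag has no effect on the gateway at all, since the bullet as written leaves both readings open.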