mirror of
https://github.com/etcd-io/etcd.git
synced 2024-09-27 06:25:44 +00:00
6259318521
This commit adds a functionality of attaching an auth token to gRPC connection as a per RPC credential. For doing this, this commit lets clientv3.Client.Dial() create a dedicated gRPC connection for doing authentication. With the dedicated connection, the client calls Authenticate() RPC and obtain its token. The token is attached to the main gRPC connection with grpc.WithPerRPCCredentials(). This commit also adds a new option --username to etcdctl (v3). With this option, etcdctl attaches its auth token to the main gRPC connection (currently it is not used at all).
118 lines
2.7 KiB
Go
118 lines
2.7 KiB
Go
// Copyright 2016 The etcd Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package clientv3
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"io/ioutil"
|
|
"time"
|
|
|
|
"github.com/coreos/etcd/pkg/tlsutil"
|
|
"github.com/ghodss/yaml"
|
|
"google.golang.org/grpc"
|
|
)
|
|
|
|
// EndpointDialer is a policy for choosing which endpoint to dial next
|
|
type EndpointDialer func(*Client) (*grpc.ClientConn, error)
|
|
|
|
type Config struct {
|
|
// Endpoints is a list of URLs
|
|
Endpoints []string
|
|
|
|
// RetryDialer chooses the next endpoint to use
|
|
RetryDialer EndpointDialer
|
|
|
|
// DialTimeout is the timeout for failing to establish a connection.
|
|
DialTimeout time.Duration
|
|
|
|
// TLS holds the client secure credentials, if any.
|
|
TLS *tls.Config
|
|
|
|
// Logger is the logger used by client library.
|
|
Logger Logger
|
|
|
|
// Username is a username of authentication
|
|
Username string
|
|
|
|
// Password is a password of authentication
|
|
Password string
|
|
}
|
|
|
|
type yamlConfig struct {
|
|
Endpoints []string `json:"endpoints"`
|
|
DialTimeout time.Duration `json:"dial-timeout"`
|
|
InsecureTransport bool `json:"insecure-transport"`
|
|
InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify"`
|
|
Certfile string `json:"cert-file"`
|
|
Keyfile string `json:"key-file"`
|
|
CAfile string `json:"ca-file"`
|
|
}
|
|
|
|
func configFromFile(fpath string) (*Config, error) {
|
|
b, err := ioutil.ReadFile(fpath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
yc := &yamlConfig{}
|
|
|
|
err = yaml.Unmarshal(b, yc)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
cfg := &Config{
|
|
Endpoints: yc.Endpoints,
|
|
DialTimeout: yc.DialTimeout,
|
|
}
|
|
|
|
if yc.InsecureTransport {
|
|
cfg.TLS = nil
|
|
return cfg, nil
|
|
}
|
|
|
|
var (
|
|
cert *tls.Certificate
|
|
cp *x509.CertPool
|
|
)
|
|
|
|
if yc.Certfile != "" && yc.Keyfile != "" {
|
|
cert, err = tlsutil.NewCert(yc.Certfile, yc.Keyfile, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
if yc.CAfile != "" {
|
|
cp, err = tlsutil.NewCertPool([]string{yc.CAfile})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
tlscfg := &tls.Config{
|
|
MinVersion: tls.VersionTLS10,
|
|
InsecureSkipVerify: yc.InsecureSkipTLSVerify,
|
|
RootCAs: cp,
|
|
}
|
|
if cert != nil {
|
|
tlscfg.Certificates = []tls.Certificate{*cert}
|
|
}
|
|
cfg.TLS = tlscfg
|
|
|
|
return cfg, nil
|
|
}
|