mirror of
				https://github.com/etcd-io/etcd.git
				synced 2024-09-27 06:25:44 +00:00 
			
		
		
		
	 2b3aa7e1d4
			
		
	
	
		2b3aa7e1d4
		
			
		
	
	
	
	
		
			
			Documentation: Add etcd version support notes for Using TLS common name in RBAC and notes about inter-peer CN filtering
		
			
				
	
	
		
			174 lines
		
	
	
		
			5.4 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			174 lines
		
	
	
		
			5.4 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # Role-based access control
 | |
| 
 | |
| ## Overview
 | |
| 
 | |
| Authentication was added in etcd 2.1. The etcd v3 API slightly modified the authentication feature's API and user interface to better fit the new data model. This guide is intended to help users set up basic authentication and role-based access control in etcd v3.
 | |
| 
 | |
| ## Special users and roles
 | |
| 
 | |
| There is one special user, `root`, and one special role, `root`.
 | |
| 
 | |
| ### User `root`
 | |
| 
 | |
| The `root` user, which has full access to etcd, must be created before activating authentication. The idea behind the `root` user is for administrative purposes: managing roles and ordinary users. The `root` user must have the `root` role and is allowed to change anything inside etcd.
 | |
| 
 | |
| ### Role `root`
 | |
| 
 | |
| The role `root` may be granted to any user, in addition to the root user. A user with the `root` role has both global read-write access and permission to update the cluster's authentication configuration. Furthermore, the `root` role grants privileges for general cluster maintenance, including modifying cluster membership, defragmenting the store, and taking snapshots.
 | |
| 
 | |
| ## Working with users
 | |
| 
 | |
| The `user` subcommand for `etcdctl` handles all things having to do with user accounts.
 | |
| 
 | |
| A listing of users can be found with:
 | |
| 
 | |
| ```
 | |
| $ etcdctl user list
 | |
| ```
 | |
| 
 | |
| Creating a user is as easy as
 | |
| 
 | |
| ```
 | |
| $ etcdctl user add myusername
 | |
| ```
 | |
| 
 | |
| Creating a new user will prompt for a new password. The password can be supplied from standard input when an option `--interactive=false` is given. `--new-user-password` can also be used for supplying the password.
 | |
| 
 | |
| Roles can be granted and revoked for a user with:
 | |
| 
 | |
| ```
 | |
| $ etcdctl user grant-role myusername foo
 | |
| $ etcdctl user revoke-role myusername bar
 | |
| ```
 | |
| 
 | |
| The user's settings can be inspected with:
 | |
| 
 | |
| ```
 | |
| $ etcdctl user get myusername
 | |
| ```
 | |
| 
 | |
| And the password for a user can be changed with
 | |
| 
 | |
| ```
 | |
| $ etcdctl user passwd myusername
 | |
| ```
 | |
| 
 | |
| Changing the password will prompt again for a new password. The password can be supplied from standard input when an option `--interactive=false` is given.
 | |
| 
 | |
| Delete an account with:
 | |
| ```
 | |
| $ etcdctl user delete myusername
 | |
| ```
 | |
| 
 | |
| 
 | |
| ## Working with roles
 | |
| 
 | |
| The `role` subcommand for `etcdctl` handles all things having to do with access controls for particular roles, as were granted to individual users.
 | |
| 
 | |
| List roles with:
 | |
| 
 | |
| ```
 | |
| $ etcdctl role list
 | |
| ```
 | |
| 
 | |
| Create a new role with:
 | |
| 
 | |
| ```
 | |
| $ etcdctl role add myrolename
 | |
| ```
 | |
| 
 | |
| A role has no password; it merely defines a new set of access rights.
 | |
| 
 | |
| Roles are granted access to a single key or a range of keys.
 | |
| 
 | |
| The range can be specified as an interval [start-key, end-key) where start-key should be lexically less than end-key in an alphabetical manner.
 | |
| 
 | |
| Access can be granted as either read, write, or both, as in the following examples:
 | |
| 
 | |
| ```
 | |
| # Give read access to a key /foo
 | |
| $ etcdctl role grant-permission myrolename read /foo
 | |
| 
 | |
| # Give read access to keys with a prefix /foo/. The prefix is equal to the range [/foo/, /foo0)
 | |
| $ etcdctl role grant-permission myrolename --prefix=true read /foo/
 | |
| 
 | |
| # Give write-only access to the key at /foo/bar
 | |
| $ etcdctl role grant-permission myrolename write /foo/bar
 | |
| 
 | |
| # Give full access to keys in a range of [key1, key5)
 | |
| $ etcdctl role grant-permission myrolename readwrite key1 key5
 | |
| 
 | |
| # Give full access to keys with a prefix /pub/
 | |
| $ etcdctl role grant-permission myrolename --prefix=true readwrite /pub/
 | |
| ```
 | |
| 
 | |
| To see what's granted, we can look at the role at any time:
 | |
| 
 | |
| ```
 | |
| $ etcdctl role get myrolename
 | |
| ```
 | |
| 
 | |
| Revocation of permissions is done the same logical way:
 | |
| 
 | |
| ```
 | |
| $ etcdctl role revoke-permission myrolename /foo/bar
 | |
| ```
 | |
| 
 | |
| As is removing a role entirely:
 | |
| 
 | |
| ```
 | |
| $ etcdctl role remove myrolename
 | |
| ```
 | |
| 
 | |
| ## Enabling authentication
 | |
| 
 | |
| The minimal steps to enabling auth are as follows. The administrator can set up users and roles before or after enabling authentication, as a matter of preference. 
 | |
| 
 | |
| Make sure the root user is created:
 | |
| 
 | |
| ```
 | |
| $ etcdctl user add root 
 | |
| Password of root:
 | |
| ```
 | |
| 
 | |
| Enable authentication:
 | |
| 
 | |
| ```
 | |
| $ etcdctl auth enable
 | |
| ```
 | |
| 
 | |
| After this, etcd is running with authentication enabled. To disable it for any reason, use the reciprocal command:
 | |
| 
 | |
| ```
 | |
| $ etcdctl --user root:rootpw auth disable
 | |
| ```
 | |
| 
 | |
| ## Using `etcdctl` to authenticate
 | |
| 
 | |
| `etcdctl` supports a similar flag as `curl` for authentication.
 | |
| 
 | |
| ```
 | |
| $ etcdctl --user user:password get foo
 | |
| ```
 | |
| 
 | |
| The password can be taken from a prompt:
 | |
| 
 | |
| ```
 | |
| $ etcdctl --user user get foo
 | |
| ```
 | |
| 
 | |
| The password can also be taken from a command line flag `--password`:
 | |
| 
 | |
| ```
 | |
| $ etcdctl --user user --password password get foo
 | |
| ```
 | |
| 
 | |
| 
 | |
| Otherwise, all `etcdctl` commands remain the same. Users and roles can still be created and modified, but require authentication by a user with the root role.
 | |
| 
 | |
| ## Using TLS Common Name
 | |
| As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized.
 | |
| 
 | |
| As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` filtering of CN inter-peer connections is enabled.  Nodes can only join the etcd cluster if their CN match the allowed one.
 | |
| See [etcd security page](https://github.com/coreos/etcd/blob/master/Documentation/op-guide/security.md) for more details.
 |