I start my etcd cluster using Go etcd/clientv3 with the following parameters:
"--name", "etcd-cluster"
"--data-dir", "/var/lib/etcd",
"--wal-dir", "/var/lib",
"--listen-client-urls", "127.0.0.1:2379",
"--listen-peer-urls", "127.0.0.1:2380",
"--advertise-client-urls", "127.0.0.1:2379",
"--initial-advertise-peer-urls", "127.0.0.1:2380",
"--initial-cluster", "cluster",
"--initial-cluster-state", "new",
"--initial-cluster-token", "election",
"--cert-file", "tls.pem",
"--key-file", "tls.key",
"--client-cert-auth",
"--trusted-ca-file", "ca.pem",
"--peer-client-cert-auth",
"--peer-trusted-ca-file", "peer-ca.pem",
"--peer-cert-file", "peer-cert.pem",
"--peer-key-file", "peer.key",
Then I run the following commands:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add myuser
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role grant-permission myrole read /events/1
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role root root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role myuser myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem auth enable
The etcd documentation for authentication says that if the client uses a TLS certificate, then the CN is taken from that certificate and used as the etcd user. My certificate tls.pem has CN=myuser, and therefore:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
will result in permission denied, which is correct, since only read permission is given to myuser. However, the documentation also says that if the --user option is used along with TLS certificates, then that --user will have priority over the CN. Which means that if I run:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem --user=root:mypass put /events/1 value
then the root user should be used to perform that operation, which I expect to result in OK. However, that doesn't happen, and instead I get the same stuff: permission denied. What can cause that problem? Thank you in advance!
I cannot help with the --user issue, i.e. why it doesn't work. However, why can't you use the following approach? You use TLS auth, which is good, but why don't you create master.clientv3 and myuserN.clientv3, where master is kind of a master TLS certificate with CN=master and the other TLS certificates follow the pattern CN=myuserN, where N=0,1,2,.... Then you grant the root role to the master user and myrole to all myuserN.
In such a case you could use the master certificate to fully control etcd and the other certificates with the myrole role, i.e. having only read permission on the /events/1 key.
Following that idea, you can basically create any other permissions and have one master client to control everything in etcd. Hope that helps :)
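As an added example (not code from the question or the answer), the Go program below mints client certificates following the CN=master / CN=myuserN scheme proposed above and shows which user name etcd will read from each one under --client-cert-auth; issueClientCert, userFromCert and effectiveUser are hypothetical helpers, and the certificates are self-signed stand-ins for ones issued by the CA given to --trusted-ca-file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueClientCert (hypothetical helper) mints a DER-encoded client certificate
// whose Subject CN is the etcd user it authenticates as. Self-signed here for
// brevity; a real one is signed by the CA given to --trusted-ca-file.
func issueClientCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// userFromCert reads Subject.CommonName, the field etcd maps to a user name
// when --client-cert-auth is enabled.
func userFromCert(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// effectiveUser applies the documented rule quoted in the question: an
// explicit --user name takes priority over the certificate CN.
func effectiveUser(userOpt, certCN string) string {
	if userOpt != "" {
		return userOpt
	}
	return certCN
}
```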