How can I properly use etcd Roles to control write permission on specific etcd key?

Question

I start my etcd cluster using Go etcd/clientv3 with the following parameters:

"--name", "etcd-cluster",
"--data-dir", "/var/lib/etcd",
"--wal-dir", "/var/lib",
"--listen-client-urls", "127.0.0.1:2379",
"--listen-peer-urls", "127.0.0.1:2380",
"--advertise-client-urls", "127.0.0.1:2379",
"--initial-advertise-peer-urls", "127.0.0.1:2380",
"--initial-cluster", "cluster",
"--initial-cluster-state", "new",
"--initial-cluster-token", "election",
"--cert-file", "tls.pem",
"--key-file", "tls.key",
"--client-cert-auth",
"--trusted-ca-file", "ca.pem",
"--peer-client-cert-auth",
"--peer-trusted-ca-file", "peer-ca.pem",
"--peer-cert-file", "peer-cert.pem",
"--peer-key-file", "peer.key",

Then I run the following commands:

env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add myuser
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role grant-permission myrole read /events/1
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role root root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role myuser myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem auth enable

The etcd documentation for authentication says that if a client uses a TLS certificate, then the CN is taken from that certificate and used as the etcd user. My certificate tls.pem has CN=myuser, and therefore:

env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value

will result in permission denied, which is correct, since only read permission is given for myuser. However, the documentation also says that if the --user option is used along with TLS certificates, then that --user will have priority over the CN. Which means that if I run:

env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem --user=root:mypass put /events/1 value

then the root user should be used to perform that operation, which I expect to result in OK; however, it doesn't happen, and instead I got the same stuff - permission denied. What can cause that problem? Thank you in advance!

Answer 1

Score: 2

I cannot help with the --user issue, i.e. why it doesn't work; however, why can't you use the following approach? You use TLS auth, that's good, but why don't you create master.clientv3 and myuserN.clientv3, where Master is kinda a master TLS certificate with CN=master and the other TLS certificates follow the pattern CN=myuserN, where N=0,1,2,.... Then you grant the root role to the master user and myrole to all myuserN.

In such a case you could use the master certificate to fully control etcd, and the other certificates with the myrole role, i.e. having only read permission on the /events/1 key.

Following that idea, you can basically create any other permissions and have one master client to control everything in etcd. Hope that helps
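
The certificate-per-identity layout suggested in the answer, written out as etcdctl calls and followed by a check that the grants behave as intended (an added example, not part of the original answer). The file names master.pem/master.key and myuser0.pem/myuser0.key, the helper names, and creating users with --no-password (certificate CN only, etcd 3.4 or later) are assumptions.

```sh
#!/bin/sh
# Assumed files: ca.pem, master.pem/master.key (CN=master),
# myuserN.pem/myuserN.key (CN=myuserN), all signed by the trusted client CA.
ENDPOINT="${ENDPOINT:-localhost:2379}"
export ETCDCTL_API=3

# Run etcdctl with the client certificate of the identity named in $1.
etcd_as() {
  id="$1"; shift
  etcdctl --endpoints="$ENDPOINT" --cacert ca.pem \
          --cert "$id.pem" --key "$id.key" "$@"
}

# Create the users and roles, then switch authentication on.
# $1 = number of read-only myuserN identities (default 3).
setup_roles() {
  n="${1:-3}"
  # `auth enable` is rejected unless a user named root holds the root role.
  etcd_as master user add root --no-password
  etcd_as master role add root
  etcd_as master user grant-role root root
  # The administrative certificate (CN=master) gets full access via root role.
  etcd_as master user add master --no-password
  etcd_as master user grant-role master root
  # Read-only role limited to the single key from the question.
  etcd_as master role add myrole
  etcd_as master role grant-permission myrole read /events/1
  i=0
  while [ "$i" -lt "$n" ]; do
    etcd_as master user add "myuser$i" --no-password
    etcd_as master user grant-role "myuser$i" myrole
    i=$((i + 1))
  done
  # Enable auth last: before this point no role is enforced.
  etcd_as master auth enable
}

# Confirm the grants: returns 0 only if all three expectations hold.
verify_roles() {
  etcd_as myuser0 get /events/1 >/dev/null      || return 1  # read allowed
  ! etcd_as myuser0 put /events/1 x 2>/dev/null || return 2  # write denied
  etcd_as master put /events/1 value >/dev/null || return 3  # root role writes
}
```

Run `setup_roles` once against a fresh cluster, then `verify_roles` after any change to the role grants; a non-zero return code identifies which expectation failed.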
