How can I properly use etcd Roles to control write permission on specific etcd key?
Question
I start my etcd cluster using Go etcd/clientv3 with the following parameters:
"--name", "etcd-cluster"
"--data-dir", "/var/lib/etcd",
"--wal-dir", "/var/lib",
"--listen-client-urls", "127.0.0.1:2379",
"--listen-peer-urls", "127.0.0.1:2380",
"--advertise-client-urls", "127.0.0.1:2379",
"--initial-advertise-peer-urls", "127.0.0.1:2380",
"--initial-cluster", "cluster",
"--initial-cluster-state", "new",
"--initial-cluster-token", "election",
"--cert-file", "tls.pem",
"--key-file", "tls.key",
"--client-cert-auth",
"--trusted-ca-file", "ca.pem",
"--peer-client-cert-auth",
"--peer-trusted-ca-file", "peer-ca.pem",
"--peer-cert-file", "peer-cert.pem",
"--peer-key-file", "peer.key",
Then I run the following commands:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add myuser
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role grant-permission myrole read /events/1
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role root root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role myuser myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem auth enable
The etcd documentation for Authentication says that if a client uses a TLS certificate, then the CN is taken from that certificate and used as the etcd user. My certificate tls.pem has CN=myuser and therefore:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
will result in permission denied, which is correct, since only read permission is given to myuser. However, the documentation also says that if the --user option is used along with TLS certificates, then that --user will have priority over the CN. Which means that if I run:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem --user=root:mypass put /events/1 value
Then the root user should be used to perform that operation, which I expect to result in OK; however, it doesn't happen, and instead I got the same stuff - permission denied. What can cause that problem? Thank you in advance!
Answer 1
Score: 2
I cannot help with the --user issue, i.e. why it doesn't work; however, why can't you use the following approach? You use TLS auth, that's good, but why don't you create master.clientv3 and myuserN.clientv3, where master is kinda a master TLS certificate with CN=master and the other TLS certificates follow the pattern CN=myuserN, where N=0,1,2,... Then you grant the root role to the master user and myrole to all myuserN.
In such a case you could use the master certificate to fully control etcd and the other certificates with the myrole role, i.e. having only read permission on the /events/1 key.
Following that idea, you can basically create any other permissions and have one master client to control everything in etcd. Hope that helps.