I start my etcd cluster using Go etcd/clientv3 with the following parameters:
"--name", "etcd-cluster"
"--data-dir", "/var/lib/etcd",
"--wal-dir", "/var/lib",
"--listen-client-urls", "127.0.0.1:2379",
"--listen-peer-urls", "127.0.0.1:2380",
"--advertise-client-urls", "127.0.0.1:2379",
"--initial-advertise-peer-urls", "127.0.0.1:2380",
"--initial-cluster", "cluster",
"--initial-cluster-state", "new",
"--initial-cluster-token", "election",
"--cert-file", "tls.pem",
"--key-file", "tls.key",
"--client-cert-auth",
"--trusted-ca-file", "ca.pem",
"--peer-client-cert-auth",
"--peer-trusted-ca-file", "peer-ca.pem",
"--peer-cert-file", "peer-cert.pem",
"--peer-key-file", "peer.key",
Then I run the following commands:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add myuser
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role grant-permission myrole read /events/1
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role root root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role myuser myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem auth enable
The etcd documentation for Authentication says that if a client uses a TLS certificate, then the CN is taken from that certificate and used as the etcd user. My certificate tls.pem has CN=myuser, and therefore:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
will result in permission denied, which is correct, since only read permission is given to myuser. However, the documentation also says that if the --user option is used along with TLS certificates, then that --user has priority over the CN. Which means that if I run:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem --user=root:mypass put /events/1 value
then the root user should be used to perform that operation, which I expect to result in OK. However, that doesn't happen, and instead I get the same thing: permission denied. What can cause that problem? Thank you in advance!
I cannot help with the --user issue, i.e. why it doesn't work; however, why can't you use the following approach? You use TLS auth, that's good, but why don't you create master.clientv3 and myuserN.clientv3, where master is kind of a master TLS certificate with CN=master and the other TLS certificates follow the pattern of CN=myuserN, where N=0,1,2,.... Then you grant the root role to the master user and myrole to all myuserN. In such a case you could use the master certificate to fully control etcd and the other certificates with the myrole role, i.e. having only read permission on the /events/1 key. Following that idea, you can basically create any other permissions and have one master client to control everything in etcd. Hope that helps :)
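The two behaviours this thread turns on, the client-certificate CN becoming the etcd identity unless --user overrides it (the question) and the master / myuserN certificate layout with root and myrole grants (the answer), can be checked offline with a small model. The Go program below is an added example written for this page, not etcd's or clientv3's own code: it generates throwaway self-signed certificates with chosen CNs, extracts the CN the way a server would, applies the documented --user-over-CN precedence, and evaluates the question's role grants (myrole read on /events/1, root role for root and master) in an in-memory RBAC table. The Cluster type, Check, ResolveUser and MakeCertPEM are hypothetical helpers; the PEM data is constructed in memory and stands in for tls.pem and master.clientv3.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PermType models etcd v3 role permissions on a key: read, write or both.
type PermType int

const (
	Read PermType = 1 << iota
	Write
)

// Cluster is a stand-alone model (hypothetical, not etcd's code) of the RBAC
// tables: a role maps a key to its granted permissions, a user holds roles.
type Cluster struct {
	Roles map[string]map[string]PermType
	Users map[string][]string
}

func NewCluster() *Cluster {
	return &Cluster{Roles: map[string]map[string]PermType{}, Users: map[string][]string{}}
}

// AddRole, Grant and AddUser mirror `role add`, `role grant-permission` and `user grant-role`.
func (c *Cluster) AddRole(role string) {
	if _, ok := c.Roles[role]; !ok {
		c.Roles[role] = map[string]PermType{}
	}
}
func (c *Cluster) Grant(role, key string, p PermType) { c.AddRole(role); c.Roles[role][key] |= p }
func (c *Cluster) AddUser(user string, roles ...string) {
	c.Users[user] = append(c.Users[user], roles...)
}

// Authorize answers "may user perform p on key?". etcd's built-in root role
// is all-powerful, so it short-circuits the per-key lookup.
func (c *Cluster) Authorize(user, key string, p PermType) bool {
	roles, ok := c.Users[user]
	if !ok {
		return false // unknown identity: denied once auth is enabled
	}
	for _, r := range roles {
		if r == "root" || c.Roles[r][key]&p == p {
			return true
		}
	}
	return false
}

// ResolveUser applies the precedence the etcd docs describe: an explicit
// --user wins, otherwise the identity is the CN of the client certificate.
func ResolveUser(clientCertPEM []byte, userOpt string) (string, error) {
	if userOpt != "" {
		return strings.SplitN(userOpt, ":", 2)[0], nil // --user takes name:password
	}
	block, _ := pem.Decode(clientCertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no certificate in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("client certificate has an empty CN")
	}
	return cert.Subject.CommonName, nil
}

// MakeCertPEM builds a throwaway self-signed client certificate with the given
// CN (constructed test data, standing in for tls.pem / master.clientv3).
func MakeCertPEM(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// QuestionCluster reproduces the question's grants plus the answer's
// master / myuserN layout (master -> root role, myuserN -> myrole).
func QuestionCluster() *Cluster {
	c := NewCluster()
	c.AddRole("root")
	c.Grant("myrole", "/events/1", Read)
	c.AddUser("root", "root")
	c.AddUser("myuser", "myrole")
	c.AddUser("master", "root")
	for n := 0; n < 3; n++ {
		c.AddUser(fmt.Sprintf("myuser%d", n), "myrole")
	}
	return c
}

// Check resolves the identity and authorizes the request, returning both.
func Check(c *Cluster, certPEM []byte, userOpt, key string, p PermType) (string, bool) {
	user, err := ResolveUser(certPEM, userOpt)
	if err != nil {
		return "", false
	}
	return user, c.Authorize(user, key, p)
}

func main() {
	c := QuestionCluster()
	myuser := MakeCertPEM("myuser")
	for _, tc := range []struct {
		userOpt string
		p       PermType
	}{{"", Read}, {"", Write}, {"root:mypass", Write}} {
		id, ok := Check(c, myuser, tc.userOpt, "/events/1", tc.p)
		fmt.Printf("cert CN=myuser --user=%q perm=%d -> identity=%s allowed=%v\n", tc.userOpt, tc.p, id, ok)
	}
	_, ok := Check(c, MakeCertPEM("master"), "", "/events/1", Write)
	fmt.Println("master cert, write /events/1 allowed:", ok)
}
```

Running it shows the expected outcomes for the question's three requests (CN=myuser read allowed, CN=myuser write denied, --user=root write allowed) and that a CN=master certificate carries the root role while myuserN certificates stay read-only. If a real cluster disagrees with this table for the --user case, the server-side audit of which identity was resolved is the thing to compare against, since the model only encodes what the documentation promises.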