Basic AUTH Certification for ETCD Security Configuration

"Small and medium-sized team landing Configuration Center," The article describes how to build a configuration center based on ETCD+CONFD, finally mentioned ETCD security issues when said can use account password Authentication to achieve secure access, how to open authentication and how to design access to access it? This article will give you a detailed explanation

Certification notes

1. ETCD v2 and above support permission authentication, and only basic Auth is supported
2. ETCD Control access through user-role-permissions, user-associated roles, role-owned permissions, and users have the appropriate permissions
3. ETCD default authentication mechanism is not enabled, as long as the ability to connect to the ETCD service has all permissions, or very dangerous, another secure way to access is to turn on SSL, only use trusted certificates to access data
4. ETCD when basic auth is turned on, the default is to enable two roles root and guest,root roles with all permissions, Guest has read-only permission, neither role is deleted , or you may encounter unexpected bugs
5. ETCD's privileges are read-only, write-only, read-write, and can be authorized for ETCD's detailed key, such as:/conf/project/dev/nginx.conf, or the key prefix (directory), for example:/conf/project/, Authorization rules should be based on minimum requirements

Permission Design

Authority design should first consider our need for permissions, design permissions from the requirements

• Demand

1. For ease of follow-up management, all keys in the configuration center should have been/conf/start
2. Need two accounts, an account used in Kerrigan (WebUI) have read, write, modify, delete key permissions, an account used in CONFD, only read-only permissions, can read the configuration

• Design

1. The demand is very simple, we need to set up two accounts, corresponding to two roles, two roles are/conf/start key control, a read-write permission, a read-only permission
2. Define read-only account name READX, read-only role name is readconf, define read and Write permissions account name is Authz, read and Write permission is rootconf, operable key is/conf/start

Detailed steps

1. Add root User

# etcdctl user add rootNew password: 12345User root created

2. After creating the root account, Root has the root role by default and has read and write access to all KV

# etcdctl user get rootUser: rootRoles:  root# etcdctl role get rootRole: rootKV Read:    /*KV Write:    /*

3. Turn on AUTH certification

# etcdctl auth enableAuthentication Enabled开启权限认证后默认会多一个guest的角色# etcdctl --username root:12345 role listguestroot

4. Add a non-root account, a Authz account, a READX account

# etcdctl --username root:12345 user add authzNew password: User authz created# etcdctl --username root:12345 user add readxNew password: User readx created

5. Add roles, a rootconf role, a readconf role

# etcdctl --username root:12345 role add rootConfRole rootConf created# etcdctl --username root:12345 role add readConfRole readConf created

6. For role authorization, readconf role has read-only access to/conf, rootconf role has read and write permissions to/conf

# etcdctl --username root:12345 role grant --read --path /conf/* readConfRole readConf updated# etcdctl --username root:12345 role grant --readwrite --path /conf/* rootConfRole rootConf updated

7. Assign roles to users, Authz account assignment rootconf role, READX account assignment readconf role

# etcdctl --username root:12345 user grant --roles rootConf authzUser authz updated# etcdctl --username root:12345 user grant --roles readConf readxUser readx updated

8. View the roles owned by the user

# etcdctl --username root:12345 user get authzUser: authzRoles:  rootConf# etcdctl --username root:12345 user get readxUser: readxRoles:  readConf

This way the READX account has read-only access to all files under/conf, and Authz has read and write access to all files under/conf.

Common commands

Some of the commands above are not introduced and will be used as follows:

1. Turn off authentication

# etcdctl --username root:12345 auth disable

2. Delete a user

# etcdctl --username root:12345 user remove userx

3. User Revoke role

# etcdctl --username root:12345 user revoke rolex

4. Modify User Password

# etcdctl --username root:12345 user passwd

There are also delete roles, revoke role permissions to see user-related actions above

Record of stepping on pits

After the authentication is turned on, it is found that the guest role is added by default, and the guest role is deleted because it is useless, so the following error is reported when connecting to ETCD cluster:

Error:The request requires user authentication (Insufficient credentials)

FIX: Re-add the guest role

If you feel that the article is helpful to you, please forward it to more people. If you don't feel like reading, read the following articles:

• Small and medium Team floor configuration Center detailed
• Remember a weird troubleshooting experience