1. ETCD资源类型

There are three types of resources in etcd

  • permission resources: users and roles in the user store
  • key-value resources: key-value pairs in the key-value store
  • settings resources: security settings, auth settings, and dynamic etcd cluster settings (election/heartbeat)

2. 权限资源

Users:user用来设置身份认证(user:passwd),一个用户可以拥有多个角色,每个角色被分配一定的权限(只读、只写、可读写),用户分为root用户和非root用户。

Roles:角色用来关联权限,角色主要三类:root角色。默认创建root用户时即创建了root角色,该角色拥有所有权限;guest角色,默认自动创建,主要用于非认证使用。普通角色,由root用户创建角色,并分配指定权限。

注意:如果没有指定任何验证方式,即没显示指定以什么用户进行访问,那么默认会设定为 guest 角色。默认情况下 guest 也是具有全局访问权限的。如果不希望未授权就获取或修改etcd的数据,则可收回guest角色的权限或删除该角色,etcdctl role revoke 。

Permissions:权限分为只读、只写、可读写三种权限,权限即对指定目录或key的读写权限。

3. ETCD访问控制

3.1. 访问控制相关命令

  1. NAME:
  2.    etcdctl - A simple command line client for etcd.
  3. USAGE:
  4.    etcdctl [global options] command [command options] [arguments...]
  5. VERSION:
  6.    2.2.0
  7. COMMANDS:
  8.    user         user add, grant and revoke subcommands
  9.    role         role add, grant and revoke subcommands
  10.    auth         overall auth controls  
  11. GLOBAL OPTIONS:
  12.    --peers, -C          a comma-delimited list of machine addresses in the cluster (default: "http://127.0.0.1:4001,http://127.0.0.1:2379")
  13.    --endpoint           a comma-delimited list of machine addresses in the cluster (default: "http://127.0.0.1:4001,http://127.0.0.1:2379")
  14.    --cert-file          identify HTTPS client using this SSL certificate file
  15.    --key-file           identify HTTPS client using this SSL key file
  16.    --ca-file            verify certificates of HTTPS-enabled servers using this CA bundle
  17.    --username, -u       provide username[:password] and prompt if password is not supplied.
  18.    --timeout '1s'       connection timeout per request

3.2. user相关命令

  1. [root@localhost etcd]# etcdctl user --help
  2. NAME:
  3.    etcdctl user - user add, grant and revoke subcommands
  4. USAGE:
  5.    etcdctl user command [command options] [arguments...]
  6. COMMANDS:
  7.    add      add a new user for the etcd cluster
  8.    get      get details for a user
  9.    list     list all current users
  10.    remove   remove a user for the etcd cluster
  11.    grant    grant roles to an etcd user
  12.    revoke   revoke roles for an etcd user
  13.    passwd   change password for a user
  14.    help, h  Shows a list of commands or help for one command
  16. OPTIONS:
  17.    --help, -h   show help

3.2.1. 添加root用户并设置密码

etcdctl —endpoints http://172.16.22.36:2379 user add root

3.2.2. 添加非root用户并设置密码

etcdctl —endpoints http://172.16.22.36:2379 —username root:123 user add huwh

3.2.3. 查看当前所有用户

etcdctl —endpoints http://172.16.22.36:2379 —username root:123 user list

3.2.4. 将用户添加到对应角色

etcdctl —endpoints http://172.16.22.36:2379 —username root:123 user grant —roles test1 phpor

3.2.5. 查看用户拥有哪些角色

etcdctl —endpoints http://172.16.22.36:2379 —username root:123 user get phpor

3.3. role相关命令

  1. [root@localhost etcd]# etcdctl role --help
  2. NAME:
  3.    etcdctl role - role add, grant and revoke subcommands
  4. USAGE:
  5.    etcdctl role command [command options] [arguments...]
  6. COMMANDS:
  7.    add      add a new role for the etcd cluster
  8.    get      get details for a role
  9.    list     list all roles
  10.    remove   remove a role from the etcd cluster
  11.    grant    grant path matches to an etcd role
  12.    revoke   revoke path matches for an etcd role
  13.    help, h  Shows a list of commands or help for one command
  15. OPTIONS:
  16.    --help, -h   show help

3.3.1. 添加角色

etcdctl —endpoints http://172.16.22.36:2379 —username root:2379 role add test1

3.3.2. 查看所有角色

etcdctl —endpoints http://172.16.22.36:2379 —username root:123 role list

3.3.3. 给角色分配权限

  1. [root@localhost etcd]# etcdctl role grant --help
  2. NAME:
  3.    grant - grant path matches to an etcd role
  4. USAGE:
  5.    command grant [command options] [arguments...]
  6. OPTIONS:
  7.    --path   Path granted for the role to access
  8.    --read   Grant read-only access
  9.    --write  Grant write-only access
  10.    --readwrite  Grant read-write access

1、只包含目录
etcdctl —endpoints http://172.16.22.36:2379 —username root:123 role grant —readwrite —path /test1 test1

2、包括目录和子目录或文件
etcdctl —endpoints http://172.16.22.36:2379 —username root:123 role grant —readwrite —path /test1/* test1

3.3.4. 查看角色所拥有的权限

etcdctl —endpoints http://172.16.22.36:2379 —username root:2379 role get test1

3.4. auth相关操作

  1. [root@localhost etcd]# etcdctl auth --help
  2. NAME:
  3.    etcdctl auth - overall auth controls
  4. USAGE:
  5.    etcdctl auth command [command options] [arguments...]
  6. COMMANDS:
  7.    enable   enable auth access controls
  8.    disable  disable auth access controls
  9.    help, h  Shows a list of commands or help for one command
  11. OPTIONS:
  12.    --help, -h   show help

3.4.1. 开启认证

etcdctl —endpoints http://172.16.22.36:2379 auth enable

4. 访问控制设置步骤

顺序 步骤 命令
1 添加root用户 etcdctl —endpoints http://: user add root
2 开启认证 etcdctl —endpoints http://: auth enable
3 添加非root用户 etcdctl —endpoints http://: –username root: user add
4 添加角色 etcdctl —endpoints http://: –username root: role add
5 给角色授权(只读、只写、可读写) etcdctl —endpoints http://: –username root: role grant —readwrite —path
6 给用户分配角色(即分配了角色对应的权限) etcdctl —endpoints http://: –username root: user grant —roles

5. 访问认证的API调用

更多参考