# Etcd访问控制 ## 1. ETCD资源类型 There are three types of resources in etcd * `permission resources`: users and roles in the user store * `key-value resources`: key-value pairs in the key-value store * `settings resources`: security settings, auth settings, and dynamic etcd cluster settings (election/heartbeat) ## 2. 权限资源 **Users**:user用来设置身份认证(user:passwd),一个用户可以拥有多个角色,每个角色被分配一定的权限(只读、只写、可读写),用户分为root用户和非root用户。 **Roles**:角色用来关联权限,角色主要三类:root角色。默认创建root用户时即创建了root角色,该角色拥有所有权限;guest角色,默认自动创建,主要用于非认证使用。普通角色,由root用户创建角色,并分配指定权限。 注意:如果没有指定任何验证方式,即没显示指定以什么用户进行访问,那么默认会设定为 guest 角色。默认情况下 guest 也是具有全局访问权限的。如果不希望未授权就获取或修改etcd的数据,则可收回guest角色的权限或删除该角色,etcdctl role revoke 。 **Permissions**:权限分为只读、只写、可读写三种权限,权限即对指定目录或key的读写权限。 ## 3. ETCD访问控制 ### 3.1. 访问控制相关命令 ```bash NAME: etcdctl - A simple command line client for etcd. USAGE: etcdctl [global options] command [command options] [arguments...] VERSION: 2.2.0 COMMANDS: user user add, grant and revoke subcommands role role add, grant and revoke subcommands auth overall auth controls GLOBAL OPTIONS: --peers, -C a comma-delimited list of machine addresses in the cluster (default: "http://127.0.0.1:4001,http://127.0.0.1:2379") --endpoint a comma-delimited list of machine addresses in the cluster (default: "http://127.0.0.1:4001,http://127.0.0.1:2379") --cert-file identify HTTPS client using this SSL certificate file --key-file identify HTTPS client using this SSL key file --ca-file verify certificates of HTTPS-enabled servers using this CA bundle --username, -u provide username[:password] and prompt if password is not supplied. --timeout '1s' connection timeout per request ``` ### 3.2. user相关命令 ```bash [root@localhost etcd]# etcdctl user --help NAME: etcdctl user - user add, grant and revoke subcommands USAGE: etcdctl user command [command options] [arguments...] COMMANDS: add add a new user for the etcd cluster get get details for a user list list all current users remove remove a user for the etcd cluster grant grant roles to an etcd user revoke revoke roles for an etcd user passwd change password for a user help, h Shows a list of commands or help for one command OPTIONS: --help, -h show help ``` ### 3.2.1. 添加root用户并设置密码 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) user add root ### 3.2.2. 添加非root用户并设置密码 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:123 user add huwh ### 3.2.3. 查看当前所有用户 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:123 user list ### 3.2.4. 将用户添加到对应角色 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:123 user grant --roles test1 phpor ### 3.2.5. 查看用户拥有哪些角色 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:123 user get phpor ### 3.3. role相关命令 ```bash [root@localhost etcd]# etcdctl role --help NAME: etcdctl role - role add, grant and revoke subcommands USAGE: etcdctl role command [command options] [arguments...] COMMANDS: add add a new role for the etcd cluster get get details for a role list list all roles remove remove a role from the etcd cluster grant grant path matches to an etcd role revoke revoke path matches for an etcd role help, h Shows a list of commands or help for one command OPTIONS: --help, -h show help ``` ### 3.3.1. 添加角色 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:2379 role add test1 ### 3.3.2. 查看所有角色 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:123 role list ### 3.3.3. 给角色分配权限 ```bash [root@localhost etcd]# etcdctl role grant --help NAME: grant - grant path matches to an etcd role USAGE: command grant [command options] [arguments...] OPTIONS: --path Path granted for the role to access --read Grant read-only access --write Grant write-only access --readwrite Grant read-write access ``` 1、只包含目录 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:123 role grant --readwrite --path /test1 test1 2、包括目录和子目录或文件 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:123 role grant --readwrite --path /test1/\* test1 ### 3.3.4. 查看角色所拥有的权限 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) --username root:2379 role get test1 ### 3.4. auth相关操作 ```bash [root@localhost etcd]# etcdctl auth --help NAME: etcdctl auth - overall auth controls USAGE: etcdctl auth command [command options] [arguments...] COMMANDS: enable enable auth access controls disable disable auth access controls help, h Shows a list of commands or help for one command OPTIONS: --help, -h show help ``` ### 3.4.1. 开启认证 etcdctl --endpoints [http://172.16.22.36:2379](http://172.16.22.36:2379/) auth enable ## 4. 访问控制设置步骤 | 顺序 | 步骤 | 命令 | | -- | -------------------- | --------------------------------------------------------------------------- | | 1 | 添加root用户 | etcdctl --endpoints http\://: user add root | | 2 | 开启认证 | etcdctl --endpoints http\://: auth enable | | 3 | 添加非root用户 | etcdctl --endpoints http\://: –username root: user add | | 4 | 添加角色 | etcdctl --endpoints http\://: –username root: role add | | 5 | 给角色授权(只读、只写、可读写) | etcdctl --endpoints http\://: –username root: role grant --readwrite --path | | 6 | 给用户分配角色(即分配了角色对应的权限) | etcdctl --endpoints http\://: –username root: user grant --roles | ## 5. 访问认证的API调用 更多参考 * * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://k8s.huweihuang.com/project/etcd/etcd-auth-and-security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.