Etcd cluster permission management and account password usage
2022-07-03 14:19:00 【Development, operation and maintenance Xuande public】
1. Examples of operation
1.1 Environment description
node | IP:port
---|---
etcd1 | 10.10.239.31:1379 |
etcd2 | 10.10.239.31:2379 |
etcd3 | 10.10.239.31:3379 |
1.2 Create the root user
The root user holds all permissions by itself, so it only needs to be created; once authentication is enabled it has full access.
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add root
- The output is as follows:
Password of root:
Type password of root again for confirmation:
User root created
The password is entered interactively at the prompt.
1.3 Enable authentication
- Enable authentication
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 auth enable
- Test: operate with the user and password
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' put name "guanyu"
OK
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' get name
name
guanyu
- Test: operating without a user and password reports an error
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl get name
{
"level":"warn","ts":"2022-07-02T08:11:34.599Z","logger":"etcd-client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00014c000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = InvalidArgument desc = etcdserver: user name is empty"}
Error: etcdserver: user name is empty
- If you intend to hand out the root account, you can stop here.
- If you want to keep the high-privilege root account private and hand out ordinary accounts instead, continue with the steps below.
1.4 Ordinary user management
1.4.1 Create ordinary users
- Create a read user
Because password access was enabled above, the user and password are passed here as well. Of course, it is also possible not to add them.
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myRead
- Create a write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myWrite
- Create a read-write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myReadWrite
- View the users
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user list
Output:
myRead
myReadWrite
myWrite
root
1.4.2 Create roles
- Create a read role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleRead
- Create a write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleWrite
- Create a read-write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleReadWrite
- View the roles
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role list
Result:
roleRead
roleReadWrite
roleWrite
root
1.4.3 Grant permissions to roles
- Grant read permission to the read role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleRead read /xishu/*
- Grant write permission to the write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleWrite write /xishu/*
- Grant read-write permission to the read-write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleReadWrite readwrite /xishu/*
- View role permissions
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role get roleReadWrite
Output:
Role roleReadWrite
KV Read:
/xishu/*
KV Write:
/xishu/*
1.4.4 Bind roles to users
- Bind the read role to the read user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myRead roleRead
- Bind the write role to the write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myWrite roleWrite
- Bind the read-write role to the read-write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myReadWrite roleReadWrite
- View the result
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user get myReadWrite
Output:
User: myReadWrite
Roles: roleReadWrite
1.4.5 Test
- Write two keys with the write account
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/name "liubei"
OK
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/age "28"
OK
- Read one of them back with the read account
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myRead' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 get /xishu/age
/xishu/age
28
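To make the least-privilege boundaries of this walkthrough concrete, the following Python model of the etcd v3 authorization check is added here (an illustration, not etcd's own code or the author's): a role permission is either an exact key or a half-open range [key, range_end), `etcdctl role grant-permission --prefix` derives range_end by incrementing the last byte of the prefix, and the root role bypasses the key check. `walkthrough()` recreates the users and roles of section 1.4 (using a `--prefix /xishu/` style grant, since a bare key argument in the v3 API names only that exact key) so each account can be checked against keys inside and outside `/xishu/`.

```python
READ, WRITE, READWRITE = "read", "write", "readwrite"


def prefix_range_end(prefix: bytes) -> bytes:
    """Range end etcdctl derives for --prefix: bump the last byte below 0xff
    and drop what follows; an all-0xff prefix yields the open-ended marker."""
    end = bytearray(prefix)
    for i in range(len(end) - 1, -1, -1):
        if end[i] < 0xFF:
            end[i] += 1
            return bytes(end[: i + 1])
    return b"\x00"


def covers(key: bytes, range_end: bytes, k: bytes) -> bool:
    # b"" range_end means the exact key only; b"\x00" means every key >= key
    if not range_end:
        return k == key
    return k >= key and (range_end == b"\x00" or k < range_end)


class AuthStore:
    def __init__(self):
        self.roles = {}  # role -> [(key, range_end, {ops})]
        self.users = {}  # user -> set of role names

    def user_grant_role(self, user: str, role: str) -> None:
        self.users.setdefault(user, set()).add(role)

    def role_grant_permission(self, role, perm_type, key, prefix=False):
        ops = {READ, WRITE} if perm_type == READWRITE else {perm_type}
        end = prefix_range_end(key) if prefix else b""
        self.roles.setdefault(role, []).append((key, end, ops))

    def is_permitted(self, user: str, op: str, key: bytes) -> bool:
        # op is READ for get/watch, WRITE for put/del; the root role skips checks
        roles = self.users.get(user, set())
        return "root" in roles or any(
            op in ops and covers(k, end, key)
            for r in roles for k, end, ops in self.roles.get(r, []))


def walkthrough(prefix: bool = True) -> AuthStore:
    """Users and roles from the walkthrough above. prefix=True grants the range
    [/xishu/, /xishu0); prefix=False grants only the literal key /xishu/*."""
    s = AuthStore()
    s.user_grant_role("root", "root")  # user root holds the special root role
    key = b"/xishu/" if prefix else b"/xishu/*"
    for user, role, t in (("myRead", "roleRead", READ), ("myWrite", "roleWrite", WRITE),
                          ("myReadWrite", "roleReadWrite", READWRITE)):
        s.user_grant_role(user, role)
        s.role_grant_permission(role, t, key, prefix)
    return s
```

Running the same checks against a live cluster amounts to repeating the `put`/`get` calls of section 1.4.5 with each account against keys inside and outside the granted range and confirming that the out-of-scope ones are refused with "permission denied".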
2. Common commands for permissions
2.1 User management
Create a user:
etcdctl user add <username>
Delete a user:
etcdctl user del <username>
Change a password:
etcdctl user passwd <username>
List all users:
etcdctl user list
Show a user and its bound roles:
etcdctl user get <username>
2.2 Role management
Add a role:
etcdctl role add <role>
Grant permissions to a role:
etcdctl role grant-permission <role> [read|write|readwrite] <range>
The range is written as, for example:
/xishu/*
/liubei
Revoke a permission from a role:
etcdctl role revoke-permission <role> <range>
Delete a role:
etcdctl role del <role>
List the roles:
etcdctl role list
Show the permissions of a role:
etcdctl role get <role>
2.3 Users and roles
Bind a role to a user:
etcdctl user grant-role <username> <role>
Unbind a role from a user:
etcdctl user revoke-role <username> <role>
2.4 Using the credentials
etcdctl --user='<username>' --password='<password>' ……