Etcd cluster permission management and account password usage
2022-07-03 14:19:00 【DevOps Xuande Gong】

1. Worked example

1.1 Environment
| node | IP |
|---|---|
| etcd1 | 10.10.239.31:1379 |
| etcd2 | 10.10.239.31:2379 |
| etcd3 | 10.10.239.31:3379 |
1.2 Create the root user

The root user holds all permissions by itself, so it only needs to be created; once authentication is enabled it can do everything.

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add root
```

- Output is as follows (the password is entered interactively):

```
Password of root:
Type password of root again for confirmation:
User root created
```
1.3 Enable authentication

- Enable authentication

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 auth enable
```

- Test: operate with the user's credentials

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' put name "guanyu"
OK
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' get name
name
guanyu
```

- Test: operating without a user and password returns an error

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl get name
{"level":"warn","ts":"2022-07-02T08:11:34.599Z","logger":"etcd-client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00014c000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = InvalidArgument desc = etcdserver: user name is empty"}
Error: etcdserver: user name is empty
```

- If you intend to hand out the root user, you can stop here.
- If you want to keep the high-privilege root user private and hand out ordinary users instead, continue with the steps below.
1.4 Managing ordinary users

1.4.1 Create ordinary users

- Create a read user

Because authentication has already been enabled, the root user and its password must be supplied when adding users; without authentication enabled they would not be needed.

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myRead
```

- Create a write user

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myWrite
```

- Create a read-write user

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myReadWrite
```

- View the users

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user list
```

Output:

```
myRead
myReadWrite
myWrite
root
```
1.4.2 Create the roles

- Create a read role

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleRead
```

- Create a write role

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleWrite
```

- Create a read-write role

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleReadWrite
```

- View the roles

```
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role list
```

Result:

```
roleRead
roleReadWrite
roleWrite
root
```
1.4.3 Grant permissions to the roles

- Grant read permission to the read role

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleRead read /xishu/*
```

- Grant write permission to the write role

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleWrite write /xishu/*
```

- Grant read-write permission to the read-write role

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleReadWrite readwrite /xishu/*
```

- View a role's permissions

```
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role get roleReadWrite
```

Result:

```
Role roleReadWrite
KV Read:
	/xishu/*
KV Write:
	/xishu/*
```
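The `KV Read: /xishu/*` line above is a grant on the literal key `/xishu/*`: in the etcd v3 API `*` is not a wildcard, and a grant that is meant to cover everything under a prefix is stored as a half-open range such as `[/xishu/, /xishu0)`, which is what the `--prefix` option of `role grant-permission` produces. The following Python is an added example (not code from the post or from etcd itself) that models how etcd turns a grant into a stored key range and decides whether a given key is covered, so a role's reach can be checked before it is granted; the names `Grant`, `grant` and `allowed` are chosen here, and the constructed grants at the bottom mirror the post's `/xishu/*` grant and its `--prefix` equivalent.

```python
# Added example: an offline model of etcd v3 key-range permission checks.
# etcd stores every grant as a half-open range [key, range_end): a single key
# (range_end empty), a --prefix grant (range_end = prefix with its last byte
# incremented) or a --from-key grant (range_end = "\0", everything >= key).
from dataclasses import dataclass

READ, WRITE = "read", "write"


def prefix_range_end(prefix: bytes) -> bytes:
    """Same rule as etcd's clientv3.GetPrefixRangeEnd: bump the last byte
    that is below 0xff and drop everything after it."""
    b = bytearray(prefix)
    for i in range(len(b) - 1, -1, -1):
        if b[i] < 0xFF:
            b[i] += 1
            return bytes(b[: i + 1])
    return b"\x00"  # all bytes were 0xff: range runs to the end of the keyspace


@dataclass(frozen=True)
class Grant:
    perm: str               # READ or WRITE; readwrite is stored as one of each
    key: bytes
    range_end: bytes = b""  # b"" means exactly this one key

    def covers(self, k: bytes) -> bool:
        if self.range_end == b"":
            return k == self.key
        if self.range_end == b"\x00":
            return k >= self.key
        return self.key <= k < self.range_end


def grant(perm: str, key: str, prefix=False, from_key=False) -> list:
    """Expand one `etcdctl role grant-permission` call into stored grants."""
    kb = key.encode()
    end = prefix_range_end(kb) if prefix else (b"\x00" if from_key else b"")
    perms = [READ, WRITE] if perm == "readwrite" else [perm]
    return [Grant(p, kb, end) for p in perms]


def allowed(grants: list, perm: str, key: str) -> bool:
    """The server-side decision for a user whose roles hold `grants`."""
    kb = key.encode()
    return any(g.perm == perm and g.covers(kb) for g in grants)


# The post's grant typed literally: the key is "/xishu/*" and "*" is no wildcard.
literal = grant("readwrite", "/xishu/*")
# The same intent expressed with --prefix: covers /xishu/name, /xishu/age, ...
prefixed = grant("readwrite", "/xishu/", prefix=True)
```

Checking `allowed(literal, WRITE, "/xishu/name")` against `allowed(prefixed, WRITE, "/xishu/name")` shows why the literal grant does not reach the keys written in the test section below.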
1.4.4 Bind the roles to the users

- Bind the read role to the read user

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myRead roleRead
```

- Bind the write role to the write user

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myWrite roleWrite
```

- Bind the read-write role to the read-write user

```
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myReadWrite roleReadWrite
```

- View the result

```
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user get myReadWrite
```

Output:

```
User: myReadWrite
Roles: roleReadWrite
```
1.4.5 Test

- Write two keys with the write account

```
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/name "liubei"
OK
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/age "28"
OK
```

- Read one back with the read account

```
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myRead' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 get /xishu/age
/xishu/age
28
```
2. Common permission commands

2.1 User management

- Create a user

```
etcdctl user add <username>
```

- Delete a user

```
etcdctl user del <username>
```

- Change a user's password

```
etcdctl user passwd <username>
```

- List all users

```
etcdctl user list
```

- Show a user and the roles bound to it

```
etcdctl user get <username>
```

2.2 Roles

- Add a role

```
etcdctl role add <role>
```

- Grant a permission to a role

```
etcdctl role grant-permission <role> [read|write|readwrite] <range>
```

The range is a key such as `/xishu/*` or `/liubei`. With the v3 API the key argument is matched literally (`*` is not a wildcard); to cover every key under a prefix, pass the `--prefix` option and give the prefix itself, such as `/xishu/`.

- Revoke a permission from a role

```
etcdctl role revoke-permission <role> <range>
```

- Delete a role

```
etcdctl role del <role>
```

- List the roles

```
etcdctl role list
```

- Show the permissions of a role

```
etcdctl role get <role>
```

2.3 Users and roles

- Bind a role to a user

```
etcdctl user grant-role <username> <role>
```

- Revoke a role from a user

```
etcdctl user revoke-role <username> <role>
```

2.4 Using credentials

```
etcdctl --user='<username>' --password='<password>' ……
```