1. Examples of operation

1.1 Environmental statement

1.2 establish root user

root Users have all their own permissions , So just create the user , Open the authentication and you have all permissions .

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add root

• Output is as follows

Password of root:
Type password of root again for confirmation:
User root created

User password is required for interaction

1.3 Turn on Authentication

• Turn on Authentication

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 auth enable

• test ： Use user actions

I have no name!@555187fb758c:/opt/bitnami/etcd$  etcdctl  --user='root' --password='[email protected]'   put name "guanyu"
OK
I have no name!@555187fb758c:/opt/bitnami/etcd$  etcdctl  --user='root' --password='[email protected]'   get name
name
guanyu

• test ： Do not use the user password to operate and report an error

I have no name!@555187fb758c:/opt/bitnami/etcd$  etcdctl  get name
{
    "level":"warn","ts":"2022-07-02T08:11:34.599Z","logger":"etcd-client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00014c000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = InvalidArgument desc = etcdserver: user name is empty"}
Error: etcdserver: user name is empty

• If you decide to publish root user , Then it's OK to get here
• If you want to hide high permission root user , And publish ordinary users , Then continue to operate

1.4 General user management

1.4.1 Create a normal user

• Create a read user

Because password access has been enabled before , So here we need to add users and passwords . Of course, there is no need to add .

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]'  --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myRead

• Create a write user

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myWrite

• Create read-write users

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user list

• To view the user

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myReadWrite

Output ：

myRead
myReadWrite
myWrite
root

1.4.2 Create the role

• Create read roles

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl  --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379  role add roleRead 

• Create a writing role

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl  --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleWrite

• Create a read-write role

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl  --user='root' --password='[email protected]'  --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleReadWrite

• Check out the characters

I have no name!@75cdaac66149:/opt/bitnami/etcd$  etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role list

result

roleRead
roleReadWrite
roleWrite
root

1.4.3 Empowering roles

• Read role grants read permission

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl  --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379  role grant-permission roleRead read /xishu/* 

• Write role grants write permission

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleWrite write /xishu/*

• Read / write role grants read / write permission

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleReadWrite readwrite /xishu/*

• View role permissions

I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role get roleReadWrite

Results show

Role roleReadWrite
KV Read:
        /xishu/*
KV Write:
        /xishu/*

1.4.4 Bind roles to users

• Read user binding read role

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl  --user='root' --password='[email protected]'  --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379  user grant-role myRead roleRead 

• Write user binding write role

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]'  --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379  user grant-role myWrite roleWrite 

• Read corner users are bound to read and write roles

I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379  user grant-role myReadWrite roleReadWrite 

• View results

I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user get myReadWrite

Output

User: myReadWrite
Roles: roleReadWrite

1.1.5 test

• Write two pieces of data with write account

I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/name "liubei"
OK
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/age "28"
OK

• Read it with the read account

I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myRead' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 get /xishu/age
/xishu/age
28

2. Common commands for permissions

2.1 User management

Create user

etcdctl user add  user name 

Delete user

etcdctl user del  user name 

Change Password

etcdctl user passwd  user name 

View all users

etcdctl user list

View the specified user and binding role

etcdctl user get  user name 

2.2 role

Add roles

etcdctl role add  The role of  

Empowering roles

etcdctl grant-permission  The role of  [read|write|readwrite]  Range 

The scope is as follows ： /xishu/* ,/liubei

Reclaim role empowerment

etcdctl role revoke-permission   The role of    Recycled range 

Delete the role

etcdctl role del  The role of  

Querying role list

etcdctl role list 

Query the permissions of the specified role

etcdctl role get  The role of  

2.3 user & role

User binding role

etcdctl user grant-role  user name   The role of  

Reclaim user binding permissions

etcdctl user revoke-role  user name   The role of  

2.4 privilege use

etcdctl --user=' user name ' --password=' password ' ……