Etcd cluster permission management and account password usage
2022-07-03 14:19:00 【Development, operation and maintenance Xuande public】
1. Worked example
1.1 Environment
| node | IP |
|---|---|
| etcd1 | 10.10.239.31:1379 |
| etcd2 | 10.10.239.31:2379 |
| etcd3 | 10.10.239.31:3379 |
1.2 Create the root user
The root user has all permissions by default, so you only need to create the user and enable authentication for it to have full access.
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add root
- The output is as follows:
Password of root:
Type password of root again for confirmation:
User root created
The password is entered interactively at the prompt.
1.3 Enable authentication
- Enable authentication
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 auth enable
- Test: run operations with the user name and password
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' put name "guanyu"
OK
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' get name
name
guanyu
- Test: an operation without the user name and password fails with an error
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl get name
{"level":"warn","ts":"2022-07-02T08:11:34.599Z","logger":"etcd-client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00014c000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = InvalidArgument desc = etcdserver: user name is empty"}
Error: etcdserver: user name is empty
- If you intend to hand out the root account itself, you can stop here.
- If you want to keep the high-privilege root account private and hand out ordinary users instead, continue.
1.4 Ordinary user management
1.4.1 Create ordinary users
- Create a read user
Because authentication was enabled earlier, these commands must include a user name and password. If it were not enabled, they would not be needed.
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myRead
- Create a write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myWrite
- Create a read-write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myReadWrite
- List the users
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user list
Output:
myRead
myReadWrite
myWrite
root
1.4.2 Create roles
- Create a read role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleRead
- Create a write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleWrite
- Create a read-write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleReadWrite
- List the roles
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role list
Output:
roleRead
roleReadWrite
roleWrite
root
1.4.3 Grant permissions to roles
- Grant read permission to the read role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleRead read /xishu/*
- Grant write permission to the write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleWrite write /xishu/*
- Grant read/write permission to the read-write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleReadWrite readwrite /xishu/*
- View role permissions
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role get roleReadWrite
Output:
Role roleReadWrite
KV Read:
/xishu/*
KV Write:
/xishu/*
1.4.4 Bind roles to users
- Bind the read role to the read user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myRead roleRead
- Bind the write role to the write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myWrite roleWrite
- Bind the read-write role to the read-write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myReadWrite roleReadWrite
- View results
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user get myReadWrite
Output
User: myReadWrite
Roles: roleReadWrite
1.4.5 Test
- Write two entries with the write account
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/name "liubei"
OK
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/age "28"
OK
- Read it with the read account
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myRead' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 get /xishu/age
/xishu/age
28
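The grants from 1.4.3 and the checks from 1.4.5, modelled as an added example (not code from the original article or from etcd). The etcd v3 API stores each grant as a key range, so a key argument given without `--prefix` names one literal key; the sketch evaluates a grant written as `/xishu/*` beside one written as `--prefix=true /xishu/`. The helper names and the extra sample keys are constructed for illustration.

```python
# Added illustration of how etcd v3 matches a key against role permissions.
# Not etcd source code; helper names and sample keys are constructed.

def prefix_range_end(prefix: bytes) -> bytes:
    """Range end that --prefix produces: bump the last byte below 0xff."""
    end = bytearray(prefix)
    for i in reversed(range(len(end))):
        if end[i] < 0xFF:
            end[i] += 1
            return bytes(end[: i + 1])
    return b"\x00"  # empty or all-0xff prefix: open ended, like --from-key


def grant(perm_type: str, key: str, prefix: bool = False) -> dict:
    """Model of `role grant-permission [--prefix=true] <role> <type> <key>`."""
    raw = key.encode()
    return {"type": perm_type, "key": raw,
            "range_end": prefix_range_end(raw) if prefix else b""}


def covers(perm: dict, key: bytes) -> bool:
    if perm["range_end"] == b"":        # single key: exact match only
        return key == perm["key"]
    if perm["range_end"] == b"\x00":    # open ended
        return key >= perm["key"]
    return perm["key"] <= key < perm["range_end"]


def allowed(perms: list, op: str, key: str) -> bool:
    """op is 'read' or 'write'; a readwrite grant satisfies either."""
    return any(p["type"] in (op, "readwrite") and covers(p, key.encode())
               for p in perms)


def compare(keys):
    """Rows of (key, literal grant, prefix grant, prefix without slash)."""
    literal = [grant("write", "/xishu/*")]
    prefixed = [grant("write", "/xishu/", prefix=True)]
    no_slash = [grant("write", "/xishu", prefix=True)]
    return [(k, allowed(literal, "write", k), allowed(prefixed, "write", k),
             allowed(no_slash, "write", k)) for k in keys]


if __name__ == "__main__":
    for row in compare(["/xishu/name", "/xishu/age", "/xishu/*",
                        "/xishu-prod/name", "/liubei"]):
        print("%-18s literal=%-5s prefix=%-5s no_slash=%s" % row)
```

In `etcdctl role get` output a prefix grant is listed as a range such as `[/xishu/, /xishu0)`, while a single-key grant is listed as the bare key. The last column shows why the trailing slash matters: a prefix of `/xishu` also covers sibling trees such as `/xishu-prod/`.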
2. Common permission commands
2.1 User management
Create a user
etcdctl user add <user name>
Delete a user
etcdctl user delete <user name>
Change a password
etcdctl user passwd <user name>
List all users
etcdctl user list
View a user and its bound roles
etcdctl user get <user name>
2.2 Roles
Add a role
etcdctl role add <role name>
Grant a permission to a role
etcdctl role grant-permission <role name> [read|write|readwrite] <range>
Example ranges:
/xishu/*,/liubei
Revoke a permission from a role
etcdctl role revoke-permission <role name> <range to revoke>
Delete a role
etcdctl role delete <role name>
List roles
etcdctl role list
View the permissions of a role
etcdctl role get <role name>
2.3 Users and roles
Bind a role to a user
etcdctl user grant-role <user name> <role name>
Unbind a role from a user
etcdctl user revoke-role <user name> <role name>
2.4 Using credentials
etcdctl --user='<user name>' --password='<password>' ……