Etcd cluster permission management and account password usage
2022-07-03 14:19:00 【Development, operation and maintenance Xuande public】
1. Operation examples
1.1 Environment
| node | endpoint (IP:port) |
|---|---|
| etcd1 | 10.10.239.31:1379 |
| etcd2 | 10.10.239.31:2379 |
| etcd3 | 10.10.239.31:3379 |
1.2 Create the root user
The root user holds every permission, so it only needs to be created; once authentication is enabled it has full access.
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add root
- Output is as follows
Password of root:
Type password of root again for confirmation:
User root created
The password is entered interactively.
1.3 Enable authentication
- Enable authentication
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 auth enable
- Test: operate with the user credentials
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' put name "guanyu"
OK
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' get name
name
guanyu
- Test: operating without user credentials returns an error
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl get name
{"level":"warn","ts":"2022-07-02T08:11:34.599Z","logger":"etcd-client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00014c000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = InvalidArgument desc = etcdserver: user name is empty"}
Error: etcdserver: user name is empty
- If you intend to hand out the root user, you can stop here.
- If you want to keep the high-privilege root user private and hand out ordinary users instead, continue.
1.4 Ordinary user management
1.4.1 Create ordinary users
- Create a read user
Because authentication was enabled above, the commands now have to carry the root user and password (they would not be needed otherwise).
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myRead
- Create a write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myWrite
- Create a read-write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user add myReadWrite
- View the users
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user list
Output:
myRead
myReadWrite
myWrite
root
1.4.2 Create the role
- Create read roles
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleRead
- Create a write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleWrite
- Create a read-write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role add roleReadWrite
- View the roles
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role list
Result:
roleRead
roleReadWrite
roleWrite
root
1.4.3 Grant permissions to roles
- Grant read permission to the read role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleRead read /xishu/*
- Grant write permission to the write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleWrite write /xishu/*
- Grant read/write permission to the read/write role
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role grant-permission roleReadWrite readwrite /xishu/*
- View role permissions
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 role get roleReadWrite
Result:
Role roleReadWrite
KV Read:
/xishu/*
KV Write:
/xishu/*
1.4.4 Bind roles to users
- Bind the read role to the read user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myRead roleRead
- Bind the write role to the write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myWrite roleWrite
- Bind the read/write role to the read/write user
I have no name!@555187fb758c:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user grant-role myReadWrite roleReadWrite
- View the result
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='root' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 user get myReadWrite
Output:
User: myReadWrite
Roles: roleReadWrite
1.4.5 Test
- Write two keys with the write account
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/name "liubei"
OK
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myWrite' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 put /xishu/age "28"
OK
- Read one of them back with the read account
I have no name!@75cdaac66149:/opt/bitnami/etcd$ etcdctl --user='myRead' --password='[email protected]' --endpoints http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379 get /xishu/age
/xishu/age
28
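The steps in 1.4.1 to 1.4.5 put together as one script, an added example that is not code from the original post. It goes slightly beyond the post: it skips users and roles that already exist (so it can be re-run), grants each role on the key prefix with the `--prefix` flag of etcdctl v3 (without that flag the key argument is taken literally, so `/xishu/*` would name a single key rather than every key under `/xishu/`), feeds each new user's password through stdin with `--interactive=false` instead of putting it on the command line, and checks every binding with `user get` afterwards. Assumptions not taken from the post: etcdctl v3 is on PATH, `auth enable` has already been run, the root credentials are exported as `ETCDCTL_USER` and `ETCDCTL_PASSWORD` (etcdctl reads any flag from an `ETCDCTL_`-prefixed variable, which keeps the root password out of shell history and `ps` output), and the new users' passwords arrive in the `MYREAD_PASSWORD`, `MYWRITE_PASSWORD` and `MYREADWRITE_PASSWORD` variables.

```shell
#!/bin/sh
# Added example (not from the original post): provision the read, write and
# read-write users of section 1.4 on one key prefix and verify the bindings.
# Assumed environment: etcdctl v3 on PATH, auth already enabled, root
# credentials in ETCDCTL_USER / ETCDCTL_PASSWORD, new-user passwords in
# MYREAD_PASSWORD / MYWRITE_PASSWORD / MYREADWRITE_PASSWORD.
set -eu

# Endpoints from the post's environment table; override with ENDPOINTS=...
ENDPOINTS="${ENDPOINTS:-http://10.10.239.31:1379,http://10.10.239.31:2379,http://10.10.239.31:3379}"
# Trailing slash: the prefix grant then covers /xishu/name, /xishu/age, ...
PREFIX="${PREFIX:-/xishu/}"

# Every call carries the same endpoint list.
ectl() { etcdctl --endpoints "$ENDPOINTS" "$@"; }

# Create a role unless it already exists, then grant exactly one permission
# type on PREFIX. --prefix is a real etcdctl v3 flag; without it "/xishu/*"
# would be a single literal key, not a glob.
make_role() {
    role="$1"; perm="$2"
    ectl role list | grep -qx "$role" || ectl role add "$role"
    ectl role grant-permission --prefix "$role" "$perm" "$PREFIX"
}

# Create a user unless it already exists (password read from stdin rather than
# from argv, so it does not show up in process listings), then bind one role.
make_user() {
    user="$1"; role="$2"; password="$3"
    if ! ectl user list | grep -qx "$user"; then
        printf '%s\n' "$password" | ectl user add --interactive=false "$user"
    fi
    ectl user grant-role "$user" "$role"
}

# True when `user get` reports exactly the expected role list
# (the second output line is "Roles: <role1> <role2> ...").
user_has_only_role() {
    roles=$(ectl user get "$1" | sed -n 's/^Roles: *//p')
    [ "$roles" = "$2" ]
}

# The whole procedure of section 1.4, followed by a check of every binding.
apply_rbac() {
    make_role roleRead read
    make_role roleWrite write
    make_role roleReadWrite readwrite
    make_user myRead      roleRead      "${MYREAD_PASSWORD:?set MYREAD_PASSWORD}"
    make_user myWrite     roleWrite     "${MYWRITE_PASSWORD:?set MYWRITE_PASSWORD}"
    make_user myReadWrite roleReadWrite "${MYREADWRITE_PASSWORD:?set MYREADWRITE_PASSWORD}"
    for pair in myRead:roleRead myWrite:roleWrite myReadWrite:roleReadWrite; do
        user_has_only_role "${pair%%:*}" "${pair#*:}" \
            || { echo "unexpected roles on ${pair%%:*}" >&2; return 1; }
    done
    echo "RBAC for $PREFIX provisioned"
}

# Run the procedure only when invoked as `sh etcd_rbac.sh apply`;
# sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_rbac
fi
```

Run it once with the root credentials exported; a second run adds nothing and only re-applies the grants and bindings, which is what you want from a provisioning step kept in version control.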
2. Common commands for permissions
2.1 User management
Create a user
etcdctl user add <username>
Delete a user
etcdctl user del <username>
Change a password
etcdctl user passwd <username>
List all users
etcdctl user list
Show a user and the roles bound to it
etcdctl user get <username>
2.2 Roles
Add a role
etcdctl role add <role>
Grant permissions to a role
etcdctl role grant-permission <role> [read|write|readwrite] <range>
Example ranges, as used above:
/xishu/*
/liubei
Revoke a permission from a role
etcdctl role revoke-permission <role> <range to revoke>
Delete a role
etcdctl role del <role>
List the roles
etcdctl role list
Show the permissions of a role
etcdctl role get <role>
2.3 Users and roles
Bind a role to a user
etcdctl user grant-role <username> <role>
Revoke a role from a user
etcdctl user revoke-role <username> <role>
2.4 Using credentials
etcdctl --user='<username>' --password='<password>' ……
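A least-privilege review built from the reference commands in 2.1 to 2.3, as an added example that is not code from the original post. It walks `user list`, `user get` and `role get`, parses the output formats shown in 1.4 (the `Roles:` line and the `KV Read:` / `KV Write:` sections), prints one user/role/permission/range line per grant, and lists the users who hold the built-in root role or can write outside a given prefix, which is what a reviewer would want to see after handing out ordinary users. Assumptions not taken from the post: etcdctl v3 is on PATH and `ETCDCTL_USER`, `ETCDCTL_PASSWORD` and `ETCDCTL_ENDPOINTS` are exported for an account that may read the auth tables (root); prefix grants print as `[<prefix>, <end>) (prefix <prefix>)` in etcdctl v3, single-key grants as the bare key.

```shell
#!/bin/sh
# Added example (not from the original post): audit who can do what in an
# etcd cluster with auth enabled, using only `user list`, `user get` and
# `role get`. Assumed: etcdctl v3 on PATH with ETCDCTL_USER / ETCDCTL_PASSWORD /
# ETCDCTL_ENDPOINTS exported for the root account.
set -eu

# Grants of one role as "<perm>\t<range>" lines. `role get` prints:
#   Role <name>
#   KV Read:
#   <TAB>[<prefix>, <end>) (prefix <prefix>)   or   <TAB><single key>
#   KV Write:
#   <TAB>...
role_grants() {
    etcdctl role get "$1" | awk '
        /^KV Read:/  { perm = "read";  next }
        /^KV Write:/ { perm = "write"; next }
        /^[ \t]/     { sub(/^[ \t]+/, ""); print perm "\t" $0 }'
}

# Roles of one user, taken from the "Roles: r1 r2 ..." line of `user get`.
user_roles() {
    etcdctl user get "$1" | sed -n 's/^Roles: *//p'
}

# Full matrix: one "user\trole\tperm\trange" line per grant for every user.
# A binding to the root role is reported as ROOT on all keys; a user with no
# role at all is reported with dashes (it can do nothing once auth is on).
audit_rbac() {
    tab=$(printf '\t')
    for user in $(etcdctl user list); do
        roles=$(user_roles "$user")
        [ -n "$roles" ] || printf '%s\t-\t-\t-\n' "$user"
        for role in $roles; do
            if [ "$role" = root ]; then
                printf '%s\troot\tROOT\t<all keys>\n' "$user"
                continue
            fi
            role_grants "$role" | while IFS="$tab" read -r perm range; do
                printf '%s\t%s\t%s\t%s\n' "$user" "$role" "$perm" "$range"
            done
        done
    done
}

# Users to escalate on: anyone holding root, or holding a write grant whose
# range does not mention the prefix the team was supposed to be confined to.
writers_outside_prefix() {
    audit_rbac | awk -F '\t' -v p="$1" '
        $3 == "ROOT" { print $1; next }
        $3 == "write" && index($4, p) == 0 { print $1 }' | sort -u
}

# `sh etcd_audit.sh report /xishu/` prints the matrix and the escalation list;
# sourcing the file just defines the functions.
if [ "${1:-}" = "report" ]; then
    audit_rbac
    echo "--- users with root or write access outside ${2:-/xishu/} ---"
    writers_outside_prefix "${2:-/xishu/}"
fi
```

The root account itself always appears in the escalation list; the lines worth acting on are the other users that show up there, and any ordinary user that was granted the root role as a shortcut.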