Etcd權限配置


Etcd

go get -v go.etcd.io/etcd

關於go環境搭建可以參考Go起步

# Start etcd with its defaults; authentication has not been enabled yet.
$GOPATH/bin/etcd
# set/get are etcdctl v2-API commands; no credentials are needed at this stage.
etcdctl set foo bar
# bar

etcdctl get foo
# bar

Auth

  • 添加用戶root後默認有一個用戶: root和兩個角色: root / guest
etcdctl user list

# Prompts for the new root password; the commands below use the one entered here.
etcdctl user add root
# User root created

# The root user has to exist before authentication can be switched on.
etcdctl auth enable

# NOTE: "-u user:password" leaves the password in shell history and in the
# process list. Passing only "-u root" makes etcdctl prompt for it instead.
etcdctl -u root:zhzhzh123 user list
# root

etcdctl -u root:zhzhzh123 role list
# guest
# root

etcdctl -u root:zhzhzh123 role get root
# Role: root
# KV Read:
#   /*
# KV Write:
#   /*

# NOTE: at this point guest lists the same KV read/write on /* as root.
etcdctl -u root:zhzhzh123 role get guest
# Role: guest
# KV Read:
#   /*
# KV Write:
#   /*
  • 添加用戶cronsun和角色cronsun
# Add user cronsun (etcdctl prompts for its password)
etcdctl -u root:zhzhzh123 user add cronsun
etcdctl -u root:zhzhzh123 user list
# cronsun
# root

# Add role cronsun
etcdctl -u root:zhzhzh123 role add cronsun
etcdctl -u root:zhzhzh123 role list
# cronsun
# guest
# root

# Grant permissions to role cronsun.
# NOTE: '/*' gives the role read and write on every key, the same KV access
# the root role shows above. For least privilege, scope the path to the prefix
# the application actually uses (placeholder: '/<app-prefix>/*').
etcdctl -u root:zhzhzh123 role grant cronsun -path '/*' -readwrite
etcdctl -u root:zhzhzh123 role get cronsun
# Role: cronsun
# KV Read:
#   /*
# KV Write:
#   /*

# Assign role cronsun to user cronsun
etcdctl -u root:zhzhzh123 user grant cronsun -roles cronsun
etcdctl -u root:zhzhzh123 user get cronsun
# User: cronsun
# Roles:  cronsun
  • 撤銷角色guest權限（未帶認證信息的請求會以guest角色處理，而guest默認對 /* 可讀可寫，所以啟用認證後要撤銷它的權限，認證才真正生效）
# Remove guest's read and write on /*; the empty KV lists below confirm it.
etcdctl -u root:zhzhzh123 role revoke guest -path '/*' -readwrite
etcdctl -u root:zhzhzh123 role get guest
# Role: guest
# KV Read:
# KV Write:

Client

vim etcd.go
package main

import (
    "log"
    "time"
    "context"

    "go.etcd.io/etcd/client"
)

// main connects to a local etcd through the v2 client API, writes "/foo" = "bar"
// and reads it back, logging the response metadata of each call.
func main() {
	// No Username/Password is set here, so every request goes out unauthenticated.
	etcdCfg := client.Config{
		Endpoints: []string{"http://127.0.0.1:2379"},
		Transport: client.DefaultTransport,
		// set timeout per request to fail fast when the target endpoint is unavailable
		HeaderTimeoutPerRequest: time.Second,
	}
	cli, err := client.New(etcdCfg)
	if err != nil {
		log.Fatal(err)
	}
	keys := client.NewKeysAPI(cli)
	ctx := context.Background()

	// Write "/foo" = "bar". log.Fatal exits the process, so the success path
	// simply continues after the error check.
	log.Print("Setting '/foo' key with 'bar' value")
	setResp, err := keys.Set(ctx, "/foo", "bar", nil)
	if err != nil {
		log.Fatal(err)
	}
	// print common key info
	log.Printf("Set is done. Metadata is %q\n", setResp)

	// Read "/foo" back.
	log.Print("Getting '/foo' key value")
	getResp, err := keys.Get(ctx, "/foo", nil)
	if err != nil {
		log.Fatal(err)
	}
	// print common key info, then the value itself
	log.Printf("Get is done. Metadata is %q\n", getResp)
	log.Printf("%q key has %q value\n", getResp.Node.Key, getResp.Node.Value)
}
go run etcd.go
2018/12/17 17:34:32 Setting '/foo' key with 'bar' value
2018/12/17 17:34:32 110: The request requires user authentication (Insufficient credentials) [0]
exit status 1
// Unchanged code omitted.
    // Username and Password make the client authenticate as the cronsun
    // account created with etcdctl earlier on this page.
    cfg := client.Config{
        // NOTE: the endpoint is plain http, so the credentials below cross the
        // connection unencrypted. Outside a local test, use an https endpoint
        // with a Transport configured for TLS.
        Endpoints:               []string{"http://127.0.0.1:2379"},
        Username:                "cronsun",
        // NOTE: hard-coded for the demo, and the same literal as the root
        // password used in the etcdctl commands on this page. Give the account
        // its own password and load it from the environment or a secret store
        // instead of keeping it in source.
        Password:                "zhzhzh123",
        Transport:               client.DefaultTransport,
        // set timeout per request to fail fast when the target endpoint is unavailable
        HeaderTimeoutPerRequest: time.Second,
    }
// Unchanged code omitted.
go run etcd.go
2018/12/17 17:40:25 Setting '/foo' key with 'bar' value
2018/12/17 17:40:25 Set is done. Metadata is &{"set" "{Key: /foo, CreatedIndex: 21, ModifiedIndex: 21, TTL: 0}" "{Key: /foo, CreatedIndex: 12, ModifiedIndex: 12, TTL: 0}" '\x15' "cdf818194e3a8c32"}
2018/12/17 17:40:25 Getting '/foo' key value
2018/12/17 17:40:25 Get is done. Metadata is &{"get" "{Key: /foo, CreatedIndex: 21, ModifiedIndex: 21, TTL: 0}" <nil> '\x15' "cdf818194e3a8c32"}
2018/12/17 17:40:25 "/foo" key has "bar" value

參考
