etcd 的访问控制

Etcd Add comments

8月 152016

https://coreos.com/etcd/docs/latest/auth_api.html

auth enable 之前必须添加root用户，添加时设置密码：

etcdctl --endpoints http://172.16.22.36:2379 user add root

1	etcdctl --endpoints http://172.16.22.36:2379 user add root

开启认证：

etcdctl --endpoints http://172.16.22.36:2379 auth enable

1	etcdctl --endpoints http://172.16.22.36:2379 auth enable

添加一个非特权账号：（注意，这时候就需要有权限的用户来操作了）

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user add phpor

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user add phpor

查看有哪些账号：

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user list

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user list

添加角色：

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role add test1

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role add test1

给角色添加能力：

通过 –help 查看用法：

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role grant --help

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role grant --help

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role grant --rw --path /test1 test1

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role grant --rw --path /test1 test1

注意，这里只添加了 /test1 的读写权限，不包含其子目录（文件），如果需要包含，请这么写：

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role grant --rw --path /test1/* test1

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role grant --rw --path /test1/* test1

查看有哪些角色了：

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role list

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role list

查看指定角色的权限：

# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role get test1
Role: test1
KV Read:
	/test1
	/test1/*
KV Write:
	/test1
	/test1/*

# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 role get test1

Role: test1

KV Read:

/test1

/test1/*

KV Write:

/test1

/test1/*

将用户添加到角色：

etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user grant --roles test1 phpor

1	etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user grant --roles test1 phpor

查看用户拥有哪些角色：

# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user get phpor
User: phpor
Roles:  test1

# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user get phpor

User: phpor

Roles: test1

列出etcd中的所有key：（-p 选项在目录的后面添加 /）

# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 ls / -r -p

1	# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 ls / -r -p

关于用户的更多操作：

# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user --help
NAME:
   etcdctl user - user add, grant and revoke subcommands

USAGE:
   etcdctl user command [command options] [arguments...]

COMMANDS:
     add     add a new user for the etcd cluster
     get     get details for a user
     list    list all current users
     remove  remove a user for the etcd cluster
     grant   grant roles to an etcd user
     revoke  revoke roles for an etcd user
     passwd  change password for a user

OPTIONS:
   --help, -h  show help

# etcdctl --endpoints http://172.16.22.36:2379 --username root:2379 user --help

NAME:

etcdctl user - user add, grant and revoke subcommands

USAGE:

etcdctl user command [command options] [arguments...]

COMMANDS:

add add a new user for the etcd cluster

get get details for a user

list list all current users

remove remove a user for the etcd cluster

grant grant roles to an etcd user

revoke revoke roles for an etcd user

passwd change password for a user

OPTIONS:

--help, -h show help

原文链接：https://phpor.net/blog/post/3907

PHPor 的Blog

etcd 的访问控制

Leave a Reply Cancel reply