I start my etcd cluster using Go etcd/clientv3 with the following parameters:
"--name", "etcd-cluster",
"--data-dir", "/var/lib/etcd",
"--wal-dir", "/var/lib",
"--listen-client-urls", "127.0.0.1:2379",
"--listen-peer-urls", "127.0.0.1:2380",
"--advertise-client-urls", "127.0.0.1:2379",
"--initial-advertise-peer-urls", "127.0.0.1:2380",
"--initial-cluster", "cluster",
"--initial-cluster-state", "new",
"--initial-cluster-token", "election",
"--cert-file", "tls.pem",
"--key-file", "tls.key",
"--client-cert-auth",
"--trusted-ca-file", "ca.pem",
"--peer-client-cert-auth",
"--peer-trusted-ca-file", "peer-ca.pem",
"--peer-cert-file", "peer-cert.pem",
"--peer-key-file", "peer.key",
Then I run the following commands:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user add myuser
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role add myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem role grant-permission myrole read /events/1
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role root root
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem user grant-role myuser myrole
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem auth enable
The etcd documentation for authentication says that if a client uses a TLS certificate, the CN is taken from that certificate and used as the etcd user. My certificate tls.pem has CN=myuser, and therefore:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem put /events/1 value
will result in permission denied, which is correct, since only read permission is given to myuser. However, the documentation also says that if the --user option is used along with TLS certificates, that --user will have priority over the CN. This means that if I run:
env ETCDCTL_API=3 etcdctl --endpoints=localhost:2379 --cert tls.pem --key tls.key --cacert ca.pem --user=root:mypass put /events/1 value
then the root user should be used to perform that operation, which I expect to result in OK. However, that doesn't happen; instead I get the same thing: permission denied. What can cause that problem? Thank you in advance!
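When debugging a setup like the one in this question, the first thing to pin down is which identity the server actually sees: with --client-cert-auth the etcd user is the certificate's CN, and the --user=name:password argument names a second, different identity. The script below is an added example (not code from the post or from the etcd project) that reads the CN back out of a PEM certificate with openssl and compares it against the user named in an etcdctl --user argument. It constructs a throwaway self-signed certificate with CN=myuser for the demonstration; in practice you would point cert_cn at the real tls.pem. The function names and the demo certificate are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check the identity an etcd client certificate carries.
# Assumes openssl is installed; no etcd server is needed.
set -eu

# Print the CN from a PEM certificate (the name etcd maps to a user when
# --client-cert-auth is set), e.g. "myuser". RFC2253 output keeps the
# subject on one line as "subject=CN=myuser[,O=...]".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Extract the user name from an etcdctl argument of the form
# "--user=name:password" (or just "name:password").
user_from_arg() {
    arg=${1#--user=}
    printf '%s\n' "${arg%%:*}"
}

# Succeed (exit 0) when the --user argument names a different user than
# the certificate CN, i.e. when the request relies on the documented
# username/password-over-CN priority; fail when both name the same user.
user_overrides_cn() {
    cn=$(cert_cn "$1")
    want=$(user_from_arg "$2")
    [ "$cn" != "$want" ]
}

# Constructed demo certificate with CN=myuser, written to a temp directory.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=myuser" -keyout "$dir/tls.key" -out "$dir/tls.pem" \
        >/dev/null 2>&1
    printf '%s\n' "$dir/tls.pem"
}

# Stand-alone usage: report both identities side by side.
if [ "${1:-}" = "--demo" ]; then
    cert=$(make_demo_cert)
    echo "certificate CN (user when --client-cert-auth): $(cert_cn "$cert")"
    echo "user named by --user=root:mypass:              $(user_from_arg --user=root:mypass)"
    if user_overrides_cn "$cert" --user=root:mypass; then
        echo "--user names a different user than the CN; that user's password must be the one etcd knows"
    fi
fi
```

Run it as `sh check_cn.sh --demo`. If the CN printed for your real tls.pem is not the user you expect, the permission check is being evaluated against a different etcd user than intended; if the CN is correct and --user names another user, the password in that argument has to match the one that user was created with.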