current v3.4.0 v3.3.13 v3.3.12 v3.2.17 v3.1.12 v2
Version current home Overview Demo Download and build FAQ Branch management Libraries and tools Metrics Reporting bugs Tuning Discovery service protocol etcd release guide Logging conventions Golang modules Learning Data model etcd client design etcd learner design etcd v3 authentication design etcd3 API KV API guarantees etcd versus other key-value stores Glossary Developer guide Set up a local cluster Interacting with etcd Why gRPC gateway gRPC naming and discovery System limits Experimental APIs and features Operations guide Configuration flags Role-based access control Transport security model Clustering Guide Run etcd clusters inside containers Failure modes Disaster recovery etcd gateway gRPC proxy Hardware recommendations Maintenance Monitoring etcd Performance Design of runtime reconfiguration Runtime reconfiguration Supported systems Migrate applications from using API v2 to API v3 Versioning Benchmarks Storage Memory Usage Benchmark Watch Memory Usage Benchmark Benchmarking etcd v3 Benchmarking etcd v2.2.0-rc-memory Benchmarking etcd v2.2.0-rc Benchmarking etcd v2.2.0 Benchmarking etcd v2.1.0 Upgrading Upgrading etcd clusters and applications Upgrade etcd from 3.4 to 3.5 Upgrade etcd from 3.3 to 3.4 Upgrade etcd from 3.2 to 3.3 Upgrade etcd from 3.1 to 3.2 Upgrade etcd from 3.0 to 3.1 Upgrade etcd from 2.3 to 3.0 Platforms Amazon Web Services Container Linux with systemd FreeBSD Triage Issue Triage Guidelines
Edit this page

Role-based access control

A basic authentication and role-based access control guide

Overview

Authentication was added in etcd 2.1. The etcd v3 API slightly modified the authentication feature’s API and user interface to better fit the new data model. This guide is intended to help users set up basic authentication and role-based access control in etcd v3.

Special users and roles

There is one special user, root, and one special role, root.

User root

The root user, which has full access to etcd, must be created before activating authentication. The idea behind the root user is for administrative purposes: managing roles and ordinary users. The root user must have the root role and is allowed to change anything inside etcd.

Role root

The role root may be granted to any user, in addition to the root user. A user with the root role has both global read-write access and permission to update the cluster’s authentication configuration. Furthermore, the root role grants privileges for general cluster maintenance, including modifying cluster membership, defragmenting the store, and taking snapshots.

Working with users

The user subcommand for etcdctl handles all things having to do with user accounts.

A listing of users can be found with:

$ etcdctl user list

Creating a user is as easy as

$ etcdctl user add myusername

Creating a new user will prompt for a new password. The password can be supplied from standard input when an option --interactive=false is given. --new-user-password can also be used for supplying the password.

Roles can be granted and revoked for a user with:

$ etcdctl user grant-role myusername foo
$ etcdctl user revoke-role myusername bar

The user’s settings can be inspected with:

$ etcdctl user get myusername

And the password for a user can be changed with

$ etcdctl user passwd myusername

Changing the password will prompt again for a new password. The password can be supplied from standard input when an option --interactive=false is given.

Delete an account with:

$ etcdctl user delete myusername

Working with roles

The role subcommand for etcdctl handles all things having to do with access controls for particular roles, as were granted to individual users.

List roles with:

$ etcdctl role list

Create a new role with:

$ etcdctl role add myrolename

A role has no password; it merely defines a new set of access rights.

Roles are granted access to a single key or a range of keys.

The range can be specified as an interval [start-key, end-key) where start-key should be lexically less than end-key in an alphabetical manner.

Access can be granted as either read, write, or both, as in the following examples:

# Give read access to a key /foo
$ etcdctl role grant-permission myrolename read /foo

# Give read access to keys with a prefix /foo/. The prefix is equal to the range [/foo/, /foo0)
$ etcdctl role grant-permission myrolename --prefix=true read /foo/

# Give write-only access to the key at /foo/bar
$ etcdctl role grant-permission myrolename write /foo/bar

# Give full access to keys in a range of [key1, key5)
$ etcdctl role grant-permission myrolename readwrite key1 key5

# Give full access to keys with a prefix /pub/
$ etcdctl role grant-permission myrolename --prefix=true readwrite /pub/

To see what’s granted, we can look at the role at any time:

$ etcdctl role get myrolename

Revocation of permissions is done the same logical way:

$ etcdctl role revoke-permission myrolename /foo/bar

As is removing a role entirely:

$ etcdctl role delete myrolename

Enabling authentication

The minimal steps to enabling auth are as follows. The administrator can set up users and roles before or after enabling authentication, as a matter of preference.

Make sure the root user is created:

$ etcdctl user add root
Password of root:

Enable authentication:

$ etcdctl auth enable

After this, etcd is running with authentication enabled. To disable it for any reason, use the reciprocal command:

$ etcdctl --user root:rootpw auth disable

Using etcdctl to authenticate

etcdctl supports a similar flag as curl for authentication.

$ etcdctl --user user:password get foo

The password can be taken from a prompt:

$ etcdctl --user user get foo

The password can also be taken from a command line flag --password:

$ etcdctl --user user --password password get foo

Otherwise, all etcdctl commands remain the same. Users and roles can still be created and modified, but require authentication by a user with the root role.

Using TLS Common Name

As of version v3.2 if an etcd server is launched with the option --client-cert-auth=true, the field of Common Name (CN) in the client’s TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. --client-cert-auth=true is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. Note that this feature cannot be used with gRPC-proxy and gRPC-gateway. This is because gRPC-proxy terminates TLS from its client so all the clients share a cert of the proxy. gRPC-gateway uses a TLS connection internally for transforming HTTP request to gRPC request so it shares the same limitation. Therefore the clients cannot provide their CN to the server correctly. gRPC-proxy will cause an error and stop if a given cert has non empty CN. gRPC-proxy returns an error which indicates that the client has an non empty CN in its cert.

As of version v3.3 if an etcd server is launched with the option --peer-cert-allowed-cn or --peer-cert-allowed-hostname filtering of inter-peer connections is enabled. Nodes can only join the etcd cluster if their TLS certificate identity match the allowed one. See etcd security page for more details.

Notes on password strength

The etcdctl and etcd API do not enforce a specific password length during user creation or user password update operations. It is the responsibility of the administrator to enforce these requirements.

© etcd Authors 2021 | Documentation Distributed under CC-BY-4.0

© 2021 The Linux Foundation. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.
For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.

Role-based access control