Grant-permissions with wildcards in V3

[sergeyfd]

Hello,

How can I grant permissions to all keys, or to keys wit a certain prefix, in V3 etcd to some role? I created a role with the following permissions:

Role etcd
KV Read:
    *
    [*, *)
    .*
    /*
    etcd
    etcd*
KV Write:
    *
    [*, *)
    .*
    /*
    etcd
    etcd*

But so far this role is only able to get/put etcd key and nothing else.

[xiang90]

we do not support widecard for auth right now. only explicit range is supported

[sergeyfd]

What is a range in this context?

[xiang90]

@sergeyfd Permission on a range of keys like from foo to foo10.

[sergeyfd]

But:

get etcd
Role etcd
KV Read:
    *
    [*, *)
    .*
    /*
    etcd
    etcd*
    [etcd0, etcd100)
KV Write:
    *
    [*, *)
    .*
    /*
    etcd
    etcd*
    [etcd0, etcd100)

-bash-4.2$ etcdctl --user etcd:etcd get etcd20
Error:  etcdserver: permission denied

[xiang90]

etcd20 is not in any range I think. etcd20 > etcd100.

[sergeyfd]

Kind of weird but Ok. get on etcd020 works. Thanks for the explanation.

[xiang90]

@sergeyfd Shall we close this issue? Or you still want the wide card support?

[sergeyfd]

Will you add it if I keep it open? :-)

If you have no plans for adding such support, then yes, it's Ok to close it.

[xiang90]

@sergeyfd We do not have plan. But if there is a strong use case, we might consider. If you think range can achieve what you want for now, we shall close it. Based on your reply, seems that range is good enough for you.

[sergeyfd]

I should be Ok for now. But I bet you that eventually you'll have to add that support.