Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

etcdctl/ctlv3: auth: cannot create a root role who can readwrite all keys #6355

Closed
glycerine opened this issue Sep 6, 2016 · 6 comments · Fixed by #6356
Closed

etcdctl/ctlv3: auth: cannot create a root role who can readwrite all keys #6355

glycerine opened this issue Sep 6, 2016 · 6 comments · Fixed by #6356
Labels
area/performance

Comments

@glycerine
Copy link
Contributor

v3 api: I'd like to create a root role who can read and write anything. Unfortunately, the '*' wildcard is ignored, so this appears... to be impossible?

both full wildcard * and partial wildcard a* seem to be ignored.

osx 10.11.6
etcd at the recent commit 2e0dc8467d95904a20300b34e6ce4422f79cd2e7
$ env|grep ETCD
ETCDCTL_API=3
$ etcdctl version
etcdctl version
etcdctl version: 3.0.0+git
API version: 3.0
$ etcdctl user add root
etcdctl user add root
Password of root: 123

Type password of root again for confirmation: 123

User root created
$
$ etcdctl role add root
etcdctl role add root
Role root created
$ etcdctl user grant-role root root
etcdctl user grant-role root root
Role root is granted to user root
$ etcdctl role grant-permission root readwrite '*'
Role root updated
$ etcdctl role get root
etcdctl role get root
Role root
KV Read:
    *
KV Write:
    *
$ etcdctl get a z
etcdctl get a z
croca
dile
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl get a z
etcdctl get a z
Error:  rpc error: code = 2 desc = auth: revision in header is old
$ etcdctl --user root:123 get a z
etcdctl --user root:123 get a z
Error:  etcdserver: permission denied
$ etcdctl --user root:123 auth disable
etcdctl --user root:123 auth disable
Authentication Disabled
$ etcdctl get a z
etcdctl get a z
croca
dile
$  etcdctl user get root
 etcdctl user get root
User: root
Roles: root
$  etcdctl role get root
 etcdctl role get root
Role root
KV Read:
    *
KV Write:
    *
$ etcdctl --user root:123 auth enable
etcdctl --user root:123 auth enable
Error:  etcdserver: authentication is not enabled
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl --user root:123 auth disable
etcdctl --user root:123 auth disable
Authentication Disabled
$ etcdctl --user root:123 role grant-permission root readwrite 'croca'
etcdctl --user root:123 role grant-permission root readwrite 'croca'
Error:  etcdserver: authentication is not enabled
$ etcdctl role grant-permission root readwrite 'croca'
etcdctl role grant-permission root readwrite 'croca'
Role root updated
$ etcdctl role get root
etcdctl role get root
Role root
KV Read:
    *
    croca
KV Write:
    *
    croca
$ etcdctl get croca
etcdctl get croca
croca
dile
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl get croca
etcdctl get croca
Error:  rpc error: code = 2 desc = auth: revision in header is old
$ etcdctl --user root:123 get croca
etcdctl --user root:123 get croca
croca
dile
$ etcdctl --user root:123 put ali gator
etcdctl --user root:123 put ali gator
Error:  etcdserver: permission denied
$ etcdctl --user root:123 auth disable
etcdctl --user root:123 auth disable
Authentication Disabled
$ etcdctl role grant-permission root readwrite 'a*'
etcdctl role grant-permission root readwrite 'a*'
Role root updated
$ etcdctl role get root
etcdctl role get root
Role root
KV Read:
    *
    a*
    croca
KV Write:
    *
    a*
    croca
$ etcdctl get a z
etcdctl get a z
croca
dile
$ etcdctl put ali gator
etcdctl put ali gator
OK
$ etcdctl get a z
etcdctl get a z
ali
gator
croca
dile
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl --user root:123 get a z
etcdctl --user root:123 get a z
Error:  etcdserver: permission denied
$ etcdctl --user root:123 get ali
etcdctl --user root:123 get ali
Error:  etcdserver: permission denied
$ etcdctl --user root:123 get croca
etcdctl --user root:123 get croca
croca
dile
$
@soyking
Copy link

soyking commented Sep 6, 2016

I have the same question and I found this:

#5896

It seems that they have no plans about this:(

@xiang90
Copy link
Contributor

xiang90 commented Sep 6, 2016

@soyking These are different issues. We should make root role be able to readwrite all keys by default. /cc @mitake

@mitake
Copy link
Contributor

mitake commented Sep 6, 2016

@glycerine @soyking @xiang90 I think the root role and users who are granted the role should be able to access to all keys (currently the role doesn't have the permission). So I'd like to update the semantics of the root role.

It seems that the prefix permission is required by some people so I'll work on it.

mitake added a commit to mitake/etcd that referenced this issue Sep 6, 2016
@mitake
auth, e2e: the root role should be granted access to every key
3d0602b 
This commit changes the semantics of the root role. The role should be
able to access to every key.

Partially fixes etcd-io#6355
@mitake mitake mentioned this issue Sep 6, 2016
Merged
@soyking
Copy link

soyking commented Sep 6, 2016

@mitake

Looking forward it :)
But I think supporting * is better. the way in mitake@3d0602b is a little "rough":)

@mitake
Copy link
Contributor

mitake commented Sep 6, 2016

@soyking yes, the PR is just fixing the root role. The prefix permission is an independent topic from the PR.

mitake added a commit to mitake/etcd that referenced this issue Sep 6, 2016
@mitake
auth, e2e, clientv3: the root role should be granted access to every key
dff384e 
This commit changes the semantics of the root role. The role should be
able to access to every key.

Partially fixes etcd-io#6355
mitake added a commit to mitake/etcd that referenced this issue Sep 6, 2016
@mitake
auth, e2e, clientv3: the root role should be granted access to every key
b7f20aa 
This commit changes the semantics of the root role. The role should be
able to access to every key.

Partially fixes etcd-io#6355
mitake added a commit to mitake/etcd that referenced this issue Sep 6, 2016
@mitake
auth, e2e, clientv3: the root role should be granted access to every key
bc5d7bb 
This commit changes the semantics of the root role. The role should be
able to access to every key.

Partially fixes etcd-io#6355
@glycerine
Copy link
Contributor Author

Yay! Thank you @mitake and @xiang90.

@glycerine glycerine mentioned this issue Sep 6, 2016
Closed
gyuho pushed a commit that referenced this issue Oct 11, 2016
@mitake @gyuho
auth, e2e, clientv3: the root role should be granted access to every key
ca91f89 
This commit changes the semantics of the root role. The role should be
able to access to every key.

Partially fixes #6355
@mitake mitake mentioned this issue May 16, 2021
Closed
@mitake mitake mentioned this issue Aug 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/performance
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

auth, e2e: the root role should be granted access to every key mitake/etcd
4 participants
@glycerine @mitake @soyking @xiang90