Ability to create users without a password #9590

Closed
crielly opened this issue Apr 19, 2018 · 7 comments · Fixed by #9817

crielly commented Apr 19, 2018

It would be useful to be able to create a user which does not have a password. Having attempted it via etcdctl, the v2 and v3 APIs, this does not currently seem possible.

Since one of the options for authentication is via Client Certificate CN, a password is not strictly necessary even for the root user. It would be nice if you could:

  • create a user via API with an empty string for a password
  • create a user via etcdctl with a flag like --nopass so it didn't prompt you for one (useful for scripted setup of a cluster)
@hexfusion
Contributor

/cc @mitake

Contributor

mitake commented Apr 20, 2018

@crielly what is the use case of empty password users? I want to understand your motivation.

Author

crielly commented Apr 20, 2018

@mitake Kubernetes. All auth to the etcd cluster will be done via client certificate; a password is just unnecessary attack surface for this situation. Additionally, it forces you to create users via the v3 API if you want cluster standup to be automated, since etcdctl will prompt for a password rather than accepting it as a flag (or a --nopass flag).

Contributor

mitake commented Apr 25, 2018

@crielly I understood your motivation. So the user with no password shouldn't allow password based auth, right? I'll work on it when I can allocate time (probably this week).

@mitake mitake self-assigned this Apr 25, 2018
Contributor

mitake commented Apr 25, 2018

@crielly BTW, just not enabling auth isn't suitable for your use case?

Author

crielly commented Apr 25, 2018

@mitake Yeah, ideally you would be able to create a user without ever supplying a password, which would effectively also disable password authentication for that user.

No, no-auth is not an option. Etcd is effectively a backdoor into Kubernetes without authorization.

Contributor

mitake commented May 29, 2018

I can start working on this after merging #9730

mitake added a commit to mitake/etcd that referenced this issue Jun 7, 2018
This commit adds a feature for creating a user without password. The
purpose of the feature is reducing attack surface by configuring bad
passwords (CN based auth will be allowed for the user).

The feature can be used with `--no-password` of `etcdctl user add`
command.

Fix etcd-io#9590
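
The prompt-free, certificate-only cluster setup requested in this issue, sketched as an added example that is not part of the thread or of the etcd code base. It assumes an etcdctl build that includes `--no-password`; the endpoint, certificate paths, function names, the `kube-apiserver` user, the `-rw` role suffix and the `/registry/` prefix are illustrative assumptions, and `admin.crt` is assumed to carry CN=root so it keeps working once auth is enabled.

```bash
#!/usr/bin/env bash
# Added example, not from the etcd project. Endpoint, certificate paths,
# user/role names and the key prefix are assumptions for illustration.
ETCD_ENDPOINT="${ETCD_ENDPOINT:-https://127.0.0.1:2379}"
ETCD_PKI="${ETCD_PKI:-/etc/etcd/pki}"

# etcdctl authenticated by the admin client certificate (no --user/password).
ectl() {
  etcdctl --endpoints="$ETCD_ENDPOINT" --cacert="$ETCD_PKI/ca.crt" \
    --cert="$ETCD_PKI/admin.crt" --key="$ETCD_PKI/admin.key" "$@"
}

# Create a user with no password; only a client certificate whose CN equals
# the user name can then act as this user. Safe to re-run.
add_cert_only_user() {
  if ectl user list | grep -qxF -- "$1"; then return 0; fi
  ectl user add "$1" --no-password
}

# Create a role if it does not exist yet.
ensure_role() {
  if ectl role list | grep -qxF -- "$1"; then return 0; fi
  ectl role add "$1"
}

# $1 = application user (certificate CN), $2 = key prefix it may read/write.
# Stops at the first failing step so auth is never enabled half-configured.
provision_cluster_auth() {
  local app_user="$1" prefix="$2" role="$1-rw"
  add_cert_only_user root &&
  ensure_role root &&
  ectl user grant-role root root &&
  add_cert_only_user "$app_user" &&
  ensure_role "$role" &&
  ectl role grant-permission "$role" readwrite "$prefix" --prefix=true &&
  ectl user grant-role "$app_user" "$role" &&
  ectl auth enable
}

# Example call: provision_cluster_auth kube-apiserver /registry/
```

CN-based authentication only takes effect when the etcd server verifies client certificates (`--client-cert-auth` with a trusted CA), so the CA that signs these certificates becomes the sole credential authority for the cluster.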
mitake added a commit to mitake/etcd that referenced this issue Jun 12, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 13, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 13, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 14, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 18, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 18, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 18, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 19, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 19, 2018
mitake added a commit to mitake/etcd that referenced this issue Jun 20, 2018
mitake added a commit to mitake/etcd that referenced this issue Jul 29, 2018
mitake added a commit to mitake/etcd that referenced this issue Sep 8, 2018
mitake added a commit to mitake/etcd that referenced this issue Oct 1, 2018
@joelegasse joelegasse removed their assignment Oct 11, 2018
mitake added a commit to mitake/etcd that referenced this issue Jan 9, 2019
mitake added a commit to mitake/etcd that referenced this issue Jan 9, 2019
mitake added a commit to mitake/etcd that referenced this issue Apr 30, 2019
mitake added a commit to mitake/etcd that referenced this issue May 29, 2019
mitake added a commit to mitake/etcd that referenced this issue May 30, 2019