*: support creating a user without password
This commit adds a feature for creating a user without a password. The
purpose of the feature is reducing attack surface by configuring bad
passwords (CN based auth will be allowed for the user).

The feature can be used with `--no-password` of `etcdctl user add`
command.

Fix etcd-io#9590
mitake committed Jun 19, 2018
1 parent bb744f6 commit ebb1385
Showing 11 changed files with 638 additions and 338 deletions.
10 changes: 10 additions & 0 deletions Documentation/dev-guide/api_reference_v3.md
@@ -245,6 +245,7 @@ Empty field.
| ----- | ----------- | ---- |
| name | | string |
| password | | string |
| options | | authpb.UserAddOptions |



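Review bot: the new `options` row in the UserAddRequest table has an empty Description column, and because this table is generated from auth.proto the only way to fill it is a leading comment on `UserAddOptions` / `no_password` in the proto; without it, readers of the API reference cannot tell that the option disables password authentication for the user being created, which is the whole point of the commit.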
@@ -945,6 +946,15 @@ User is a single entry in the bucket authUsers
| name | | bytes |
| password | | bytes |
| roles | | (slice of) string |
| options | | UserAddOptions |



##### message `UserAddOptions` (auth/authpb/auth.proto)

| Field | Description | Type |
| ----- | ----------- | ---- |
| no_password | | bool |



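Review bot: `options` is now part of the persisted `User` record, so the `no_password` flag is stored in the auth bucket right next to the `password` field; the reference should state what the relationship between the two is (the `password` field is expected to be empty and must not be consulted for authentication when `no_password` is set), since a reader of the `User` table can otherwise assume both are usable at once. The new `UserAddOptions` table also ships with an empty Description for `no_password`.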
12 changes: 12 additions & 0 deletions Documentation/dev-guide/apispec/swagger/rpc.swagger.json
@@ -1192,6 +1192,15 @@
"READWRITE"
]
},
"authpbUserAddOptions": {
"type": "object",
"properties": {
"no_password": {
"type": "boolean",
"format": "boolean"
}
}
},
"etcdserverpbAlarmMember": {
"type": "object",
"properties": {
@@ -1393,6 +1402,9 @@
"name": {
"type": "string"
},
"options": {
"$ref": "#/definitions/authpbUserAddOptions"
},
"password": {
"type": "string"
}
222 changes: 196 additions & 26 deletions auth/authpb/auth.pb.go


5 changes: 5 additions & 0 deletions auth/authpb/auth.proto
@@ -9,11 +9,16 @@ option (gogoproto.unmarshaler_all) = true;
option (gogoproto.goproto_getters_all) = false;
option (gogoproto.goproto_enum_prefix_all) = false;

message UserAddOptions {
bool no_password = 1;
};

// User is a single entry in the bucket authUsers
message User {
bytes name = 1;
bytes password = 2;
repeated string roles = 3;
UserAddOptions options = 4;
}

// Permission is a single entity
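Review bot: the trailing `;` after the closing brace of `message UserAddOptions { ... };` is an empty statement that protoc tolerates but none of the neighbouring messages in this file use; drop it for consistency. The new message and its `no_password` field also carry no comment, which is why the generated API reference and swagger spec in this commit describe the option with an empty description; a one-line comment such as `// no_password disables password authentication for this user` fixes all three files at once. Lastly, `UserAddOptions options = 4;` is a new message-typed field on the stored `User`, so records written before this change decode with a nil `options`; any server code that reads `no_password` has to nil-check `options` first rather than assume it is populated for every user.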
