etcdctl/ctlv3: auth: cannot create a root role who can readwrite all keys #6355

Closed
glycerine opened this issue Sep 6, 2016 · 6 comments · Fixed by #6356

@glycerine
Contributor

v3 api: I'd like to create a root role who can read and write anything. Unfortunately, the '*' wildcard is ignored, so this appears... to be impossible?

Both the full wildcard * and the partial wildcard a* seem to be ignored.

osx 10.11.6
etcd at the recent commit 2e0dc8467d95904a20300b34e6ce4422f79cd2e7
$ env|grep ETCD
ETCDCTL_API=3
$ etcdctl version
etcdctl version
etcdctl version: 3.0.0+git
API version: 3.0
$ etcdctl user add root
etcdctl user add root
Password of root: 123

Type password of root again for confirmation: 123

User root created
$
$ etcdctl role add root
etcdctl role add root
Role root created
$ etcdctl user grant-role root root
etcdctl user grant-role root root
Role root is granted to user root
$ etcdctl role grant-permission root readwrite '*'
Role root updated
$ etcdctl role get root
etcdctl role get root
Role root
KV Read:
    *
KV Write:
    *
$ etcdctl get a z
etcdctl get a z
croca
dile
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl get a z
etcdctl get a z
Error:  rpc error: code = 2 desc = auth: revision in header is old
$ etcdctl --user root:123 get a z
etcdctl --user root:123 get a z
Error:  etcdserver: permission denied
$ etcdctl --user root:123 auth disable
etcdctl --user root:123 auth disable
Authentication Disabled
$ etcdctl get a z
etcdctl get a z
croca
dile
$  etcdctl user get root
 etcdctl user get root
User: root
Roles: root
$  etcdctl role get root
 etcdctl role get root
Role root
KV Read:
    *
KV Write:
    *
$ etcdctl --user root:123 auth enable
etcdctl --user root:123 auth enable
Error:  etcdserver: authentication is not enabled
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl --user root:123 auth disable
etcdctl --user root:123 auth disable
Authentication Disabled
$ etcdctl --user root:123 role grant-permission root readwrite 'croca'
etcdctl --user root:123 role grant-permission root readwrite 'croca'
Error:  etcdserver: authentication is not enabled
$ etcdctl role grant-permission root readwrite 'croca'
etcdctl role grant-permission root readwrite 'croca'
Role root updated
$ etcdctl role get root
etcdctl role get root
Role root
KV Read:
    *
    croca
KV Write:
    *
    croca
$ etcdctl get croca
etcdctl get croca
croca
dile
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl get croca
etcdctl get croca
Error:  rpc error: code = 2 desc = auth: revision in header is old
$ etcdctl --user root:123 get croca
etcdctl --user root:123 get croca
croca
dile
$ etcdctl --user root:123 put ali gator
etcdctl --user root:123 put ali gator
Error:  etcdserver: permission denied
$ etcdctl --user root:123 auth disable
etcdctl --user root:123 auth disable
Authentication Disabled
$ etcdctl role grant-permission root readwrite 'a*'
etcdctl role grant-permission root readwrite 'a*'
Role root updated
$ etcdctl role get root
etcdctl role get root
Role root
KV Read:
    *
    a*
    croca
KV Write:
    *
    a*
    croca
$ etcdctl get a z
etcdctl get a z
croca
dile
$ etcdctl put ali gator
etcdctl put ali gator
OK
$ etcdctl get a z
etcdctl get a z
ali
gator
croca
dile
$ etcdctl auth enable
etcdctl auth enable
Authentication Enabled
$ etcdctl --user root:123 get a z
etcdctl --user root:123 get a z
Error:  etcdserver: permission denied
$ etcdctl --user root:123 get ali
etcdctl --user root:123 get ali
Error:  etcdserver: permission denied
$ etcdctl --user root:123 get croca
etcdctl --user root:123 get croca
croca
dile
$
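An added illustration of why the `'*'` grant in the session above is ignored; this is example code written for this page, not code from the issue or from etcd itself. etcd v3 auth stores each permission as a byte range [key, range_end), so a grant of `'*'` with no range end covers only the literal key named `*`; the model below (assumed names `Perm`, `AllKeys`, `PrefixPerm`, `Allowed`) shows the single-key check next to the open-ended range a root role would need and the prefix range `a*` was meant to express:

```go
package main

import "bytes"

// Perm models one etcd v3 auth permission as the byte range [Key, RangeEnd); an empty
// RangeEnd means exactly one key, RangeEnd "\x00" means no upper bound. (Illustration, not etcd code.)
type Perm struct {
	Key      []byte
	RangeEnd []byte
}

// Covers reports whether key k falls inside the permission's range.
func (p Perm) Covers(k []byte) bool {
	if len(p.RangeEnd) == 0 {
		return bytes.Equal(p.Key, k) // single-key grant: '*' matches only "*"
	}
	if bytes.Compare(k, p.Key) < 0 {
		return false
	}
	if len(p.RangeEnd) == 1 && p.RangeEnd[0] == 0 {
		return true // open-ended range
	}
	return bytes.Compare(k, p.RangeEnd) < 0
}

// AllKeys is the range ["", "\x00"): what a root role needs to reach every key.
var AllKeys = Perm{Key: []byte{}, RangeEnd: []byte{0}}

// PrefixPerm builds the range covering every key that starts with prefix by
// incrementing the last byte below 0xff, so "a" becomes ["a", "b").
func PrefixPerm(prefix string) Perm {
	end := []byte(prefix)
	for i := len(end) - 1; i >= 0; i-- {
		if end[i] < 0xff {
			end[i]++
			return Perm{Key: []byte(prefix), RangeEnd: end[:i+1]}
		}
	}
	return Perm{Key: []byte(prefix), RangeEnd: []byte{0}} // all 0xff: open-ended
}

// Allowed reports whether any granted permission covers key (the server-side check).
func Allowed(perms []Perm, key string) bool {
	for _, p := range perms {
		if p.Covers([]byte(key)) {
			return true
		}
	}
	return false
}
```

With only `Perm{Key: []byte("*")}` granted, `Allowed` denies "croca" and "ali" exactly as the session shows, while `AllKeys` permits them and `PrefixPerm("a")` permits "ali" but not "croca".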
@soyking

soyking commented Sep 6, 2016

I have the same question and I found this:

#5896

It seems that they have no plans for this :(

@xiang90
Contributor

xiang90 commented Sep 6, 2016

@soyking These are different issues. We should make root role be able to readwrite all keys by default. /cc @mitake

@mitake
Contributor

mitake commented Sep 6, 2016

@glycerine @soyking @xiang90 I think the root role and users who are granted the role should be able to access all keys (currently the role doesn't have the permission). So I'd like to update the semantics of the root role.

It seems that the prefix permission is required by some people so I'll work on it.

mitake added a commit to mitake/etcd that referenced this issue Sep 6, 2016
This commit changes the semantics of the root role. The role should be
able to access to every key.

Partially fixes etcd-io#6355
@soyking

soyking commented Sep 6, 2016

@mitake

Looking forward to it :)
But I think supporting * is better. The way in mitake@3d0602b is a little "rough" :)

@mitake
Contributor

mitake commented Sep 6, 2016

@soyking yes, the PR is just fixing the root role. The prefix permission is an independent topic from the PR.

@glycerine
Contributor Author

Yay! Thank you @mitake and @xiang90.

gyuho pushed a commit that referenced this issue Oct 11, 2016
This commit changes the semantics of the root role. The role should be
able to access to every key.

Partially fixes #6355