etcd-io · gyuho · Jun 1, 2019 · Jun 6, 2018 · Jun 12, 2018 · Jan 9, 2019
diff --git a/CHANGELOG-3.4.md b/CHANGELOG-3.4.md
@@ -57,6 +57,7 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.3.0...v3.4.0) and
 - Add [consistency check in snapshot status](https://github.com/etcd-io/etcd/pull/10109). If consistency check on snapshot file fails, `snapshot status` returns `"snapshot file integrity check failed..."` error.
 - Add [`Verify` function to perform corruption check on WAL contents](https://github.com/etcd-io/etcd/pull/10603).
 - Improve [heartbeat send failure logging](https://github.com/etcd-io/etcd/pull/10663).
+- Support [users with no password](https://github.com/etcd-io/etcd/pull/9817) for reducing security risk introduced by leaked password. The users can only be authenticated with CommonName based auth.
 
 ### Breaking Changes
 

diff --git a/Documentation/dev-guide/api_reference_v3.md b/Documentation/dev-guide/api_reference_v3.md
@@ -246,6 +246,7 @@ Empty field.
 | ----- | ----------- | ---- |
 | name |  | string |
 | password |  | string |
+| options |  | authpb.UserAddOptions |
 
 
 
@@ -1001,6 +1002,15 @@ User is a single entry in the bucket authUsers
 | name |  | bytes |
 | password |  | bytes |
 | roles |  | (slice of) string |
+| options |  | UserAddOptions |
+
+
+
+##### message `UserAddOptions` (auth/authpb/auth.proto)
+
+| Field | Description | Type |
+| ----- | ----------- | ---- |
+| no_password |  | bool |
 
 
 
diff --git a/Documentation/dev-guide/apispec/swagger/rpc.swagger.json b/Documentation/dev-guide/apispec/swagger/rpc.swagger.json
@@ -1219,6 +1219,15 @@
         "READWRITE"
       ]
     },
+    "authpbUserAddOptions": {
+      "type": "object",
+      "properties": {
+        "no_password": {
+          "type": "boolean",
+          "format": "boolean"
+        }
+      }
+    },
     "etcdserverpbAlarmMember": {
       "type": "object",
       "properties": {
@@ -1420,6 +1429,9 @@
         "name": {
           "type": "string"
         },
+        "options": {
+          "$ref": "#/definitions/authpbUserAddOptions"
+        },
         "password": {
           "type": "string"
         }

diff --git a/auth/authpb/auth.pb.go b/auth/authpb/auth.pb.go
diff --git a/auth/authpb/auth.proto b/auth/authpb/auth.proto
@@ -9,11 +9,16 @@ option (gogoproto.unmarshaler_all) = true;
 option (gogoproto.goproto_getters_all) = false;
 option (gogoproto.goproto_enum_prefix_all) = false;
 
+message UserAddOptions {
+  bool no_password = 1;
+};
+
 // User is a single entry in the bucket authUsers
 message User {
   bytes name = 1;
   bytes password = 2;
   repeated string roles = 3;
+  UserAddOptions options = 4;
 }
 
 // Permission is a single entity