Transport security
Between clients and servers:
--cert-file ~/certs/cert_with_chain.crt
--key-file ~/certs/private.key
Between cluster nodes:
--peer-cert-file ~/certs/cert_with_chain.crt
--peer-key-file ~/certs/private.key
Authentication
Between clients and servers:
--trusted-ca-file ~/certs/clients/client-ca.crt
--client-cert-auth
Each client must present its own certificate signed by that CA; otherwise it cannot connect. If these flags are not set, a client can instead use username/password (basic) authentication to connect.
Between cluster nodes:
--peer-trusted-ca-file ~/certs/peers/peer-ca.crt
--peer-client-cert-auth
This means that the cluster nodes need to be able to verify each other's certificates, and present their own for authentication.
For more info, see 1.
User and permission management
etcdctl user list
etcdctl user add username
etcdctl user get username
etcdctl role add myrolename
etcdctl user grant-role username myrolename
etcdctl user revoke-role username old_role
etcdctl role list
etcdctl role grant-permission myrolename read --prefix=true myprefix
etcdctl role grant-permission myrolename write bar
etcdctl role get myrolename
etcdctl role revoke-permission myrolename bar
etcdctl role remove myrolename
For more details see Role-based access control.
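An added example (not etcd's own code) that models the key-range semantics behind the grant-permission commands above, so you can check what a role actually covers before handing it to a user: --prefix=true becomes a half-open range [prefix, prefix+1), a plain key is exact-match only, write does not imply read, and the built-in root role bypasses the checks. Authz, covers and page_example are constructed names for the illustration.

```python
# Model of etcd's role/permission semantics (added example, not etcd's own code)
# for the page's grants:  role grant-permission myrolename read --prefix=true myprefix
#                         role grant-permission myrolename write bar
from collections import defaultdict

def prefix_range_end(prefix: bytes) -> bytes:
    # --prefix=true becomes a half-open range [prefix, end): end is the prefix with its
    # last non-0xff byte incremented; b"\x00" means open-ended (all bytes were 0xff).
    b = bytearray(prefix)
    for i in range(len(b) - 1, -1, -1):
        if b[i] < 0xFF:
            b[i] += 1
            return bytes(b[: i + 1])
    return b"\x00"

def covers(key: bytes, range_end: bytes, wanted: bytes) -> bool:
    # b"" range_end = exact key only; b"\x00" = every key >= key; else [key, range_end)
    if not range_end:
        return wanted == key
    if range_end == b"\x00":
        return wanted >= key
    return key <= wanted < range_end

class Authz:
    def __init__(self):
        self.roles = defaultdict(list)  # role -> [(perm_type, key, range_end)]
        self.users = defaultdict(set)   # user -> {role, ...}

    def grant_permission(self, role, perm_type, key, prefix=False):
        # perm_type is "read", "write" or "readwrite", as in etcdctl
        self.roles[role].append((perm_type, key, prefix_range_end(key) if prefix else b""))

    def grant_role(self, user, role):
        self.users[user].add(role)

    def allowed(self, user, op, key):  # op: "read" or "write"; root bypasses checks
        for role in self.users.get(user, ()):
            if role == "root":
                return True
            for perm_type, k, end in self.roles[role]:
                if perm_type in (op, "readwrite") and covers(k, end, key):
                    return True
        return False

def page_example() -> Authz:  # the page's two grants on a constructed user "username"
    a = Authz()
    a.grant_permission("myrolename", "read", b"myprefix", prefix=True)
    a.grant_permission("myrolename", "write", b"bar")
    a.grant_role("username", "myrolename")
    return a
```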
Current revision number
etcdctl get non-existing-key -w json | jq
{
  "header": {
    "cluster_id": 6634254315728197000,
    "member_id": 4218402821677001000,
    "revision": 427,
    "raft_term": 21
  }
}