Etcd: Ability to create users without a password

Created on 19 Apr 2018 · 7 Comments · Source: etcd-io/etcd

It would be useful to be able to create a user which does not have a password. Having attempted it via etcdctl, the v2 and v3 APIs, this does not currently seem possible.

Since one of the options for authentication is via Client Certificate CN, a password is not strictly necessary even for the root user. It would be nice if you could:

  • create a user via API with an empty string for a password
  • create a user via etcdctl with a flag like --nopass so it didn't prompt you for one (useful for scripted setup of a cluster)

All 7 comments

/cc @mitake

@crielly what is the use case of empty password users? I want to understand your motivation.

@mitake Kubernetes. All auth to the etcd cluster will be done via client certificate; a password is just unnecessary attack surface for this situation. Additionally, it forces you to create users via the v3 API if you want cluster standup to be automated, since etcdctl will prompt for a password rather than accepting it as a flag (or a --nopass flag).

@crielly I understood your motivation. So the user with no password shouldn't allow password based auth, right? I'll work on it when I can allocate time (probably this week).

@crielly BTW, just not enabling auth isn't suitable for your use case?

@mitake Yeah, ideally you would be able to create a user without ever supplying a password, which would effectively also disable password authentication for that user.

No, no-auth is not an option. Etcd is effectively a backdoor into kubernetes without authorization.

I can start working on this after merging https://github.com/coreos/etcd/pull/9730
