Required permissions for watching keys on authorization enabled ETCD cluster #92

Open
ArtemKaba opened this issue Jun 16, 2023 · 2 comments

@ArtemKaba

Hi!

I'm having trouble watching etcd keys after authorization has been enabled on my etcd cluster.

Remco returns errors like this:
2023-06-15T22:31:08.947+0000 [ERROR] error: backend=etcdv3 prefix=remco[252942] resource=haproxy message="rpc error: code = PermissionDenied desc = etcdserver: permission denied"

Steps to reproduce:

# run simple local etcd cluster (version 3.5.5)
etcd --log-level=debug &
# create root user with full permissions
etcdctl user add root:root
etcdctl user grant-role root root
# create regular user with read only access
etcdctl user add test:test
etcdctl role add test
etcdctl role grant-permission test read / --prefix
etcdctl user grant-role test test
# enable authorization
etcdctl auth enable
# create remco configuration file
cat > config.toml <<EOF
log_level   = "debug"

[default_backends]
[default_backends.etcd]
  nodes    = ["http://localhost:2379"]
  keys     = ["/apiv1/key1"]
  watch     = true
  interval  = 10
  version   = 3
  username  = "test"
  password  = "test"

[[resource]]
name = "haproxy"
EOF
# remco version 
remco -version
remco Version: 0.12.4
UTC Build Time: 2023-06-06-21:59:56
Git Commit Hash: 90b462666110ab9f437a29e4ccf131d6b20616f7+CHANGES
Go Version: go1.20.5
Go OS/Arch: linux/amd64
# run
remco -config config.toml
2023-06-15T23:11:18.068+0000 [INFO]  set backend nodes: backend=etcdv3 nodes=["http://localhost:2379"] prefix=remco[280220]
2023-06-15T23:11:18.136+0000 [DEBUG] retrieving keys: backend=etcdv3 key_prefix="" prefix=remco[280220] resource=haproxy
2023-06-15T23:11:18.200+0000 [ERROR] error: backend=etcdv3 prefix=remco[280220] resource=haproxy message="rpc error: code = PermissionDenied desc = etcdserver: permission denied"

When watch = false is set, the error is gone.
Running remco with etcd root permissions also works fine.

Running a watch request with curl (a REST API call going through etcd's gRPC gateway, yes) as a non-privileged user returns no errors:

export TOKEN=$(curl -s http://localhost:2379/v3/auth/authenticate -XPOST -d '{"name":"test","password":"test"}' | jq -r .token)
curl -H "Authorization: $TOKEN" -s http://localhost:2379/v3/watch -X POST -d '{"create_request": {"key":"L2FwaXYxL2tleTE="} }'

Please help me find a solution to this problem.

@bendem

bendem commented Aug 31, 2023

Same problem here, after a quick search I couldn't quite pinpoint where the problem was coming from. EasyKV creates a request to watch a prefix here. The error comes from here, after this check, but I don't know why etcd is saying we don't have permission.

@HeavyHorst HeavyHorst self-assigned this Aug 31, 2023
@ArtemKaba
Author

Hi,
you should use a non-empty "prefix" in the backend configuration and the error will be fixed.
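
The debug log in the report shows `key_prefix=""`, and the resolution above is a non-empty prefix. The Go sketch below is an added example (not remco, EasyKV or etcd code) that models why a role granted `read / --prefix` fails for an empty-prefix watch but passes for `/` or `/apiv1`. It assumes that remco's watch is a prefix watch on the configured prefix and that an empty prefix is sent as the whole keyspace; `keyRange`, `prefixEnd`, `prefixRange`, `unbounded` and `covers` are hypothetical names.

```go
package main

import (
	"bytes"
	"fmt"
)

// keyRange is a half-open interval [begin, end); end == {0} means "no upper bound".
type keyRange struct{ begin, end []byte }

// prefixEnd returns the exclusive end of a prefix: last non-0xff byte incremented.
func prefixEnd(prefix []byte) []byte {
	end := append([]byte(nil), prefix...)
	for i := len(end) - 1; i >= 0; i-- {
		if end[i] < 0xff {
			end[i]++
			return end[:i+1]
		}
	}
	return []byte{0}
}

// prefixRange models a prefix request; assumption: "" is sent as begin = end = {0}.
func prefixRange(prefix string) keyRange {
	if prefix == "" {
		return keyRange{[]byte{0}, []byte{0}}
	}
	return keyRange{[]byte(prefix), prefixEnd([]byte(prefix))}
}

func unbounded(end []byte) bool { return len(end) == 1 && end[0] == 0 }

// covers reports whether every key in req lies inside the granted range.
func covers(granted, req keyRange) bool {
	if bytes.Compare(req.begin, granted.begin) < 0 {
		return false
	}
	if unbounded(granted.end) {
		return true
	}
	return !unbounded(req.end) && bytes.Compare(req.end, granted.end) <= 0
}

func main() {
	granted := prefixRange("/") // models: role grant-permission test read / --prefix
	for _, p := range []string{"", "/", "/apiv1"} {
		fmt.Printf("watch prefix %q allowed=%v\n", p, covers(granted, prefixRange(p)))
	}
}
```

In this model the grant on `/` is the range from `/` up to (not including) `0`, so a request that starts below `/` or has no upper bound falls outside it, while any prefix beginning with `/` stays inside.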
