Outline
This article covers etcd permission management and RBAC (role-based access control) authentication setup; the 风哥 tutorial follows the security sections of the official etcd documentation. Through a hands-on walkthrough, readers learn etcd user management, role assignment and permission control.
Part01 - Basic Concepts and Theory
1.1 The etcd security model
etcd provides a complete security model made up of two parts: authentication and authorization. Authentication verifies a user's identity; authorization controls which resources that user may access. 风哥's tip: in production, etcd authentication must be enabled. To join the study group, contact 风哥 on QQ 113257174.
1.2 How RBAC works
RBAC (Role-Based Access Control) is an access-control mechanism built around roles: permissions are assigned to roles, and roles are assigned to users, giving fine-grained control over who can do what.
Part02 - Production Planning and Recommendations
2.1 Security planning
- Enable TLS for all communication
- Configure RBAC permission control
- Rotate certificates and passwords regularly
- Define a sensible permission policy
2.2 Role design
- admin: all permissions
- write: write permission
- read: read permission only
- guest: minimal permissions
Part03 - Production Implementation Plan
3.1 Enabling authentication
mkdir -p /bigdata/app/etcd/ssl
cd /bigdata/app/etcd/ssl
# Generate the CA certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt -subj "/CN=etcd-ca"
# Generate the etcd server certificate
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=etcd-server"
# Go-based clients such as etcdctl verify the host against subjectAltName, not CN,
# so the server certificate must carry the listen addresses as SAN entries
printf 'subjectAltName=IP:192.168.1.100,IP:127.0.0.1\n' > server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extfile server.ext
# Generate the client certificate
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/CN=etcd-client"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
3.2 Configuring etcd for authentication
# Note: when ETCD_CERT_FILE/ETCD_KEY_FILE (and the peer equivalents) are set, etcd uses
# the supplied certificates and ignores the corresponding *_AUTO_TLS setting
cat > /etc/etcd/etcd.conf << EOF
ETCD_NAME="etcd1"
ETCD_DATA_DIR="/bigdata/fgdata/etcd/data"
ETCD_LISTEN_PEER_URLS="https://192.168.1.100:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.100:2379,https://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.100:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.100:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.100:2380,etcd2=https://192.168.1.101:2380,etcd3=https://192.168.1.102:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_CERT_FILE="/bigdata/app/etcd/ssl/server.crt"
ETCD_KEY_FILE="/bigdata/app/etcd/ssl/server.key"
ETCD_TRUSTED_CA_FILE="/bigdata/app/etcd/ssl/ca.crt"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/bigdata/app/etcd/ssl/server.crt"
ETCD_PEER_KEY_FILE="/bigdata/app/etcd/ssl/server.key"
ETCD_PEER_TRUSTED_CA_FILE="/bigdata/app/etcd/ssl/ca.crt"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_AUTO_TLS="true"
EOF
Part04 - Production Case Study and Hands-on Walkthrough
4.1 Creating users and roles
# Create the root user (etcd requires it to exist before authentication can be enabled)
# Note: users and roles are not enforced until "etcdctl ... auth enable" has been run
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key user add root
Type password again for confirmation:
# Create the admin role
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key role add admin
# Create the write role
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key role add write
# Create the read role
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key role add read
Role write created
Role read created
4.2 Granting permissions
# Grant the admin role read/write access to the whole keyspace.
# --prefix makes a grant cover every key under the given path; without it,
# grant-permission covers only that single key, and the put to /fgedu/test in 4.4 would be denied
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key role grant-permission --prefix=true admin readwrite /
# Grant the write role write access under /fgedu
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key role grant-permission --prefix=true write readwrite /fgedu
# Grant the read role read-only access under /fgedu
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key role grant-permission --prefix=true read readonly /fgedu
Role write updated
Role read updated
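To make the single-key versus prefix distinction from 4.2 concrete, here is an added example (not code from the page or from etcd) that models how etcd v3 evaluates a role's grants against a request: each grant is a key interval, and etcdctl's --prefix derives the interval end the way prefix_end() does. The role names and keys are the page's own; the grant structures are constructed for the example.

```python
# Added example: a model of etcd v3 grant evaluation (not etcd's own code).
# etcd stores each grant as [key, range_end); etcdctl --prefix computes
# range_end by bumping the last byte of the key that is below 0xff.

PERM_TYPES = {"readonly": {"read"}, "writeonly": {"write"},
              "readwrite": {"read", "write"}}


def prefix_end(key: bytes) -> bytes:
    """Range end for a --prefix grant. A key made only of 0xff bytes has no
    representable end; etcd encodes that open end as a single NUL byte."""
    end = bytearray(key)
    for i in range(len(end) - 1, -1, -1):
        if end[i] < 0xFF:
            end[i] += 1
            return bytes(end[:i + 1])
    return b"\x00"


def grant(perm_type: str, key: str, prefix: bool = False) -> dict:
    """One 'role grant-permission' entry; without prefix it covers one key."""
    k = key.encode()
    return {"perms": PERM_TYPES[perm_type], "key": k,
            "end": prefix_end(k) if prefix else None}


def covers(g: dict, key: bytes) -> bool:
    if g["end"] is None:          # single-key grant (no --prefix, no endkey)
        return key == g["key"]
    if g["end"] == b"\x00":       # open-ended interval
        return key >= g["key"]
    return g["key"] <= key < g["end"]


def is_permitted(grants: list, key: str, perm: str) -> bool:
    """True if any grant of the role includes `perm` on `key`."""
    k = key.encode()
    return any(perm in g["perms"] and covers(g, k) for g in grants)


# The page's grants without --prefix: each role covers exactly one key.
ROLES_EXACT = {"admin": [grant("readwrite", "/")],
               "write": [grant("readwrite", "/fgedu")],
               "read":  [grant("readonly", "/fgedu")]}

# The same roles granted with --prefix, which is what the test in 4.4 needs.
ROLES_PREFIX = {"admin": [grant("readwrite", "/", prefix=True)],
                "write": [grant("readwrite", "/fgedu", prefix=True)],
                "read":  [grant("readonly", "/fgedu", prefix=True)]}


def check(roles: dict, role: str, key: str, perm: str) -> bool:
    return is_permitted(roles[role], key, perm)
```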
4.3 Assigning roles to users
# Grant the admin role to the root user
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key user grant-role root admin
# Create an ordinary user and assign a role
# Create the fgedu user
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key user add fgedu
# Grant the write role to the fgedu user
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key user grant-role fgedu write
Password of fgedu:
Type password again for confirmation:
User fgedu updated
4.4 Testing permissions
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key --user=fgedu:password put /fgedu/test "Hello etcd"
etcdctl --endpoints=https://192.168.1.100:2379 --cacert=/bigdata/app/etcd/ssl/ca.crt --cert=/bigdata/app/etcd/ssl/client.crt --key=/bigdata/app/etcd/ssl/client.key --user=fgedu:password get /fgedu/test
Hello etcd
Part05 - 风哥's Experience Summary and Sharing
5.1 Security best practices
- Use strong passwords and certificate authentication
- Follow the principle of least privilege
- Audit the permission configuration regularly
- Enable access logging
5.2 Common problems and solutions
5.3 Balancing performance and security
When configuring etcd security, balance security against performance: an overly strict configuration can hurt performance, so tune it to actual requirements. More tutorials are on the 风哥教程 official account itpux_com.
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reproducing it, cite the source: http://www.fgedu.net.cn/10327.html
