Required permissions for watching keys on authorization enabled ETCD cluster
Hi!
I'm having trouble watching etcd keys after authorization has been enabled on my etcd cluster.
Remco returns errors like this:
2023-06-15T22:31:08.947+0000 [ERROR] error: backend=etcdv3 prefix=remco[252942] resource=haproxy message="rpc error: code = PermissionDenied desc = etcdserver: permission denied"
Steps to reproduce:
# run simple local etcd cluster (version 3.5.5)
etcd --log-level=debug &
# create root user with full permissions
etcdctl user add root:root
etcdctl user grant-role root root
# create regular user with read only access
etcdctl user add test:test
etcdctl role add test
etcdctl role grant-permission test read / --prefix
etcdctl user grant-role test test
# enable authorization
etcdctl auth enable
# create remco configuration file
cat > config.toml <<EOF
log_level = "debug"
[default_backends]
[default_backends.etcd]
nodes = ["http://localhost:2379"]
keys = ["/apiv1/key1"]
watch = true
interval = 10
version = 3
username = "test"
password = "test"
[[resource]]
name = "haproxy"
EOF
# remco version
remco -version
remco Version: 0.12.4
UTC Build Time: 2023-06-06-21:59:56
Git Commit Hash: 90b462666110ab9f437a29e4ccf131d6b20616f7+CHANGES
Go Version: go1.20.5
Go OS/Arch: linux/amd64
# run
remco -config config.toml
2023-06-15T23:11:18.068+0000 [INFO] set backend nodes: backend=etcdv3 nodes=["http://localhost:2379"] prefix=remco[280220]
2023-06-15T23:11:18.136+0000 [DEBUG] retrieving keys: backend=etcdv3 key_prefix="" prefix=remco[280220] resource=haproxy
2023-06-15T23:11:18.200+0000 [ERROR] error: backend=etcdv3 prefix=remco[280220] resource=haproxy message="rpc error: code = PermissionDenied desc = etcdserver: permission denied"
When I set watch = false, the error is gone.
Running remco with etcd root permissions also works fine.
Running a watch request with curl (a REST API call going through etcd's gRPC gateway, yes) as the non-privileged user returns no errors:
export TOKEN=$(curl -s http://localhost:2379/v3/auth/authenticate -XPOST -d '{"name":"test","password":"test"}' | jq -r .token)
curl -H "Authorization: $TOKEN" -s http://localhost:2379/v3/watch -X POST -d '{"create_request": {"key":"L2FwaXYxL2tleTE="} }'
Please help me find a solution to this problem.
Same problem here. After a quick search I couldn't quite pinpoint where the problem was coming from. EasyKV creates a request to watch a prefix here. The error comes from here, after this check, but I don't know why etcd is saying we don't have permission.
Hi, you should use a non-empty "prefix" in the backend configuration and the error will be fixed.
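Why the read grant on `/` covers the curl watch but not remco's watch with an empty backend prefix, as an added example (not code from remco, EasyKV or etcd). It assumes the watch is sent as a prefix request on the configured prefix, as the second reply and the `key_prefix=""` log line suggest, and that etcd permits a request only when its key range lies inside a granted range; `keyRange`, `prefixRange`, `singleKey` and `covers` are hypothetical names.

```go
package main

import (
	"bytes"
	"fmt"
)

// keyRange is the half-open interval [Key, End); End == {0} means "no upper bound".
type keyRange struct{ Key, End []byte }
var openEnd = []byte{0}

// prefixRange encodes a prefix request the way etcd v3 clients do: End is the prefix with
// its last byte below 0xff incremented. An empty prefix becomes [\x00, open end): every key.
func prefixRange(prefix string) keyRange {
	if prefix == "" {
		return keyRange{[]byte{0}, openEnd}
	}
	end := []byte(prefix)
	for i := len(end) - 1; i >= 0; i-- {
		if end[i] < 0xff {
			end[i]++
			return keyRange{[]byte(prefix), end[:i+1]}
		}
	}
	return keyRange{[]byte(prefix), openEnd}
}

// singleKey models a one-key request (like the curl watch) as [key, key+"\x00").
func singleKey(key string) keyRange {
	return keyRange{[]byte(key), append([]byte(key), 0)}
}

// covers reports whether the requested range lies entirely inside the grant.
func covers(grant, req keyRange) bool {
	if bytes.Compare(req.Key, grant.Key) < 0 {
		return false
	}
	if bytes.Equal(grant.End, openEnd) {
		return true
	}
	return !bytes.Equal(req.End, openEnd) && bytes.Compare(req.End, grant.End) <= 0
}

func main() {
	grant := prefixRange("/") // etcdctl role grant-permission test read / --prefix
	fmt.Println("single key /apiv1/key1:", covers(grant, singleKey("/apiv1/key1")))
	fmt.Println(`watch prefix "" (all keys):`, covers(grant, prefixRange("")))
	fmt.Println("watch prefix /apiv1:", covers(grant, prefixRange("/apiv1")))
}
```

The empty prefix asks for keys starting at `\x00`, which sorts before `/`, so the request falls outside the `["/", "0")` range the `test` role was granted.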