[Feature]: It is necessary to add authentication to external etcd #28895

Open
ViokingTung opened this issue Dec 1, 2023 · 13 comments
Labels
kind/feature Issues related to feature request from users


@ViokingTung

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe.

I deployed Milvus using Helm (CPU). When I enable RBAC auth on the external etcd, Milvus cannot connect to it, because the service configuration only has two parameters: externalEtcd.enabled and externalEtcd.endpoints.

Describe the solution you'd like.

The configuration needs some additional parameters, like this:

###################################
# External etcd
# - these configs are only used when `externalEtcd.enabled` is true
###################################
externalEtcd:
  enabled: true
  endpoints:
    # host or ip e.g. http://172.20.148.99:2379
    - http://etcd.etcd.svc.cluster.local:2379
  # -- user for external etcd.
  user: root
  # -- if externalEtcd.existingSecret is empty, externalEtcd.password is the password for external etcd.
  password: "your-etcd-password"
  # -- externalEtcd.existingSecret is the name of secret containing the external etcd password
  existingSecret: ""
  # -- externalEtcd.secretPasswordKey Key inside the secret containing the external etcd password
  secretPasswordKey: "etcd-root-password"

Describe an alternate solution.

Using Milvus's internal etcd, or disabling auth on the external etcd, Milvus works well for now.

Anything else? (Additional Context)

No response

@ViokingTung ViokingTung added the kind/feature Issues related to feature request from users label Dec 1, 2023
@xiaofan-luan
Contributor

/assign @PowderLi

@haorenfsa
Contributor

@PowderLi Will TLS endpoints be supported as well?

@PowderLi
Contributor

> @PowderLi Will TLS endpoints be supported as well?

you can find more in #20868

@PowderLi
Contributor

PowderLi commented Mar 1, 2024

add configuration items like this:

etcd:
    auth:
         enable: true
         userName:
         password:

/unassign

@ViokingTung
Author

> add configuration items like this:
>
> etcd:
>     auth:
>          enable: true
>          userName:
>          password:
>
> /unassign

What about externalEtcd? How do I add auth?

@PowderLi
Contributor

PowderLi commented Mar 1, 2024

> > add configuration items like this:
> >
> > etcd:
> >     auth:
> >          enable: true
> >          userName:
> >          password:
> >
> > /unassign
>
> What about externalEtcd? How do I add auth?

Do you mean how to deploy with Helm?

@PowderLi
Contributor

PowderLi commented Mar 1, 2024

update extraConfigFiles in your values.yaml
https://github.com/zilliztech/milvus-helm/blob/master/charts/milvus/values.yaml#L47

@ViokingTung
Author

ViokingTung commented Mar 1, 2024

> > > add configuration items like this:
> > >
> > > etcd:
> > >     auth:
> > >          enable: true
> > >          userName:
> > >          password:
> > >
> > > /unassign
> >
> > What about externalEtcd? How do I add auth?
>
> Do you mean how to deploy with Helm?

Yep, I deployed with the Helm charts. It still does not recognize the username and password.

rpc error: code = InvalidArgument desc = etcdserver: user name is empty

My config looks like this:

extraConfigFiles:
  user.yaml: |+
    common:
      security:
        authorizationEnabled: true
    etcd:
      auth:
         enable: true
         userName: etcdusername
         password: etcdpwd
........
externalEtcd:
  enabled: true
  endpoints:
    - http://etcd.etcd.svc.cluster.local:2379

@PowderLi
Contributor

PowderLi commented Mar 1, 2024

maybe you forgot to update etcd.rbac.enable: true, just try it
https://github.com/zilliztech/milvus-helm/blob/master/charts/milvus/values.yaml#L555

if it still fails, please upload etcd's log and related logs

@ViokingTung
Author

ViokingTung commented Mar 1, 2024

> maybe you forgot to update etcd.rbac.enable: true, just try it
> https://github.com/zilliztech/milvus-helm/blob/master/charts/milvus/values.yaml#L555
>
> if it still fails, please upload etcd's log and related logs

My external etcd works well (RBAC enabled); this was verified with another program.
etcd log when Milvus is connecting:

2024-03-01T10:19:55.551954935+08:00 {"level":"warn","ts":"2024-03-01T02:19:55.551697Z","caller":"etcdserver/util.go:170","msg":"apply request took too long","took":"311.635946ms","expected-duration":"100ms","prefix":"read-only range ","request":"key:\"health\" ","response":"","error":"auth: user name is empty"}

My key etcd config:

image:
  registry: docker.io
  repository: bitnami/etcd
  tag: 3.5.10-debian-11-r2
........
replicaCount: 5
........
auth:
  ## Role-based access control parameters
  ## ref: https://etcd.io/docs/current/op-guide/authentication/
  ##
  rbac:
    ## @param auth.rbac.create Switch to enable RBAC authentication
    ##
    create: true
    ## @param auth.rbac.allowNoneAuthentication Allow to use etcd without configuring RBAC authentication
    ##
    allowNoneAuthentication: true
    ## @param auth.rbac.rootPassword Root user password. The root user is always `root`
    ##
    rootPassword: "etcdpwd"
    

k8s milvus default.yaml

etcd:
  endpoints:
    - http://etcd.etcd.svc.cluster.local:2379

metastore:
  type: etcd

k8s milvus user.yaml

common:
  security:
    authorizationEnabled: true
etcd:
  auth:
     enable: true
     userName: etcdusernmae
     password: etcdpwd
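
Added example (not part of the original thread, and not Milvus or etcd project code): a Python check that scans etcd server log lines in the format quoted above and counts requests rejected because the client sent no user name, the symptom of a client that is not passing its configured credentials. Function names are hypothetical, and every sample line except the first is constructed for illustration.

```python
import json
from collections import Counter

# Error strings that appear in this thread when a client sends no credentials.
NO_USER_ERRORS = ("auth: user name is empty", "etcdserver: user name is empty")


def parse_line(line):
    """Split '<runtime timestamp> {json}' into (timestamp, record), or None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        record = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    return line[:start].strip(), record


def unauthenticated_requests(lines):
    """Count requests rejected for a missing user name, keyed by request string."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a structured etcd log line
        _, record = parsed
        if record.get("error") in NO_USER_ERRORS:
            hits[record.get("request", "").strip()] += 1
    return hits


SAMPLE_LOG = [
    # Log line quoted in the thread.
    r'2024-03-01T10:19:55.551954935+08:00 {"level":"warn","ts":"2024-03-01T02:19:55.551697Z","caller":"etcdserver/util.go:170","msg":"apply request took too long","took":"311.635946ms","expected-duration":"100ms","prefix":"read-only range ","request":"key:\"health\" ","response":"","error":"auth: user name is empty"}',
    # Constructed lines: a repeat, a different key, a line without an error, and noise.
    r'2024-03-01T10:20:05.000000000+08:00 {"level":"warn","request":"key:\"health\" ","error":"auth: user name is empty"}',
    r'2024-03-01T10:20:06.000000000+08:00 {"level":"warn","request":"key:\"example/key\" ","error":"auth: user name is empty"}',
    r'2024-03-01T10:20:07.000000000+08:00 {"level":"info","msg":"constructed sample line"}',
    "plain text line that is not JSON",
]

if __name__ == "__main__":
    for request, count in unauthenticated_requests(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {request}")
```

A non-empty result while the client configuration sets `etcd.auth.userName` means the credentials are not reaching etcd.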

@PowderLi
Contributor

PowderLi commented Mar 1, 2024

sorry, I'm not good at answering such questions: etcd's warning log may be related to the network
you can find more useful information in k3s-io/k3s#9207

did milvus run well? any ERROR/WARN log?

@ViokingTung
Author

> sorry, I'm not good at answering such questions: etcd's warning log may be related to the network
> you can find more useful information in k3s-io/k3s#9207
>
> did milvus run well? any ERROR/WARN log?

Thank you for your many thoughtful answers. I think it is caused by Milvus connecting to etcd incorrectly; maybe there is a little bug. I will wait for someone who has the same issue and finds a way to solve this problem. Thanks for your work.

@ViokingTung
Author

ViokingTung commented Mar 1, 2024

@PowderLi hi, I found the problem: no matter whether etcd.rbac.enable is true or false, the etcd authentication is in fact still off, so you got a wrong test result. This is a bug.
