A user can configure the ACL of etcd by providing an init-acl config in the config file, (See config.example.yaml for examples).
The ACL config will be applied by the Seeder during provision, and it's ONLY applied once during that period. After that, if a user wants to update the init-acl config, he needs to restart the Seeder, or kill the Seeder and wait for another node to become the Seeder.
Once the init-acl is applied, the etcd authentication will be turned on.
The operator will not turn off the etcd authentication by itself, and after that moment,
only a user with "root" access to the etcd are able to turn it off manually with etcdctl auth disable.
The init-acl config contains 3 parts, rootPassword, roles and users.
The rootPassword is the password for the root user, it's optional.
An etcd client could provide the rootPassword (if it's not empty),
or provide a signed TLS ceritificate with CN = root (if the rootPassword is empty) to authenticate as a root user without password.
The roles section defines a list of roles with their permissions.
The permissions are consist of a list of range keys, mode, whether the key is prefixed.
E.g.
- mode: readwrite
key: /registry
prefix: true
Allows the readwrite permission on all the paths whose prefix is /registry, such as /registry/foo, /registry/bar, etc.
- mode: read
key: /foo1
rangeEnd: /foo5
Allows the read permission on paths from /foo1 to /foo5.
The users section defines a list of users, each user can be assigned to multiple roles.
Optionally, a password can be also set for the user.
Without a password, etcd will checks the client's TLS cert and use the CommonName (CN) to authenticate the user.