Authentication with etcd 3.3.*

[q-llewellynthomas]

Hi,

I'm running etcd 3.3.27 with docker:

  etcd:
    container_name: etcd
    profiles: ["etcd"]
    image: quay.io/coreos/etcd:v3.3.22
    command:
      /usr/local/bin/etcd
      -name etcd
      -advertise-client-urls http://etcd:2379,http://etcd:4001
      -listen-client-urls http://0.0.0.0:2379,http://0.0.0.0:4001
      -initial-advertise-peer-urls http://etcd:2380
      -listen-peer-urls http://0.0.0.0:2380
      -initial-cluster-token etcd-cluster-1
      -initial-cluster etcd=http://etcd:2380
      -initial-cluster-state new
    ports:
      - "2379:2379"

I can then run exec on the container and enable auth:

docker-compose up
docker exec -it etcd bash

And then

etcdctl user add root
etcdctl auth enable

And it appears that auth is enabled, but if I make a post request to create a token, I get a message saying auth is not enabled:

curl --location 'http://localhost:2379/v3beta/auth/authenticate' \
--header 'Content-Type: application/json' \
--data '{"name": "root", "password": "password"}'

Response:

{
    "error": "etcdserver: authentication is not enabled",
    "code": 9
}

Is there something I'm missing?
I noticed you don't have any instructions on adding auth for 3.3 versions, but only 2.3 and then 3.5.

• 2.3: https://etcd.io/docs/v2.3/authentication/
• 3.5: https://etcd.io/docs/v3.5/op-guide/authentication/authentication/
  Thanks

Llewellyn

[mitake]

hi @q-llewellynthomas

The root user should have the root role, it can be initialized like below:

$ etcdctl role add root
$ etcdctl user root root

But I strongly recommend to use the latest 3.5.x.

[q-llewellynthomas]

@mitake Thanks,

Upgrading will happen, but sadly not anytime soon.

When I create the root user it's automatically got the root role and if if I add it again it says duplicate role added? This is on 3.2 and 3.3

I'm thinking the reason I might have this issues is that when I create the user/add auth it's done on v2 and then the requests are done on V3?

Is this possible? I read that if you do anything on v2 it's not available on v3 api.

when I do etcdctl --version I get:

etcdctl version: 3.3.15
API version: 2

How do I enable api version 3 when I start etcd? I'm on windows.

Thanks

[q-llewellynthomas]

I figured out the solution to my problem:

ETCDCTL_API=3 etcdctl version

Without that and using any version of etcd lower than 3.4 it defaults to version 2 of the API, which has no affect on V3 of the api that our client code is using.

Setting auth with etcdctl on v2, means it's not set on v3 that our client code uses.

[mitake]

Sorry for my late response. Yeah the env var is needed for specifying the API version. v2 and v3 APIs are completely different things so please make sure that you are using the correct one.

[q-llewellynthomas]

Thanks! That was the solution, explicitly running the etcdctl command and setting the version to v3.