BnR AIO-SX omits etcd users and auth enabled configuration
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX |
In Progress
|
Low
|
Michel Thebeau [WIND] |
Bug Description
Brief Description
-----------------
Security enabled etcd was added in R5. After restoring the AIO-SX platform from backup, the etcd configuration omits users and auth is not enabled.
Severity
--------
Minor: System/Feature is usable with minor issue
Steps to Reproduce
------------------
1) Complete commissioning of AIO-SX from ISO. Verify user list and auth is enabled using the following method:
sudo bash
port=2379
bind_
client_url="https:/
etcd_
etcd_
etcd_
etcdctl \
--cert-
--key-
--ca-
--endpoint=
user list
# Output:
# apiserver-
# root
etcdctl \
--cert-
--key-
--ca-
--endpoint=
-u root role get guest
# Press enter (no password)
# Output:
# Insufficient credentials
2) Perform Backup procedure (https:/
3) Poweroff the system and install the ISO again
4) Complete the restore operation (https:/
5) Reassert the etcd user list and auth enabled configuration per the method above.
# No users are listed for by the "user list" command
# And instead of "Insufficient credentials", the second command "role get guest" requiring authentication provides "auth: Role guest does not exist."
Expected Behavior
------------------
After restore of AIO-SX, etcd configuration includes users and auth is enabled.
Actual Behavior
----------------
After restore of AIO-SX, etcd configuration omits users and auth enabled.
Reproducibility
---------------
100% reproducible, AIO-SX
System Configuration
-------
AIO-SX
Branch/Pull Time/Commit
-------
Starlingx master, October 27, 2021 (Cengn Stx monolithic build iso 20211027T043000Z)
Last Pass
---------
N/A
Timestamp/Logs
--------------
N/A
Test Activity
-------------
Developer Testing
Workaround
----------
Manually restore users and auth enable:
sudo bash
port=2379
bind_
client_url="https:/
etcd_
etcd_
etcd_
cmds="user add root:sysadmin
user add apiserver-
auth enable"
while read cmd; do
etcdctl \
-
-
-
-
$cmd
done <<<"$cmds"
# Output:
# User root created
# User apiserver-
# Authentication Enabled
Changed in starlingx: | |
assignee: | nobody → Michel Thebeau [WIND] (mthebeau) |
tags: | added: stx.6.0 stx.update |
Changed in starlingx: | |
importance: | Undecided → Medium |
status: | New → Triaged |
It seems to be that the omission of users/roles and auth enable over BnR is due to their being two data-stores - one each for the v2 and v3 API of etcdctl. The etcdctl user/role creation and "auth enable" is run against etcdctl v2 API, while the backup/restore is run using the etcdctl v3 API. An external site explains that a different data-store is used when executing etcdctl using either v2 or v3 APIs. So, we create users/roles and enable auth within the data-store behind v2 API, but we backup and restore the data-store behind the v3 API.
"An etcd 3.x server can understand both version 2 and version 3 APIs but, and it's a huge but, anything you create with clients using one API version will be invisible to clients using the other API version. That's because around the back end, each API routes to a separate data store - they are so different that they are isolated from each other inside the server." - https:/ /www.compose. com/articles/ etcd2to3- new-apis- and-new- possibilities/
Kubernetes keys are stored in the data-store accessed through v3 API for example.
A BnR test with user/role added using v3 API confirms the explanation.