# Cluster health check over mutual TLS: each endpoint must be reachable and able to commit a proposal.
# NOTE(review): the server's own key pair (server.pem / server-key.pem) is reused as the client identity;
# a dedicated client certificate would keep the server private key off administrator hosts — confirm intent.
/opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" endpoint health
集群健康则显示:
https://node3.local:2379 is healthy: successfully committed proposal: took = 23.967506ms
https://node1.local:2379 is healthy: successfully committed proposal: took = 36.438089ms
https://node2.local:2379 is healthy: successfully committed proposal: took = 36.013216ms
7.2. 查看集群节点列表
true 代表 leader,由其负责处理客户端请求信息
# Per-endpoint status table; the boolean leader column identifies the current leader.
/opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" endpoint status
[root@node2 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" put /name "first"
OK
[root@node2 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" put /name "second"
OK
10.128.170.133 监控界面便打印出修改记录:
[root@node3 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" watch /name
PUT
/name
first
PUT
/name
second
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" user add root
Password of root:
Type password of root again for confirmation:
User root created
赋予 root 用户 root 角色
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" user grant-role root root
Role root is granted to user root
11.2. 查看 root 用户详情
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" user get root
User: root
Roles: root
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster user add server
Password of server:
Type password of server again for confirmation:
User server created
查看用户列表和 server 用户详情
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster user list
root
server
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster user get server
User: server
Roles:
11.5. 创建角色
(内置的 root 角色无法通过 role list 查看,我们可以创建名字同样为 root 的角色,但是后续为 user 赋予 root 角色时,将使用自定义的 root 角色,而不是内置的 root 角色)
创建 server 角色
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster role add server
Role server created
查看角色列表和 server 角色详情(新创建的角色没有任何权限)
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster role list
server
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster role get server
Role server
KV Read:
KV Write:
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster role grant-permission server readwrite /hello --prefix=true
Role server updated
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster role get server
Role server
KV Read:
[/hello, /hellp) (prefix /hello)
KV Write:
[/hello, /hellp) (prefix /hello)
给 server 角色赋予键 /hello 目录读写操作权限(注意:etcd 的键空间是扁平的,/hello/* 中的 * 是普通字符而非通配符,此处实际授予的是以 /hello/* 为前缀的键,可从下方 role get 输出的区间 [/hello/*, /hello/+) 看出;若要覆盖 /hello/ 下的所有键,应以 /hello/ 作为前缀)
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster role grant-permission server readwrite /hello/* --prefix=true
Role server updated
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster role get server
Role server
KV Read:
[/hello, /hellp) (prefix /hello)
[/hello/*, /hello/+) (prefix /hello/*)
KV Write:
[/hello, /hellp) (prefix /hello)
[/hello/*, /hello/+) (prefix /hello/*)
11.7. 赋予用户角色
赋予 server 用户 server 角色
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster user grant-role server server
Role server is granted to user server
[root@node1 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster user get server
User: server
Roles: server
11.8. 测试 server 用户权限
[root@node3 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster put /hello world
OK
[root@node3 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=root:cluster put /name wylu
OK
[root@node3 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=server:cluster get /hello
/hello
world
[root@node3 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=server:cluster get /wylu
{"level":"warn","ts":"2023-01-06T14:31:02.431+0800","logger":"etcd-client","caller":"v3@v3.5.6/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000558540/node1.local:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}
Error: etcdserver: permission denied
11.8.1. 不添加用户密码参数
提示错误:
[root@node3 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" get /hello
{"level":"warn","ts":"2023-01-06T14:32:37.153+0800","logger":"etcd-client","caller":"v3@v3.5.6/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00034a380/node1.local:2379","attempt":0,"error":"rpc error: code = InvalidArgument desc = etcdserver: user name is empty"}
Error: etcdserver: user name is empty
11.8.2. 添加用户密码参数
(以 --user=用户名:密码 的形式传入时,密码会留在命令行参数和 shell 历史中,本机其他用户可通过进程列表看到;只写 --user=用户名 时 etcdctl 会交互式提示输入密码)
[root@node3 ~]# /opt/etcd-v3.5.6-linux-amd64/bin/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem --endpoints="https://node1.local:2379,https://node2.local:2379,https://node3.local:2379" --user=server:cluster get /hello
/hello
world