Fixing the etcd unauthorized-access risk with role-based authentication and an HTTPS CA certificate

Published: 2026/6/10 10:48:06

Introduction to the etcd unauthorized-access risk

With no access control on etcd, anyone who can reach the client port can read the node registration information stored in it, for example:

http://IP:2379/v2/keys
http://IP:2379/v2/keys/?recursive=true

The two usual fixes are:

Fix 1: role-based access control (Basic authentication)
Fix 2: CA-certificate-based HTTPS access control (TLS transport)

In short, fix 1 adds a user name and password, after which requests must carry credentials; fix 2 uses a CA certificate to move the endpoints from HTTP to HTTPS, after which clients must present a certificate. The two can be configured together, and they protect different things: TLS with client-certificate verification decides which machines and processes may connect at all, role authentication decides which keys a connected user may read or write.

Role-based access control (Basic authentication)

The commands below use the etcd v2 API (plain etcdctl, without ETCDCTL_API=3), the same API the Patroni etcd section later in this article uses.

```shell
# Create test data
etcdctl set /testkey testvalue

# It can be read straight away, with no credentials
etcdctl ls
etcdctl get testkey

# Create the root user. The v2 client prompts for the password; the prompt
# times out quickly and is only shown once. In this test the password is "root".
etcdctl user add root

# Enable authentication
etcdctl auth enable

# Enabling auth creates two roles, root and guest. Unauthenticated requests run as
# guest, which by default may read and write every key, and guest cannot be
# deleted, so revoke its permissions. Quote '/*': unquoted, the shell expands it
# to the contents of the root directory and the wrong paths are passed.
etcdctl --username root:root role revoke guest --path '/*' --readwrite

# Check the guest role's permissions
etcdctl --username root:root role get guest

# Reading the test data now fails without credentials ...
etcdctl get testkey
# ... and works with them
etcdctl --username root:root get testkey
```

That completes fix 1; it is fairly simple.

CA-certificate-based HTTPS access control (TLS transport)

Download the cfssl tools

cfssl is published at https://github.com/cloudflare/cfssl.

```shell
# x86_64 builds
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

# Make them executable and put them on the PATH
chmod +x cfssl*
cp -v cfssl_linux-amd64 /usr/local/bin/cfssl
cp -v cfssljson_linux-amd64 /usr/local/bin/cfssljson
cp -v cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
ls /usr/local/bin/cfssl*
```

Generate the CA and the etcd certificate

With several nodes, generate the CA on any one of them; the files are copied to the others afterwards.

```shell
mkdir -p /etc/etcd/etcdSSL
cd /etc/etcd/etcdSSL
```

1) Create the CA configuration file ca-config.json. The validity configured here is 100 years (876000h):

```json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "etcd": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "876000h"
      }
    }
  }
}
```

Field notes: ca-config.json can define several profiles, each with its own expiry and usages; a profile is selected with -profile when a certificate is signed. Here a single profile, etcd, serves both the server and the client side. The usages are cfssl's names for X.509 key usages: signing is the digitalSignature key usage, key encipherment the keyEncipherment key usage, and server auth and client auth are the serverAuth and clientAuth extended key usages, so a client can validate the etcd server's certificate against this CA and the server can validate a client's certificate against it. The CA:TRUE constraint of ca.pem comes from the -initca step below, not from this profile. A certificate that expires in 100 years is in practice never rotated; where the procedure can be repeated, a shorter lifetime is the safer choice.

2) Create the CA certificate signing request ca-csr.json:

```json
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "shenzhen",
      "L": "shenzhen",
      "O": "etcd",
      "OU": "System"
    }
  ]
}
```
Field notes: CN (Common Name) is the field etcd (v3 API, with client-certificate authentication enabled) takes from a client certificate as the user name of the request; browsers compare it with the site name. O (Organization) is only descriptive for etcd, which has no groups (Kubernetes is the system that reads O as the group of the user).

3) Generate the CA certificate and private key (ca.pem, ca-key.pem):

```shell
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```

4) Create the etcd certificate signing request etcd-csr.json. hosts must list every address the etcd members listen on or advertise (and their host names, if clients connect by name), because a TLS client rejects a certificate whose SAN list does not contain the address it connected to:

```json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.56.101",
    "192.168.56.102",
    "192.168.56.103"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "shenzhen",
      "L": "shenzhen",
      "O": "etcd",
      "OU": "System"
    }
  ]
}
```

5) Generate the etcd certificate and private key (etcd.pem, etcd-key.pem):

```shell
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
```

Copy the certificate, its key and the CA certificate to the other nodes. ca-key.pem is the CA's signing key and the other nodes do not need it, so copy the three files explicitly rather than *.pem:

```shell
cd /etc/etcd/etcdSSL
scp ca.pem etcd.pem etcd-key.pem 192.168.56.102:/etc/etcd/etcdSSL/
scp ca.pem etcd.pem etcd-key.pem 192.168.56.103:/etc/etcd/etcdSSL/
```
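Before the files leave the signing node, it is worth checking that cfssl produced what the steps above intend. The script below is an added example and not part of the original article or of the cfssl/etcd tooling: it assumes the directory layout and node addresses used above, uses openssl (present on most hosts, not a prerequisite the article names) for the certificate checks, and its function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: sanity checks on the cfssl output
# before it is copied to the other nodes. Paths and addresses are the article's;
# the function names are this example's own. san_missing and key_is_exposed are
# pure shell; verify_etcd_certs also needs openssl on the signing node.
set -u

# $1 is the Subject Alternative Name value as "openssl x509 -text" prints it, e.g.
# "IP Address:127.0.0.1, IP Address:192.168.56.101"; the remaining arguments are the
# addresses etcd listens on or advertises. Prints each address the SAN does not
# cover, one per line, and nothing when all are covered. The comma appended to each
# entry stops 192.168.56.10 from matching 192.168.56.101.
san_missing() {
    san=",$1,"; shift
    for ip in "$@"; do
        case "$san" in
            *"IP Address:$ip,"*) ;;
            *) echo "$ip" ;;
        esac
    done
}

# True when "others" hold any permission bit on the file. A private key should be
# readable by the etcd service user only (mode 0600 or 0400).
key_is_exposed() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# Run all checks on one certificate directory; returns 0 only when all pass.
verify_etcd_certs() {
    dir="$1"; shift; rc=0
    # etcd.pem must chain to ca.pem
    openssl verify -CAfile "$dir/ca.pem" "$dir/etcd.pem" >/dev/null 2>&1 ||
        { echo "FAIL etcd.pem does not verify against ca.pem"; rc=1; }
    # etcd-key.pem must be the private key of etcd.pem: compare the public keys
    [ "$(openssl x509 -in "$dir/etcd.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/etcd-key.pem" -pubout)" ] ||
        { echo "FAIL etcd-key.pem does not match etcd.pem"; rc=1; }
    # every listen/advertise address must appear in the SAN list (the hosts of etcd-csr.json)
    san=$(openssl x509 -in "$dir/etcd.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    miss=$(san_missing "$san" "$@")
    [ -z "$miss" ] || { echo "FAIL SAN does not cover:" $miss; rc=1; }
    # one certificate serves the client and peer listeners and the etcdctl/Patroni
    # client side, so it needs both serverAuth and clientAuth
    eku=$(openssl x509 -in "$dir/etcd.pem" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1)
    case "$eku" in
        *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) ;;
        *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) ;;
        *) echo "FAIL extended key usage lacks serverAuth+clientAuth:$eku"; rc=1 ;;
    esac
    # private keys must not be readable by other users
    for k in ca-key.pem etcd-key.pem; do
        if key_is_exposed "$dir/$k"; then echo "FAIL $k is readable by other users"; rc=1; fi
    done
    return $rc
}

# Usage: sh check_certs.sh /etc/etcd/etcdSSL 127.0.0.1 192.168.56.101 192.168.56.102 192.168.56.103
if [ "$#" -ge 2 ]; then verify_etcd_certs "$@"; fi
```

Run it on the signing node with the directory and every address from the hosts list of etcd-csr.json. Any FAIL line means the certificate would be rejected for one of the addresses, does not belong to its key, lacks one of the two key usages the shared certificate needs, or leaves a private key readable by other users.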
Modify the etcd configuration

The etcd documentation (https://etcd.io/docs/v3.5/op-guide/configuration/) describes two ways to configure the server: command-line flags (or their ETCD_* environment variables), or a configuration file named with --config-file or the ETCD_CONFIG_FILE environment variable. When a configuration file is given, the other flags and environment variables are ignored.

Method 1: put the flags in the etcd systemd service file. Change the IPs and --name for each of the three nodes:

```ini
# vi /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target network-online.target
Wants=network-online.target

[Service]
Type=notify
# Environment=ETCD_UNSUPPORTED_ARCH=arm64   # only for ARM
WorkingDirectory=/var/lib/etcd/
# a KEY=value file, not the YAML file of method 2
EnvironmentFile=-/etc/etcd/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/usr/bin/etcd \
  --name etcd01 \
  --data-dir=/etc/etcd/etcd01 \
  --initial-advertise-peer-urls https://192.168.56.101:2380 \
  --listen-peer-urls https://192.168.56.101:2380 \
  --listen-client-urls https://192.168.56.101:2379,http://127.0.0.1:2379 \
  --advertise-client-urls https://192.168.56.101:2379 \
  --initial-cluster-token etcd-cluster \
  --initial-cluster etcd01=https://192.168.56.101:2380,etcd02=https://192.168.56.102:2380,etcd03=https://192.168.56.103:2380 \
  --initial-cluster-state new \
  --cert-file=/etc/etcd/etcdSSL/etcd.pem \
  --key-file=/etc/etcd/etcdSSL/etcd-key.pem \
  --peer-cert-file=/etc/etcd/etcdSSL/etcd.pem \
  --peer-key-file=/etc/etcd/etcdSSL/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \
  --client-cert-auth \
  --peer-client-cert-auth
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```

The last two flags are the counterpart of client-cert-auth: true in method 2 and are what turns TLS into access control: without them etcd only encrypts the connection, and any client that can reach port 2379 and skips server verification (curl -k) still reads the keyspace. Note also that http://127.0.0.1:2379 stays a plaintext listener that asks for no certificate; every local process can use it, so keep it only if role authentication is enabled as well or the local clients cannot use TLS.

Method 2: the service file passes only --config-file, and every setting is read from the configuration file:

```ini
# vi /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target network-online.target
Wants=network-online.target

[Service]
Type=notify
# Environment=ETCD_UNSUPPORTED_ARCH=arm64   # only for ARM
ExecStart=/usr/bin/etcd --config-file /etc/etcd/etcd.conf
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```

Append the certificate settings below to the existing etcd configuration and change the URL scheme from http to https:

```yaml
# cat /etc/etcd/etcd.conf
name: etcd01
data-dir: /etc/etcd/etcd01
initial-advertise-peer-urls: https://192.168.56.101:2380
listen-peer-urls: https://192.168.56.101:2380
listen-client-urls: https://192.168.56.101:2379,http://127.0.0.1:2379
advertise-client-urls: https://192.168.56.101:2379
initial-cluster-token: dcs-cluster
initial-cluster: etcd01=https://192.168.56.101:2380,etcd02=https://192.168.56.102:2380,etcd03=https://192.168.56.103:2380
# Patroni's etcd section speaks the v2 API, which etcd 3.4 and later disable by default
enable-v2: true
initial-cluster-state: new

#[Security]
client-transport-security:
  cert-file: /etc/etcd/etcdSSL/etcd.pem
  key-file: /etc/etcd/etcdSSL/etcd-key.pem
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/etcdSSL/ca.pem
peer-transport-security:
  cert-file: /etc/etcd/etcdSSL/etcd.pem
  key-file: /etc/etcd/etcdSSL/etcd-key.pem
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/etcdSSL/ca.pem
```

If etcd has already run on these nodes, the existing data directory has to be removed first, on all three nodes. The reason is that the peer URLs of an existing cluster are stored in its membership data and the --initial-* settings are only read when a cluster is bootstrapped, so the change of the peer URLs from http to https is otherwise not picked up. Be clear about what this deletes: the data directory is the whole keyspace, not a cache, so every key (including the Patroni cluster state) and the users and roles of fix 1 are lost, and fix 1 must be repeated afterwards. On a cluster whose data must survive, change the peer URLs with etcdctl member update instead of wiping the directory.

```shell
rm -rf /etc/etcd/etcd0*
```

Then restart the etcd service:

```shell
systemctl daemon-reload
systemctl start etcd
systemctl status etcd
```

That completes fix 2.

Accessing etcd node information

Check the health of the etcd cluster; without the certificates the TLS endpoint cannot be used. The etcdctl v2 default endpoint is http://127.0.0.1:2379, the plaintext loopback listener kept in the configuration above, so point the command at the TLS address explicitly:

```shell
# Without the CA certificate: fails
etcdctl --endpoints https://192.168.56.101:2379 cluster-health

# With the certificates
etcdctl \
  --endpoints https://192.168.56.101:2379 \
  --ca-file /etc/etcd/etcdSSL/ca.pem \
  --cert-file /etc/etcd/etcdSSL/etcd.pem \
  --key-file /etc/etcd/etcdSSL/etcd-key.pem \
  cluster-health
```

With ETCDCTL_API=3 the flag names differ: etcdctl --endpoints=https://192.168.56.101:2379 --cacert=... --cert=... --key=... endpoint health.
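After the restart, the hardened state can be confirmed from two directions: statically, from the method-2 configuration file, and dynamically, by repeating the probe from the risk description against the client port. The script below is an added example and not part of the original article or of etcd's tooling. The sample configuration inside it is a constructed copy of the etcd01 settings above, the function names are this example's own, and its minimal YAML reader handles only the flat keys and the two security sections the file uses, not general YAML.

```shell
#!/bin/sh
# Added example, not from the original article: post-change checks for etcd.
# audit_etcd_conf audits a method-2 style etcd.conf read from stdin; etcd_verdict
# classifies the answer to a plain-HTTP GET /v2/keys probe. sample_conf is a
# constructed copy of the etcd01 settings above, the function names are this
# example's own, and the YAML reader handles only the "key: value" lines and the
# single "section:" nesting level that etcd.conf uses.
set -u
# Flatten the config to "key=value" or "section.key=value", one setting per line.
flatten_conf() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[^ \t]/ {
            key = $0; sub(/:.*/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            if (val == "") { section = key; next }
            section = ""; print key "=" val; next
        }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            print section "." key "=" val
        }'
}
# Value of flattened key $2 in the flattened text $1 (empty when absent).
conf_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }
# One finding per line; prints nothing when every URL is https and both
# transports require client certificates.
audit_etcd_conf() {
    flat=$(flatten_conf)
    for k in listen-client-urls advertise-client-urls listen-peer-urls \
             initial-advertise-peer-urls initial-cluster; do
        v=$(conf_get "$flat" "$k")
        case "$v" in *http://*) echo "WARN $k has a plaintext http:// URL: $v" ;; esac
    done
    for sec in client-transport-security peer-transport-security; do
        for req in cert-file key-file trusted-ca-file; do
            [ -n "$(conf_get "$flat" "$sec.$req")" ] || echo "FAIL $sec.$req is not set"
        done
        [ "$(conf_get "$flat" "$sec.client-cert-auth")" = "true" ] ||
            echo "FAIL $sec.client-cert-auth is not true: certificates are not required"
    done
}
# Constructed sample: the article's method-2 etcd.conf for etcd01, abridged.
sample_conf() {
cat <<'EOF'
listen-peer-urls: https://192.168.56.101:2380
listen-client-urls: https://192.168.56.101:2379,http://127.0.0.1:2379
advertise-client-urls: https://192.168.56.101:2379
initial-cluster: etcd01=https://192.168.56.101:2380,etcd02=https://192.168.56.102:2380
#[Security]
client-transport-security:
  cert-file: /etc/etcd/etcdSSL/etcd.pem
  key-file: /etc/etcd/etcdSSL/etcd-key.pem
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/etcdSSL/ca.pem
peer-transport-security:
  cert-file: /etc/etcd/etcdSSL/etcd.pem
  key-file: /etc/etcd/etcdSSL/etcd-key.pem
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/etcdSSL/ca.pem
EOF
}
# Classify a plain-HTTP GET /v2/keys probe by HTTP status ($1) and body ($2).
# 200 with a keys listing: readable without credentials. 401: role auth is on and
# guest has no rights. 400 "HTTPS server": a Go TLS listener rejected plaintext.
# 000: no HTTP answer (refused, timed out, or the TLS listener dropped plaintext).
etcd_verdict() {
    case "$1" in
        200) case "$2" in
                 *'"node"'*) echo "VULNERABLE: /v2/keys readable without credentials" ;;
                 *)          echo "UNEXPECTED: 200 without a keys listing" ;;
             esac ;;
        401) echo "PROTECTED: authentication required" ;;
        400) case "$2" in
                 *'HTTP request to an HTTPS server'*) echo "PROTECTED: plaintext rejected, TLS required" ;;
                 *) echo "UNEXPECTED: HTTP 400" ;;
             esac ;;
        000) echo "NO-HTTP: refused, timed out, or plaintext dropped by a TLS listener" ;;
        *)   echo "UNEXPECTED: HTTP $1" ;;
    esac
}
# Send the request an attacker would send to host $1, port $2 (default 2379).
probe_etcd() {
    tmp=$(mktemp)
    st=$(curl -s -m 5 -o "$tmp" -w '%{http_code}' \
         "http://$1:${2:-2379}/v2/keys/?recursive=true" 2>/dev/null || true)
    case "$st" in [0-9][0-9][0-9]) ;; *) st=000 ;; esac
    etcd_verdict "$st" "$(cat "$tmp")"
    rm -f "$tmp"
}
# Usage: sh check_etcd.sh /etc/etcd/etcd.conf [node-ip [port]]
if [ "$#" -ge 1 ]; then
    audit_etcd_conf < "$1"
    if [ "$#" -ge 2 ]; then probe_etcd "$2" "${3:-2379}"; fi
fi
```

On the configuration above the audit reports exactly one line, the plaintext http://127.0.0.1:2379 client listener; once that entry is removed the audit is silent, and setting either client-cert-auth to false produces a FAIL line for that transport. The probe reports VULNERABLE only when the port still answers the unauthenticated /v2/keys listing from the risk description; the 401 and 400/000 outcomes correspond to fix 1 and fix 2 respectively.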
Patroni configuration adjustments

In a PostgreSQL + etcd + Patroni high-availability architecture, Patroni has to be adjusted once etcd access control is on. This involves restarting Patroni, and with it the PostgreSQL instance it manages, so it needs a maintenance window.

Fix 1, role-based access control (Basic authentication): add the credentials to the etcd section of the Patroni configuration:

```yaml
etcd:
  username: root
  password: root
```

Fix 2, CA-certificate-based HTTPS (TLS transport): Patroni runs as the postgres user and must be able to read the certificate and key; the section then names the files and switches the protocol:

```shell
chown postgres:postgres /etc/etcd/etcdSSL/*.pem
```

```yaml
etcd:
  protocol: https
  cacert: /etc/etcd/etcdSSL/ca.pem
  cert: /etc/etcd/etcdSSL/etcd.pem
  key: /etc/etcd/etcdSSL/etcd-key.pem
```

This reuses the etcd server certificate as Patroni's client certificate, which hands the server's private key to the postgres user; the cleaner arrangement is a separate client certificate for Patroni, signed with the same etcd profile (it carries client auth). Make sure ca-key.pem is not among the files the chown gives away. The etcd keys of the Patroni configuration file are documented at https://patroni.readthedocs.io/en/latest/yaml_configuration.html#etcd; the etcd3 section takes the same TLS keys for the v3 API.

Check with both user authentication and the certificates enabled:

```shell
etcdctl \
  --endpoints https://192.168.56.101:2379 \
  --ca-file /etc/etcd/etcdSSL/ca.pem \
  --cert-file /etc/etcd/etcdSSL/etcd.pem \
  --key-file /etc/etcd/etcdSSL/etcd-key.pem \
  --username root:root \
  cluster-health
```

References

How etcd works: https://draveness.me/etcd-introduction/
How the Raft protocol works: http://thesecretlivesofdata.com/raft/
Single-node etcd with HTTPS and a self-signed CA: https://cloud.tencent.com/developer/article/1441188
Multi-node etcd with HTTPS and a self-signed CA: https://cloud.tencent.com/developer/article/1441194
etcd configuration parameters: https://github.com/etcd-io/etcd/blob/main/etcd.conf.yml.sample
