Comments (7)
This duplicates #20. The tl;dr is:
This is a 'by design', GRPC does not allow sending credentials over insecure transports... You can see a tutorial on how to set up etcd with TLS here: https://github.com/kelseyhightower/etcd-production-setup
...
I would emphasize, however, that the cases where you want to use TLS are a superset of cases where you want to use password auth. If you're going over a public network, you definitely want TLS. If you're inside a private VIP you still should use TLS, as it's been demonstrated that there are adversaries capable of intercepting inter and intra-datacenter network traffic.
Let me know if you have any other questions 😄
from etcd3.
Yeah... I know, but I think this is the responsibility of the developer, not of the library, no?
Because we need to do so internally, and with your lib... I just can't... Is there no possibility of seeing that working one day?
from etcd3.
You can raise the issue with grpc, this is a restriction imposed by grpc, not this library.
from etcd3.
For clarity, that throw was added to provide a more verbose alternative over what grpc would otherwise provide if we try to set up password credentials on an insecure channel:
unexpected error: TypeError: Cannot compose insecure credential
    at Object.exports.combineChannelCredentials (/Users/xxx/node_modules/grpc/src/node/src/credentials.js:151:23)
    at getCredentialsFromHost.then.token (/Users/xxx/node_modules/etcd3/lib/src/connection-pool.js:62:41)
    at <anonymous>
from etcd3.
Moreover, with the official tool etcdctl, if I do
ETCDCTL_API=3 etcdctl --user="root:<redacted>" --insecure-transport=true --endpoints=[192.168.X.Y:2379] role list
it works very well, and my server does not support SSL, but username/password works great.
from etcd3.
@reptilbud see the linked issue: the Go grpc library is different from the native implementation used by the Node version and it does not have this check. I have tested and confirmed that the latest version of Node's grpc still does not allow setting credentials on insecure channels (this is the assertion). For example, in the unit tests when removing that throw and adding password auth:
1) roles and auth password auth allows authentication using the correct credentials:
    TypeError: Cannot compose insecure credential
        at Object.exports.combineChannelCredentials (node_modules\grpc\src\node\src\credentials.js:178:23)
        at getCredentialsFromHost.then.token (src\connection-pool.ts:83:35)
Please open an issue on the grpc repo if this is a problem, but, again:
I would emphasize, however, that the cases where you want to use TLS are a superset of cases where you want to use password auth. If you're going over a public network, you definitely want TLS. If you're inside a private VIP you still should use TLS, as it's been demonstrated that there are adversaries capable of intercepting inter and intra-datacenter network traffic.
Not using TLS with password auth is asking for a breach.
from etcd3.
I created a pull request for that, if you want to have a look at it.
If you don't want this feature, please let me know so I can publish it independently of your repo.
Thanks a lot for your time.
Cheers
from etcd3.
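The restriction discussed in this thread (no password credentials over a plaintext channel) can be checked in configuration before a client is ever constructed. The following is an added example, not code from the thread or from etcd3; the function names and the { hosts, auth } option shape are assumptions for illustration, and the sample hosts are constructed. It only flags the password-over-plaintext case the thread is about.

```javascript
// Added example: pre-flight check for an etcd client configuration.
// checkEtcdAuthTransport and the { hosts, auth } shape are hypothetical,
// chosen for this sketch; they are not the etcd3 library's API.

// Normalise an endpoint; a bare "host:port" is treated as plaintext http.
function parseEndpoint(endpoint) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(endpoint)
    ? endpoint
    : `http://${endpoint}`;
  const url = new URL(withScheme); // throws on malformed input
  return { endpoint, host: url.hostname, tls: url.protocol === 'https:' };
}

// Returns a list of findings; an empty list means no problem was detected.
function checkEtcdAuthTransport(options) {
  const hosts = [].concat(options.hosts || []);
  const findings = [];
  if (hosts.length === 0) findings.push('no endpoints configured');
  const parsed = [];
  for (const h of hosts) {
    try {
      parsed.push(parseEndpoint(h));
    } catch {
      findings.push(`unparseable endpoint: ${h}`);
    }
  }
  const plaintext = parsed.filter((p) => !p.tls);
  const hasPassword = Boolean(options.auth && options.auth.password);
  if (hasPassword) {
    for (const p of plaintext) {
      findings.push(`password auth would be sent in cleartext to ${p.endpoint}`);
    }
  }
  // A pool that mixes schemes can silently fall back to a plaintext member.
  if (plaintext.length > 0 && plaintext.length < parsed.length) {
    findings.push('mixed TLS and plaintext endpoints in one pool');
  }
  return findings;
}

// Constructed sample configurations (documentation addresses, dummy password).
const samples = {
  weak: { hosts: ['192.0.2.10:2379'], auth: { username: 'root', password: 'x' } },
  mixed: { hosts: ['https://etcd-a.example:2379', 'http://etcd-b.example:2379'],
           auth: { username: 'root', password: 'x' } },
  ok: { hosts: 'https://etcd-a.example:2379', auth: { username: 'root', password: 'x' } },
};
for (const [name, cfg] of Object.entries(samples)) {
  console.log(name, checkEtcdAuthTransport(cfg));
}
```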