
Comments (7)

connor4312 commented on August 26, 2024

This duplicates #20. The tl;dr is:

This is a 'by design', GRPC does not allow sending credentials over insecure transports... You can see a tutorial on how to set up etcd with TLS here: https://github.com/kelseyhightower/etcd-production-setup

...

I would emphasize, however, that the cases where you want to use TLS are a superset of cases where you want to use password auth. If you're going over a public network, you definitely want TLS. If you're inside a private VIP you still should use TLS, as it's been demonstrated that there are adversaries capable of intercepting inter and intra-datacenter network traffic.

Let me know if you have any other questions 😄

from etcd3.

srz09 commented on August 26, 2024

Yeah... I know, but I think this is the responsibility of the developer, not of the library, no?
Because we need to do so internally and with your lib... I just can't... Is there no possibility to see that working one day?


connor4312 commented on August 26, 2024

You can raise the issue with grpc, this is a restriction imposed by grpc, not this library.


connor4312 commented on August 26, 2024

For clarity, that throw was added to provide a more verbose alternative over what grpc would otherwise provide if we try to set up password credentials on an insecure channel:

unexpected error:  TypeError: Cannot compose insecure credential
    at Object.exports.combineChannelCredentials (/Users/xxx/node_modules/grpc/src/node/src/credentials.js:151:23)
    at getCredentialsFromHost.then.token (/Users/xxx/node_modules/etcd3/lib/src/connection-pool.js:62:41)
    at <anonymous


srz09 commented on August 26, 2024

Moreover, with the official tool etcdctl, if I do

ETCDCTL_API=3 etcdctl --user="root:<redacted>" --insecure-transport=true --endpoints=[192.168.X.Y:2379] role list

it works very well; my server does not support SSL, but username/password works great.


connor4312 commented on August 26, 2024

@reptilbud see the linked issue: the Go grpc library is different from the native implementation used by the Node version and it does not have this check. I have tested and confirmed that the latest version of Node's grpc still does not allow setting credentials on insecure channels (this is the assertion). For example, in the unit tests when removing that throw and adding password auth:

  1) roles and auth password auth allows authentication using the correct credentials:
     TypeError: Cannot compose insecure credential
      at Object.exports.combineChannelCredentials (node_modules\grpc\src\node\src\credentials.js:178:23)
      at getCredentialsFromHost.then.token (src\connection-pool.ts:83:35)

Please open an issue on the grpc repo if this is a problem, but, again:

I would emphasize, however, that the cases where you want to use TLS are a superset of cases where you want to use password auth. If you're going over a public network, you definitely want TLS. If you're inside a private VIP you still should use TLS, as it's been demonstrated that there are adversaries capable of intercepting inter and intra-datacenter network traffic.

Not using TLS with password auth is asking for a breach.

from etcd3.
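The kind of pre-flight check the comment above refers to, failing early with a descriptive message instead of grpc's `Cannot compose insecure credential`, written here as an added example that is not etcd3's or grpc's own code. The option names (`hosts`, `auth`, `credentials.rootCertificate`), the function names and all sample values are assumptions made for illustration.

```javascript
'use strict';

// Return the URL scheme of an endpoint, or 'none' for a bare host:port.
function endpointScheme(host) {
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(host);
  return m ? m[1].toLowerCase() : 'none';
}

// Collect every reason a password would travel in cleartext.
// `options` uses a hypothetical shape: { hosts, auth, credentials }.
function checkAuthTransport(options) {
  const problems = [];
  const hasAuth = Boolean(options.auth && options.auth.username);
  if (!hasAuth) return problems; // no password configured, nothing to check here

  const hasTls = Boolean(options.credentials && options.credentials.rootCertificate);
  if (!hasTls) {
    problems.push('auth is set but no TLS credentials are configured');
  }
  // Even with TLS material present, an explicit http:// endpoint is a misconfiguration.
  for (const host of [].concat(options.hosts || [])) {
    if (endpointScheme(host) === 'http') {
      problems.push(`endpoint ${host} uses plaintext http`);
    }
  }
  return problems;
}

// Throw one descriptive error before any credential is composed.
function assertAuthOverTls(options) {
  const problems = checkAuthTransport(options);
  if (problems.length > 0) {
    throw new Error(
      'Refusing to send password credentials over an insecure channel: ' +
      problems.join('; '));
  }
  return true;
}

// Constructed sample configurations (addresses and secrets are placeholders).
const AUTH = { username: 'root', password: 'example-password' };
const TLS = { rootCertificate: 'constructed-placeholder-ca-pem' };
const INSECURE = { hosts: ['http://10.0.0.5:2379'], auth: AUTH };
const SECURE = { hosts: 'https://10.0.0.5:2379', auth: AUTH, credentials: TLS };
const MIXED = { hosts: ['https://10.0.0.5:2379', 'http://10.0.0.6:2379'],
                auth: AUTH, credentials: TLS };
```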

srz09 commented on August 26, 2024

I created a pull request for that, if you want to have a look at it.
If you don't want this feature, please let me know so that I can publish it independently of your repo.
Thanks a lot for your time.
Cheers

