*: support creating a user without password

This commit adds a feature for creating a user without password. The purpose of the feature is reducing attack surface by configuring bad passwords (CN based auth will be allowed for the user). The feature can be used with `--no-password` of `etcdctl user add` command. Fix #9590
etcd-io · Jun 13, 2018 · 76a93df · 76a93df
1 parent bb744f6
commit 76a93df
Show file tree

Hide file tree

Showing 11 changed files with 399 additions and 295 deletions.
diff --git a/Documentation/dev-guide/api_reference_v3.md b/Documentation/dev-guide/api_reference_v3.md
@@ -245,6 +245,7 @@ Empty field.
 | ----- | ----------- | ---- |
 | name |  | string |
 | password |  | string |
+| no_password |  | bool |
 
 
 
@@ -945,6 +946,7 @@ User is a single entry in the bucket authUsers
 | name |  | bytes |
 | password |  | bytes |
 | roles |  | (slice of) string |
+| no_password |  | bool |
 
 
 
diff --git a/Documentation/dev-guide/apispec/swagger/rpc.swagger.json b/Documentation/dev-guide/apispec/swagger/rpc.swagger.json
@@ -1393,6 +1393,10 @@
         "name": {
           "type": "string"
         },
+        "no_password": {
+          "type": "boolean",
+          "format": "boolean"
+        },
         "password": {
           "type": "string"
         }

diff --git a/auth/authpb/auth.pb.go b/auth/authpb/auth.pb.go
diff --git a/auth/authpb/auth.proto b/auth/authpb/auth.proto
@@ -14,6 +14,7 @@ message User {
   bytes name = 1;
   bytes password = 2;
   repeated string roles = 3;
+  bool no_password = 4;
 }
 
 // Permission is a single entity

diff --git a/auth/store.go b/auth/store.go
@@ -301,6 +301,10 @@ func (as *authStore) Authenticate(ctx context.Context, username, password string
 		return nil, ErrAuthFailed
 	}
 
+	if user.NoPassword {
+		return nil, ErrAuthFailed
+	}
+
 	// Password checking is already performed in the API layer, so we don't need to check for now.
 	// Staleness of password can be detected with OCC in the API layer, too.
 
@@ -335,6 +339,10 @@ func (as *authStore) CheckPassword(username, password string) (uint64, error) {
 		return 0, ErrAuthFailed
 	}
 
+	if user.NoPassword {
+		return 0, ErrAuthFailed
+	}
+
 	if bcrypt.CompareHashAndPassword(user.Password, []byte(password)) != nil {
 		if as.lg != nil {
 			as.lg.Info("invalid password", zap.String("user-name", username))
@@ -372,18 +380,23 @@ func (as *authStore) UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse,
 		return nil, ErrUserEmpty
 	}
 
-	hashed, err := bcrypt.GenerateFromPassword([]byte(r.Password), as.bcryptCost)
-	if err != nil {
-		if as.lg != nil {
-			as.lg.Warn(
-				"failed to bcrypt hash password",
-				zap.String("user-name", r.Name),
-				zap.Error(err),
-			)
-		} else {
-			plog.Errorf("failed to hash password: %s", err)
+	hashed := make([]byte, 0)
+	var err error
+
+	if !r.NoPassword {
+		hashed, err = bcrypt.GenerateFromPassword([]byte(r.Password), as.bcryptCost)
+		if err != nil {
+			if as.lg != nil {
+				as.lg.Warn(
+					"failed to bcrypt hash password",
+					zap.String("user-name", r.Name),
+					zap.Error(err),
+				)
+			} else {
+				plog.Errorf("failed to hash password: %s", err)
+			}
+			return nil, err
 		}
-		return nil, err
 	}
 
 	tx := as.be.BatchTx()
@@ -396,8 +409,9 @@ func (as *authStore) UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse,
 	}
 
 	newUser := &authpb.User{
-		Name:     []byte(r.Name),
-		Password: hashed,
+		Name:       []byte(r.Name),
+		Password:   hashed,
+		NoPassword: r.NoPassword,
 	}
 
 	putUser(as.lg, tx, newUser)

diff --git a/clientv3/auth.go b/clientv3/auth.go
@@ -61,7 +61,7 @@ type Auth interface {
 	AuthDisable(ctx context.Context) (*AuthDisableResponse, error)
 
 	// UserAdd adds a new user to an etcd cluster.
-	UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)
+	UserAdd(ctx context.Context, name string, password string, noPassword bool) (*AuthUserAddResponse, error)
 
 	// UserDelete deletes a user from an etcd cluster.
 	UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)
@@ -123,8 +123,8 @@ func (auth *authClient) AuthDisable(ctx context.Context) (*AuthDisableResponse,
 	return (*AuthDisableResponse)(resp), toErr(ctx, err)
 }
 
-func (auth *authClient) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {
-	resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password}, auth.callOpts...)
+func (auth *authClient) UserAdd(ctx context.Context, name string, password string, noPassword bool) (*AuthUserAddResponse, error) {
+	resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password, NoPassword: noPassword}, auth.callOpts...)
 	return (*AuthUserAddResponse)(resp), toErr(ctx, err)
 }
 

diff --git a/clientv3/example_auth_test.go b/clientv3/example_auth_test.go
@@ -35,7 +35,7 @@ func ExampleAuth() {
 	if _, err = cli.RoleAdd(context.TODO(), "root"); err != nil {
 		log.Fatal(err)
 	}
-	if _, err = cli.UserAdd(context.TODO(), "root", "123"); err != nil {
+	if _, err = cli.UserAdd(context.TODO(), "root", "123", true); err != nil {
 		log.Fatal(err)
 	}
 	if _, err = cli.UserGrantRole(context.TODO(), "root", "root"); err != nil {
@@ -55,7 +55,7 @@ func ExampleAuth() {
 	); err != nil {
 		log.Fatal(err)
 	}
-	if _, err = cli.UserAdd(context.TODO(), "u", "123"); err != nil {
+	if _, err = cli.UserAdd(context.TODO(), "u", "123", true); err != nil {
 		log.Fatal(err)
 	}
 	if _, err = cli.UserGrantRole(context.TODO(), "u", "r"); err != nil {

diff --git a/etcdctl/ctlv3/command/user_command.go b/etcdctl/ctlv3/command/user_command.go
@@ -48,6 +48,7 @@ func NewUserCommand() *cobra.Command {
 var (
 	passwordInteractive bool
 	passwordFromFlag    string
+	noPassword          bool
 )
 
 func newUserAddCommand() *cobra.Command {
@@ -59,6 +60,7 @@ func newUserAddCommand() *cobra.Command {
 
 	cmd.Flags().BoolVar(&passwordInteractive, "interactive", true, "Read password from stdin instead of interactive terminal")
 	cmd.Flags().StringVar(&passwordFromFlag, "new-user-password", "", "Supply password from the command line flag")
+	cmd.Flags().BoolVar(&noPassword, "no-password", false, "Create a user without password (CN based auth only)")
 
 	return &cmd
 }
@@ -128,28 +130,32 @@ func userAddCommandFunc(cmd *cobra.Command, args []string) {
 	var password string
 	var user string
 
-	if passwordFromFlag != "" {
-		user = args[0]
-		password = passwordFromFlag
-	} else {
-		splitted := strings.SplitN(args[0], ":", 2)
-		if len(splitted) < 2 {
+	if !noPassword {
+		if passwordFromFlag != "" {
 			user = args[0]
-			if !passwordInteractive {
-				fmt.Scanf("%s", &password)
-			} else {
-				password = readPasswordInteractive(args[0])
-			}
+			password = passwordFromFlag
 		} else {
-			user = splitted[0]
-			password = splitted[1]
-			if len(user) == 0 {
-				ExitWithError(ExitBadArgs, fmt.Errorf("empty user name is not allowed."))
+			splitted := strings.SplitN(args[0], ":", 2)
+			if len(splitted) < 2 {
+				user = args[0]
+				if !passwordInteractive {
+					fmt.Scanf("%s", &password)
+				} else {
+					password = readPasswordInteractive(args[0])
+				}
+			} else {
+				user = splitted[0]
+				password = splitted[1]
+				if len(user) == 0 {
+					ExitWithError(ExitBadArgs, fmt.Errorf("empty user name is not allowed."))
+				}
 			}
 		}
+	} else {
+		user = args[0]
 	}
 
-	resp, err := mustClientFromCmd(cmd).Auth.UserAdd(context.TODO(), user, password)
+	resp, err := mustClientFromCmd(cmd).Auth.UserAdd(context.TODO(), user, password, noPassword)
 	if err != nil {
 		ExitWithError(ExitError, err)
 	}