Authentication of multiple users

[benmccann]

etcd appears currently to allow only authentication using only a single certificate. When starting etcd you can specify -ca-file -cert-file -key-file. I see no mention in the documentation of being able to specify multiple values here, so I assume only one can be provided.

In order to support ACLs we probably need to have multiple users each with their own authentication key.

[efuquen]

Couldn't user management be linked in with how the cluster configs users already work on the OS level with cloud-config, described briefly here: https://coreos.com/docs/cluster-management/setup/cloudinit-cloud-config/#users ?

You would still want etcd to manage it's own users but being able to translate from the cluster users to etcd users via some extra option would be super convenient, with the ability to use the same password and keys for encrypted communication.

It looks like the data for cloud-init isn't stored anywhere, just happening on setup of the cluster, is this true? To make this work the user data would need to be to stored in etcd, in a protected private namespace.

[xiang90]

@benmccann

we have a rfc for security at https://github.com/coreos/etcd/blob/master/Documentation/rfc/api_security.md

the implementation progress will be tracking at #2384.