Feature(deploy): support etcd authentication.

Signed-off-by: wanghai01 <[email protected]>

Author: Wine93

cli/command/deploy.go

@@ -44,6 +44,7 @@ const (
 	CREATE_CONTAINER           = playbook.CREATE_CONTAINER
 	SYNC_CONFIG                = playbook.SYNC_CONFIG
 	START_ETCD                 = playbook.START_ETCD
+	ENABLE_ETCD_AUTH           = playbook.ENABLE_ETCD_AUTH
 	START_MDS                  = playbook.START_MDS
 	CREATE_PHYSICAL_POOL       = playbook.CREATE_PHYSICAL_POOL
 	START_CHUNKSERVER          = playbook.START_CHUNKSERVER
@@ -66,6 +67,7 @@ var (
 		CREATE_CONTAINER,
 		SYNC_CONFIG,
 		START_ETCD,
+		ENABLE_ETCD_AUTH,
 		START_MDS,
 		CREATE_PHYSICAL_POOL,
 		START_CHUNKSERVER,
@@ -80,13 +82,15 @@ var (
 		CREATE_CONTAINER,
 		SYNC_CONFIG,
 		START_ETCD,
+		ENABLE_ETCD_AUTH,
 		START_MDS,
 		CREATE_LOGICAL_POOL,
 		START_METASERVER,
 	}
 
 	DEPLOY_FILTER_ROLE = map[int]string{
 		START_ETCD:           ROLE_ETCD,
+		ENABLE_ETCD_AUTH:     ROLE_ETCD,
 		START_MDS:            ROLE_MDS,
 		START_CHUNKSERVER:    ROLE_CHUNKSERVER,
 		START_SNAPSHOTCLONE:  ROLE_SNAPSHOTCLONE,
@@ -100,6 +104,7 @@ var (
 		CREATE_PHYSICAL_POOL: 1,
 		CREATE_LOGICAL_POOL:  1,
 		BALANCE_LEADER:       1,
+		ENABLE_ETCD_AUTH:     1,
 	}
 
 	CAN_SKIP_ROLES = []string{
@@ -162,11 +167,12 @@ func skipServiceRole(deployConfigs []*topology.DeployConfig, options deployOptio
 	return dcs
 }
 
-func skipDeploySteps(deploySteps []int, options deployOptions) []int {
+func skipDeploySteps(dcs []*topology.DeployConfig, deploySteps []int, options deployOptions) []int {
 	steps := []int{}
 	skipped := utils.Slice2Map(options.skip)
 	for _, step := range deploySteps {
-		if step == START_SNAPSHOTCLONE && skipped[ROLE_SNAPSHOTCLONE] {
+		if (step == START_SNAPSHOTCLONE && skipped[ROLE_SNAPSHOTCLONE]) ||
+			(step == ENABLE_ETCD_AUTH && len(dcs) > 0 && !dcs[0].GetEtcdAuthEnable()) {
 			continue
 		}
 		steps = append(steps, step)
@@ -220,7 +226,7 @@ func genDeployPlaybook(curveadm *cli.CurveAdm,
 	} else {
 		steps = CURVEFS_DEPLOY_STEPS
 	}
-	steps = skipDeploySteps(steps, options)
+	steps = skipDeploySteps(dcs, steps, options)
 	poolset := configure.Poolset{
 		Name: options.poolset,
 		Type: options.poolsetDiskType,

internal/configure/topology/dc_get.go

@@ -143,6 +143,9 @@ func (dc *DeployConfig) GetS3Address() string        { return dc.getString(CONFI
 func (dc *DeployConfig) GetS3BucketName() string     { return dc.getString(CONFIG_S3_BUCKET_NAME) }
 func (dc *DeployConfig) GetEnableRDMA() bool         { return dc.getBool(CONFIG_ENABLE_RDMA) }
 func (dc *DeployConfig) GetEnableRenameAt2() bool    { return dc.getBool(CONFIG_ENABLE_RENAMEAT2) }
+func (dc *DeployConfig) GetEtcdAuthEnable() bool     { return dc.getBool(CONFIG_ETCD_AUTH_ENABLE) }
+func (dc *DeployConfig) GetEtcdAuthUsername() string { return dc.getString(CONFIG_ETCD_AUTH_USERNAME) }
+func (dc *DeployConfig) GetEtcdAuthPassword() string { return dc.getString(CONFIG_ETCD_AUTH_PASSWORD) }
 func (dc *DeployConfig) GetEnableChunkfilePool() bool {
 	return dc.getBool(CONFIG_ENABLE_CHUNKFILE_POOL)
 }

internal/configure/topology/dc_item.go

@@ -283,6 +283,27 @@ var (
 		true,
 		nil,
 	)
+
+	CONFIG_ETCD_AUTH_ENABLE = itemset.insert(
+		"etcd.auth.enable",
+		REQUIRE_BOOL,
+		false,
+		false,
+	)
+
+	CONFIG_ETCD_AUTH_USERNAME = itemset.insert(
+		"etcd.auth.username",
+		REQUIRE_STRING,
+		false,
+		nil,
+	)
+
+	CONFIG_ETCD_AUTH_PASSWORD = itemset.insert(
+		"etcd.auth.password",
+		REQUIRE_STRING,
+		false,
+		nil,
+	)
 )
 
 func (i *item) Key() string {

internal/errno/errno.go

@@ -377,6 +377,7 @@ var (
 	ERR_INVALID_DEVICE_USAGE                 = EC(410020, "invalid device usage")
 	ERR_ENCRYPT_FILE_FAILED                  = EC(410021, "encrypt file failed")
 	ERR_CLIENT_ID_NOT_FOUND                  = EC(410022, "client id not found")
+	ERR_ENABLE_ETCD_AUTH_FAILED              = EC(410023, "enable etcd auth failed")
 
 	// 420: common (curvebs client)
 	ERR_VOLUME_ALREADY_MAPPED             = EC(420000, "volume already mapped")

internal/playbook/factory.go

@@ -58,6 +58,7 @@ const (
 	SYNC_CONFIG
 	START_SERVICE
 	START_ETCD
+	ENABLE_ETCD_AUTH
 	START_MDS
 	START_CHUNKSERVER
 	START_SNAPSHOTCLONE
@@ -196,6 +197,8 @@ func (p *Playbook) createTasks(step *PlaybookStep) (*tasks.Tasks, error) {
 			START_SNAPSHOTCLONE,
 			START_METASERVER:
 			t, err = comm.NewStartServiceTask(curveadm, config.GetDC(i))
+		case ENABLE_ETCD_AUTH:
+			t, err = comm.NewEnableEtcdAuthTask(curveadm, config.GetDC(i))
 		case STOP_SERVICE:
 			t, err = comm.NewStopServiceTask(curveadm, config.GetDC(i))
 		case RESTART_SERVICE:

internal/task/scripts/enable_etcd_auth.go

@@ -0,0 +1,50 @@
+/*
+*  Copyright (c) 2023 NetEase Inc.
+*
+*  Licensed under the Apache License, Version 2.0 (the "License");
+*  you may not use this file except in compliance with the License.
+*  You may obtain a copy of the License at
+*
+*      http://www.apache.org/licenses/LICENSE-2.0
+*
+*  Unless required by applicable law or agreed to in writing, software
+*  distributed under the License is distributed on an "AS IS" BASIS,
+*  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+*  See the License for the specific language governing permissions and
+*  limitations under the License.
+*/
+
+/*
+* Project: Curveadm
+* Created Date: 2023-08-02
+* Author: wanghai (SeanHai)
+*/
+
+package scripts
+
+var ENABLE_ETCD_AUTH = `
+#!/usr/bin/env bash
+
+if [ $# -ne 3 ]; then
+  echo "Usage: $0 endpoints username password"
+  exit 1
+fi
+
+endpoints=$1
+username=$2
+password=$3
+root_user=root
+
+# create root user
+etcdctl --endpoints=${endpoints} user add ${root_user}:${password} && \
+etcdctl --endpoints=${endpoints} user grant-role ${root_user} root || exit 1
+
+# create user if not root
+if [ "${username}" != "${root_user}" ]; then
+  etcdctl --endpoints=${endpoints} user add ${username}:${password} && \
+  etcdctl --endpoints=${endpoints} user grant-role ${username} root || exit 1
+fi
+
+# enable auth
+etcdctl --endpoints=${endpoints} auth enable --user=${root_user}:${password} || exit 1
+`

internal/task/task/common/etcd_auth_enable.go

@@ -0,0 +1,106 @@
+/*
+*  Copyright (c) 2023 NetEase Inc.
+*
+*  Licensed under the Apache License, Version 2.0 (the "License");
+*  you may not use this file except in compliance with the License.
+*  You may obtain a copy of the License at
+*
+*      http://www.apache.org/licenses/LICENSE-2.0
+*
+*  Unless required by applicable law or agreed to in writing, software
+*  distributed under the License is distributed on an "AS IS" BASIS,
+*  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+*  See the License for the specific language governing permissions and
+*  limitations under the License.
+ */
+
+/*
+* Project: Curveadm
+* Created Date: 2023-08-02
+* Author: wanghai (SeanHai)
+ */
+
+package common
+
+import (
+	"fmt"
+
+	"github.com/opencurve/curveadm/cli/cli"
+	"github.com/opencurve/curveadm/internal/configure/topology"
+	"github.com/opencurve/curveadm/internal/errno"
+	"github.com/opencurve/curveadm/internal/task/context"
+	"github.com/opencurve/curveadm/internal/task/scripts"
+	"github.com/opencurve/curveadm/internal/task/step"
+	"github.com/opencurve/curveadm/internal/task/task"
+	tui "github.com/opencurve/curveadm/internal/tui/common"
+)
+
+func checkEnableEtcdAuthStatus(success *bool, out *string) step.LambdaType {
+	return func(ctx *context.Context) error {
+		if !*success {
+			return errno.ERR_ENABLE_ETCD_AUTH_FAILED.S(*out)
+		}
+		return nil
+	}
+}
+
+func NewEnableEtcdAuthTask(curveadm *cli.CurveAdm, dc *topology.DeployConfig) (*task.Task, error) {
+	serviceId := curveadm.GetServiceId(dc.GetId())
+	containerId, err := curveadm.GetContainerId(serviceId)
+	if curveadm.IsSkip(dc) {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	hc, err := curveadm.GetHost(dc.GetHost())
+	if err != nil {
+		return nil, err
+	}
+
+	var success bool
+	var out string
+	host, role := dc.GetHost(), dc.GetRole()
+	// new task
+	subname := fmt.Sprintf("host=%s role=%s containerId=%s",
+		dc.GetHost(), dc.GetRole(), tui.TrimContainerId(containerId))
+	t := task.NewTask("Enable Etcd Auth", subname, hc.GetSSHConfig())
+
+	script := scripts.ENABLE_ETCD_AUTH
+	layout := dc.GetProjectLayout()
+	scriptPath := fmt.Sprintf("%s/enable_auth.sh", layout.ServiceBinDir)
+
+	etcdEndPoints, err := dc.GetVariables().Get("cluster_etcd_addr")
+	if err != nil {
+		return nil, err
+	}
+
+	t.AddStep(&step.ListContainers{
+		ShowAll:     true,
+		Format:      `"{{.ID}}"`,
+		Filter:      fmt.Sprintf("id=%s", containerId),
+		Out:         &out,
+		ExecOptions: curveadm.ExecOptions(),
+	})
+	t.AddStep(&step.Lambda{
+		Lambda: checkContainerExist(host, role, containerId, &out),
+	})
+	t.AddStep(&step.InstallFile{ // install /curvebs(fs)/etcd/sbin/enable_auth.sh
+		ContainerId:       &containerId,
+		ContainerDestPath: scriptPath,
+		Content:           &script,
+		ExecOptions:       curveadm.ExecOptions(),
+	})
+	command := fmt.Sprintf("/bin/bash %s %s %s %s", scriptPath, etcdEndPoints, dc.GetEtcdAuthUsername(),
+		dc.GetEtcdAuthPassword())
+	t.AddStep(&step.ContainerExec{
+		ContainerId: &containerId,
+		Success:     &success,
+		Out:         &out,
+		Command:     command,
+		ExecOptions: curveadm.ExecOptions(),
+	})
+	t.AddStep(&step.Lambda{
+		Lambda: checkEnableEtcdAuthStatus(&success, &out),
+	})
+	return t, nil
+}