Page MenuHomePhabricator
Create Task
Maniphest T146355

Replace etcd internal auth mechanism with a frontend proxy
Closed, ResolvedPublic
Actions

Description

Etcd-based auth makes every call to etcd very slow (introduces a 0.1+ s lag on every authenticated call, and some on unauthenticated calls) and in general is not that reliable as an instrument of write control.

So what we should do is the following:

  • Create an nginx proxy that allows all GET requests, and for POST, PUT and DELETEs requires HTTP basic auth depending on some simple ACLs we could generate from the same rules we apply to etcd
  • Verify that reads can go through with particular attention to watch timeouts.
  • Progressively migrate all applications to use nginx
  • Disable etcd auth
  • firewall direct contact with etcd off to limit it to localhost (possibly the rest of the etcd cluster)

Event Timeline

Joe created this task.Sep 22 2016, 9:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 22 2016, 9:27 AM
elukey triaged this task as Medium priority.Oct 19 2016, 12:34 PM
elukey subscribed.
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:50 PM
Joe closed this task as Resolved.Mar 2 2022, 7:16 AM
Joe claimed this task.

This has been implemented years ago.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL