apache · membphis · Jun 26, 2020 · Jun 24, 2020 · Jun 25, 2020 · Jun 25, 2020
diff --git a/conf/config.yaml b/conf/config.yaml
@@ -122,7 +122,8 @@ etcd:
     - "http://127.0.0.1:2379"     # multiple etcd address
   prefix: "/apisix"               # apisix configurations prefix
   timeout: 3                      # 3 seconds
-
+  # user: root                     # root username for etcd
+  # password: 5tHkHhYkjr6cQY        # root password for etcd
 #eureka:
 #  host:                           # it's possible to define multiple eureka hosts addresses of the same eureka cluster.
 #    - "http://127.0.0.1:8761"

diff --git a/t/APISIX.pm b/t/APISIX.pm
@@ -79,6 +79,14 @@ $yaml_config =~ s/enable_heartbeat: true/enable_heartbeat: false/;
 $yaml_config =~ s/  # stream_proxy:/  stream_proxy:\n    tcp:\n      - 9100/;
 $yaml_config =~ s/admin_key:/disable_admin_key:/;
 
+my $etcd_enable_auth = $ENV{"ETCD_ENABLE_AUTH"} || "false";
+
+if ($etcd_enable_auth eq "true") {
+    $yaml_config =~ s/  # user:/  user:/;
+    $yaml_config =~ s/  # password:/  password:/;
+}
+
+
 my $profile = $ENV{"APISIX_PROFILE"};
 
 
@@ -102,6 +110,7 @@ add_block_preprocessor(sub {
 
     my $main_config = $block->main_config // <<_EOC_;
 worker_rlimit_core  500M;
+env ENABLE_ETCD_AUTH;
 env APISIX_PROFILE;
 _EOC_
 

diff --git a/t/core/etcd-auth-fail.t b/t/core/etcd-auth-fail.t
@@ -0,0 +1,56 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+BEGIN {
+    $ENV{"ETCD_ENABLE_AUTH"} = "false"
+}
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+# Authentication is enabled at etcd and credentials are set
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY user add root:5tHkHhYkjr6cQY');
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY auth enable');
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY role revoke --path "/*" -rw guest');
+
+run_tests;
+
+# Authentication is disabled at etcd & guest access is granted
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY auth disable');
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY role grant --path "/*" -rw guest');
+
+
+__DATA__
+
+=== TEST 1: Set and Get a value pass
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local key = "/test_key"
+            local val = "test_value"
+            local res, err = core.etcd.set(key, val)
+            ngx.say(err)
+        }
+    }
+--- request
+GET /t
+--- response_body
+insufficient credentials code: 401
diff --git a/t/core/etcd.t b/t/core/etcd.t
@@ -0,0 +1,59 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+BEGIN {
+    $ENV{"ETCD_ENABLE_AUTH"} = "true"
+}
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+# Authentication is enabled at etcd and credentials are set
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY user add root:5tHkHhYkjr6cQY');
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY auth enable');
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY role revoke --path "/*" -rw guest');
+
+run_tests;
+
+# Authentication is disabled at etcd & guest access is granted
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY auth disable');
+system('etcdctl --endpoints="http://127.0.0.1:2376" -u root:5tHkHhYkjr6cQY role grant --path "/*" -rw guest');
+
+__DATA__
+
+=== TEST 1: Set and Get a value pass with authentication
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local key = "/test_key"
+            local val = "test_value"
+            core.etcd.set(key, val)
+            local res, err = core.etcd.get(key)
+            ngx.say(res.body.node.value)
+            core.etcd.delete(val)
+        }
+    }
+--- request
+GET /t
+--- response_body
+test_value
+--- no_error_log
+[error]