Accepting request 707856 from home:jsegitz:branches:devel:CaaSP:Head:ControllerNode

- Added README.security and wording in the configuration file to ensure users are aware that they need to configure etcd to require authentication OBS-URL: https://build.opensuse.org/request/show/707856 OBS-URL: https://build.opensuse.org/package/show/devel:CaaSP:Head:ControllerNode/etcd?expand=0&rev=15
2019-06-06 08:30:52 +00:00 · 2019-06-06 08:30:52 +00:00 · e6a51f563d
commit e6a51f563d
parent aaaacfe0a0
4 changed files with 24 additions and 1 deletions
--- a/README.security
+++ b/README.security
@ -0,0 +1,10 @@
+By default etcd doesn't require authentication.  If you configure etcd to be reachable
+over the network, have untrustworthy local users on the system where etc runs or store
+date in etcd that needs to be kept confidential please make sure to enable authentication.
+
+You can do that by configuring the settings under [security] in /etc/sysconfig/etcd.
+For additional guidance please red
+https://coreos.com/etcd/docs/latest/v2/security.html
+and
+https://coreos.com/etcd/docs/latest/op-guide/authentication.html
+to ensure that you enforce proper access control
--- a/etcd.changes
+++ b/etcd.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Jun  5 13:08:46 UTC 2019 -  <jsegitz@suse.com>
+
+- Added README.security and wording in the configuration file to
+  ensure users are aware that they need to configure etcd to require
+  authentication
+
 -------------------------------------------------------------------
 Wed Jan 30 11:58:15 UTC 2019 - Panagiotis Georgiadis pgeorgiadis@suse.com

--- a/etcd.conf
+++ b/etcd.conf
@ -5,6 +5,10 @@ ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
 #ETCD_SNAPSHOT_COUNT="10000"
 #ETCD_HEARTBEAT_INTERVAL="100"
 #ETCD_ELECTION_TIMEOUT="1000"
+# Before changing this setting allowing etcd to be reachable over the network
+# or if you have untrustworthy local users on the system where etc runs please
+# make sure to enable authentication in the [security] section below. Please
+# also read README.security for this package
 #ETCD_LISTEN_PEER_URLS="http://localhost:2380"
 ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
 #ETCD_MAX_SNAPSHOTS="5"
--- a/etcd.spec
+++ b/etcd.spec
@ -33,6 +33,7 @@ Source1:        %{name}.conf
 Source2:        %{name}.service
 Source3:        etcd_client_firewall
 Source4:        etcd_server_firewall
+Source5:        README.security
 BuildRequires:  golang-packaging
 BuildRequires:  shadow
 BuildRequires:  systemd-rpm-macros
@ -68,6 +69,7 @@ to explore an etcd cluster.

 %prep
 %setup -q
+cp %{SOURCE5} .

 %build
 %{goprep} github.com/coreos/etcd
@ -111,7 +113,7 @@ getent passwd %{name} >/dev/null || %{_sbindir}/useradd -r -g %{name} -d %{_loca

 %files
 %defattr(-,root,root)
-%doc CONTRIBUTING.md README.md DCO NOTICE
+%doc CONTRIBUTING.md README.md DCO NOTICE README.security
 %license LICENSE
 %{_sbindir}/%{name}