hailin0 commented on code in PR #331: URL: https://github.com/apache/skywalking-banyandb/pull/331#discussion_r1365724065
########## docs/installation/cluster.md: ########## @@ -28,3 +28,45 @@ The host is registered to the etcd cluster by the `banyand-server` automatically - `node-host-provider=hostname` : Default. The OS's hostname is registered as the host part in the address. - `node-host-provider=ip` : The OS's the first non-loopback active IP address(IPv4) is registered as the host part in the address. - `node-host-provider=flag` : `node-host` is registered as the host part in the address. + +## Etcd Client Authentication + +etcd supports through tls certificates and RBAC based authentication for both clients to server communication. This section is intended to help users set up authentication in etcd client. + +### Client-to-server authentication with username/password + +The etcd user can be setup by the [etcd authentication guide](https://etcd.io/docs/v3.5/op-guide/authentication/) + +The username/password is configured in the following command: Review Comment: added `note` ########## docs/installation/cluster.md: ########## @@ -28,3 +28,45 @@ The host is registered to the etcd cluster by the `banyand-server` automatically - `node-host-provider=hostname` : Default. The OS's hostname is registered as the host part in the address. - `node-host-provider=ip` : The OS's the first non-loopback active IP address(IPv4) is registered as the host part in the address. - `node-host-provider=flag` : `node-host` is registered as the host part in the address. + +## Etcd Client Authentication + +etcd supports through tls certificates and RBAC based authentication for both clients to server communication. This section is intended to help users set up authentication in etcd client. + +### Client-to-server authentication with username/password + +The etcd user can be setup by the [etcd authentication guide](https://etcd.io/docs/v3.5/op-guide/authentication/) + +The username/password is configured in the following command: + +- `etcd-username`: The username for etcd client authentication. +- `etcd-password`: The password for etcd client authentication. + +```shell +$ ./banyand-server storage --etcd-endpoints=your-endpoints --etcd-username=your-username --etcd-password=your-password <flags> +$ ./banyand-server liaison --etcd-endpoints=your-endpoints --etcd-username=your-username --etcd-password=your-password <flags> +``` + +### Client-to-server transport security with HTTPS + +The etcd trusted certificate file can be setup by the [etcd transport security model](https://etcd.io/docs/v3.5/op-guide/security/#example-1-client-to-server-transport-security-with-https) + +- `etcd-tls-ca-file`: The path of the trusted certificate file. + +```shell +$ ./banyand-server storage --etcd-endpoints=your-https-endpoints --etcd-tls-ca-file=youf-file-path <flags> +$ ./banyand-server liaison --etcd-endpoints=your-https-endpoints --etcd-tls-ca-file=youf-file-path <flags> +``` + +### Client-to-server authentication with HTTPS client certificates Review Comment: fixed -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@skywalking.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org