feat: support etcd authentication (#30226)

issue: #28895
add 3 configuration for ETCD config

Signed-off-by: PowderLi <min.li@zilliz.com>

cmd/tools/migration/backend/etcd.go

@@ -20,8 +20,11 @@ func (b etcdBasedBackend) CleanWithPrefix(prefix string) error {
 }
 
 func newEtcdBasedBackend(cfg *configs.MilvusConfig) (*etcdBasedBackend, error) {
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		cfg.EtcdCfg.UseEmbedEtcd.GetAsBool(),
+		cfg.EtcdCfg.EtcdEnableAuth.GetAsBool(),
+		cfg.EtcdCfg.EtcdAuthUserName.GetValue(),
+		cfg.EtcdCfg.EtcdAuthPassword.GetValue(),
 		cfg.EtcdCfg.EtcdUseSSL.GetAsBool(),
 		cfg.EtcdCfg.Endpoints.GetAsStrings(),
 		cfg.EtcdCfg.EtcdTLSCert.GetValue(),

cmd/tools/migration/migration/runner.go

@@ -68,8 +68,11 @@ func (r *Runner) WatchSessions() {
 }
 
 func (r *Runner) initEtcdCli() {
-	cli, err := etcd.GetEtcdClient(
+	cli, err := etcd.CreateEtcdClient(
 		r.cfg.EtcdCfg.UseEmbedEtcd.GetAsBool(),
+		r.cfg.EtcdCfg.EtcdEnableAuth.GetAsBool(),
+		r.cfg.EtcdCfg.EtcdAuthUserName.GetValue(),
+		r.cfg.EtcdCfg.EtcdAuthPassword.GetValue(),
 		r.cfg.EtcdCfg.EtcdUseSSL.GetAsBool(),
 		r.cfg.EtcdCfg.Endpoints.GetAsStrings(),
 		r.cfg.EtcdCfg.EtcdTLSCert.GetValue(),

internal/distributed/datacoord/service.go

@@ -90,8 +90,11 @@ func (s *Server) init() error {
 	params := paramtable.Get()
 	etcdConfig := &params.EtcdCfg
 
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		etcdConfig.UseEmbedEtcd.GetAsBool(),
+		etcdConfig.EtcdEnableAuth.GetAsBool(),
+		etcdConfig.EtcdAuthUserName.GetValue(),
+		etcdConfig.EtcdAuthPassword.GetValue(),
 		etcdConfig.EtcdUseSSL.GetAsBool(),
 		etcdConfig.Endpoints.GetAsStrings(),
 		etcdConfig.EtcdTLSCert.GetValue(),

internal/distributed/datanode/service.go

@@ -227,8 +227,11 @@ func (s *Server) init() error {
 		log.Warn("DataNode found available port during init", zap.Int("port", Params.Port.GetAsInt()))
 	}
 
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		etcdConfig.UseEmbedEtcd.GetAsBool(),
+		etcdConfig.EtcdEnableAuth.GetAsBool(),
+		etcdConfig.EtcdAuthUserName.GetValue(),
+		etcdConfig.EtcdAuthPassword.GetValue(),
 		etcdConfig.EtcdUseSSL.GetAsBool(),
 		etcdConfig.Endpoints.GetAsStrings(),
 		etcdConfig.EtcdTLSCert.GetValue(),

internal/distributed/indexnode/service.go

@@ -168,8 +168,11 @@ func (s *Server) init() error {
 		return err
 	}
 
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		etcdConfig.UseEmbedEtcd.GetAsBool(),
+		etcdConfig.EtcdEnableAuth.GetAsBool(),
+		etcdConfig.EtcdAuthUserName.GetValue(),
+		etcdConfig.EtcdAuthPassword.GetValue(),
 		etcdConfig.EtcdUseSSL.GetAsBool(),
 		etcdConfig.Endpoints.GetAsStrings(),
 		etcdConfig.EtcdTLSCert.GetValue(),

internal/distributed/proxy/service.go

@@ -443,8 +443,11 @@ func (s *Server) init() error {
 	serviceName := fmt.Sprintf("Proxy ip: %s, port: %d", Params.IP, Params.Port.GetAsInt())
 	log.Debug("init Proxy's tracer done", zap.String("service name", serviceName))
 
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		etcdConfig.UseEmbedEtcd.GetAsBool(),
+		etcdConfig.EtcdEnableAuth.GetAsBool(),
+		etcdConfig.EtcdAuthUserName.GetValue(),
+		etcdConfig.EtcdAuthPassword.GetValue(),
 		etcdConfig.EtcdUseSSL.GetAsBool(),
 		etcdConfig.Endpoints.GetAsStrings(),
 		etcdConfig.EtcdTLSCert.GetValue(),

internal/distributed/querycoord/service.go

@@ -117,8 +117,11 @@ func (s *Server) init() error {
 	etcdConfig := &params.EtcdCfg
 	rpcParams := &params.QueryCoordGrpcServerCfg
 
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		etcdConfig.UseEmbedEtcd.GetAsBool(),
+		etcdConfig.EtcdEnableAuth.GetAsBool(),
+		etcdConfig.EtcdAuthUserName.GetValue(),
+		etcdConfig.EtcdAuthPassword.GetValue(),
 		etcdConfig.EtcdUseSSL.GetAsBool(),
 		etcdConfig.Endpoints.GetAsStrings(),
 		etcdConfig.EtcdTLSCert.GetValue(),

internal/distributed/querynode/service.go

@@ -99,8 +99,11 @@ func (s *Server) init() error {
 
 	log.Debug("QueryNode", zap.Int("port", Params.Port.GetAsInt()))
 
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		etcdConfig.UseEmbedEtcd.GetAsBool(),
+		etcdConfig.EtcdEnableAuth.GetAsBool(),
+		etcdConfig.EtcdAuthUserName.GetValue(),
+		etcdConfig.EtcdAuthPassword.GetValue(),
 		etcdConfig.EtcdUseSSL.GetAsBool(),
 		etcdConfig.Endpoints.GetAsStrings(),
 		etcdConfig.EtcdTLSCert.GetValue(),

internal/distributed/rootcoord/service.go

@@ -175,8 +175,11 @@ func (s *Server) init() error {
 	rpcParams := &params.RootCoordGrpcServerCfg
 	log.Debug("init params done..")
 
-	etcdCli, err := etcd.GetEtcdClient(
+	etcdCli, err := etcd.CreateEtcdClient(
 		etcdConfig.UseEmbedEtcd.GetAsBool(),
+		etcdConfig.EtcdEnableAuth.GetAsBool(),
+		etcdConfig.EtcdAuthUserName.GetValue(),
+		etcdConfig.EtcdAuthPassword.GetValue(),
 		etcdConfig.EtcdUseSSL.GetAsBool(),
 		etcdConfig.Endpoints.GetAsStrings(),
 		etcdConfig.EtcdTLSCert.GetValue(),

internal/kv/etcd/metakv_factory.go

@@ -53,8 +53,11 @@ func NewWatchKVFactory(rootPath string, etcdCfg *paramtable.EtcdConfig) (kv.Watc
 		}
 		return watchKv, err
 	}
-	client, err := etcd.GetEtcdClient(
+	client, err := etcd.CreateEtcdClient(
 		etcdCfg.UseEmbedEtcd.GetAsBool(),
+		etcdCfg.EtcdEnableAuth.GetAsBool(),
+		etcdCfg.EtcdAuthUserName.GetValue(),
+		etcdCfg.EtcdAuthPassword.GetValue(),
 		etcdCfg.EtcdUseSSL.GetAsBool(),
 		etcdCfg.Endpoints.GetAsStrings(),
 		etcdCfg.EtcdTLSCert.GetValue(),

internal/util/dependency/kv/kv_client_handler.go

@@ -62,8 +62,11 @@ func getEtcdAndPath() (*clientv3.Client, string) {
 // Function that calls the Etcd constructor
 func createEtcdClient() (*clientv3.Client, error) {
 	cfg := &paramtable.Get().ServiceParam
-	return etcd.GetEtcdClient(
+	return etcd.CreateEtcdClient(
 		cfg.EtcdCfg.UseEmbedEtcd.GetAsBool(),
+		cfg.EtcdCfg.EtcdEnableAuth.GetAsBool(),
+		cfg.EtcdCfg.EtcdAuthUserName.GetValue(),
+		cfg.EtcdCfg.EtcdAuthPassword.GetValue(),
 		cfg.EtcdCfg.EtcdUseSSL.GetAsBool(),
 		cfg.EtcdCfg.Endpoints.GetAsStrings(),
 		cfg.EtcdCfg.EtcdTLSCert.GetValue(),

pkg/util/etcd/etcd_util.go

@@ -66,8 +66,21 @@ func GetRemoteEtcdClient(endpoints []string) (*clientv3.Client, error) {
 	})
 }
 
+func GetRemoteEtcdClientWithAuth(endpoints []string, userName, password string) (*clientv3.Client, error) {
+	return clientv3.New(clientv3.Config{
+		Endpoints:   endpoints,
+		DialTimeout: 5 * time.Second,
+		Username:    userName,
+		Password:    password,
+	})
+}
+
 func GetRemoteEtcdSSLClient(endpoints []string, certFile string, keyFile string, caCertFile string, minVersion string) (*clientv3.Client, error) {
 	var cfg clientv3.Config
+	return GetRemoteEtcdSSLClientWithCfg(endpoints, certFile, keyFile, caCertFile, minVersion, cfg)
+}
+
+func GetRemoteEtcdSSLClientWithCfg(endpoints []string, certFile string, keyFile string, caCertFile string, minVersion string, cfg clientv3.Config) (*clientv3.Client, error) {
 	cfg.Endpoints = endpoints
 	cfg.DialTimeout = 5 * time.Second
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
@@ -108,6 +121,31 @@ func GetRemoteEtcdSSLClient(endpoints []string, certFile string, keyFile string,
 	return clientv3.New(cfg)
 }
 
+func CreateEtcdClient(
+	useEmbedEtcd bool,
+	enableAuth bool,
+	userName,
+	password string,
+	useSSL bool,
+	endpoints []string,
+	certFile string,
+	keyFile string,
+	caCertFile string,
+	minVersion string,
+) (*clientv3.Client, error) {
+	if !enableAuth || useEmbedEtcd {
+		return GetEtcdClient(useEmbedEtcd, useSSL, endpoints, certFile, keyFile, caCertFile, minVersion)
+	}
+	log.Info("create etcd client(enable auth)",
+		zap.Bool("useSSL", useSSL),
+		zap.Any("endpoints", endpoints),
+		zap.String("minVersion", minVersion))
+	if useSSL {
+		return GetRemoteEtcdSSLClientWithCfg(endpoints, certFile, keyFile, caCertFile, minVersion, clientv3.Config{Username: userName, Password: password})
+	}
+	return GetRemoteEtcdClientWithAuth(endpoints, userName, password)
+}
+
 func min(a, b int) int {
 	if a < b {
 		return a

pkg/util/paramtable/service_param.go

@@ -107,6 +107,11 @@ type EtcdConfig struct {
 	UseEmbedEtcd ParamItem `refreshable:"false"`
 	ConfigPath   ParamItem `refreshable:"false"`
 	DataDir      ParamItem `refreshable:"false"`
+
+	// --- ETCD Authentication ---
+	EtcdEnableAuth   ParamItem `refreshable:"false"`
+	EtcdAuthUserName ParamItem `refreshable:"false"`
+	EtcdAuthPassword ParamItem `refreshable:"false"`
 }
 
 func (p *EtcdConfig) Init(base *BaseTable) {
@@ -267,6 +272,35 @@ We recommend using version 1.2 and above.`,
 		Export:       true,
 	}
 	p.RequestTimeout.Init(base.mgr)
+
+	p.EtcdEnableAuth = ParamItem{
+		Key:          "etcd.auth.enabled",
+		DefaultValue: "false",
+		Version:      "2.3.7",
+		Doc:          "Whether to enable authentication",
+		Export:       true,
+	}
+	p.EtcdEnableAuth.Init(base.mgr)
+
+	if p.UseEmbedEtcd.GetAsBool() && p.EtcdEnableAuth.GetAsBool() {
+		panic("embedded etcd can not enable auth")
+	}
+
+	p.EtcdAuthUserName = ParamItem{
+		Key:     "etcd.auth.userName",
+		Version: "2.3.7",
+		Doc:     "username for etcd authentication",
+		Export:  true,
+	}
+	p.EtcdAuthUserName.Init(base.mgr)
+
+	p.EtcdAuthPassword = ParamItem{
+		Key:     "etcd.auth.password",
+		Version: "2.3.7",
+		Doc:     "password for etcd authentication",
+		Export:  true,
+	}
+	p.EtcdAuthPassword.Init(base.mgr)
 }
 
 // /////////////////////////////////////////////////////////////////////////////