【Posted】: 2022-04-24 13:54:01
【Problem description】:
I'm trying to create a policy that lets users access part of a secret hierarchy based on their username. Rather than a separate policy for each user, I'd like a single templated policy. I think this should work, but I keep getting permission denied errors. If I remove the template and just hardcode the username in the policy path, secret retrieval works fine, so it doesn't look like any other part of the policy definition is at fault.
This is all on Vault 1.3.1 against a dev server, but the problem first showed up on a non-dev server with GCP/GCE auth and database secrets, so it doesn't seem to be specific to any of those things either.
Enable username/password auth and create a user that points at a new policy (defined later).
$ vault auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ vault write auth/userpass/users/duvall policies=default,p2 password=duvall
Success! Data written to: auth/userpass/users/duvall
Log in as that user and look at the token metadata.
$ vault login -method userpass username=duvall password=duvall
$ vault token lookup
Key                 Value
---                 -----
accessor            9ga3alRqZ6E3aSCEBNFWJY1X
creation_time       1581468214
creation_ttl        768h
display_name        userpass-duvall
entity_id           7513dc68-785b-d151-0efb-71315fc026dc
expire_time         2020-03-15T00:43:34.707416501Z
explicit_max_ttl    0s
id                  s.YZRQ3uclh2rg2H7gh3qH84P3
issue_time          2020-02-12T00:43:34.707423899Z
meta                map[username:duvall]
num_uses            0
orphan              true
path                auth/userpass/login/duvall
policies            [default p2]
renewable           true
ttl                 767h50m35s
type                service
Create the policy mentioned above, with a path templated on the metadata key username.
$ export VAULT_TOKEN=root
$ echo 'path "secret/data/role-secrets/{{identity.entity.metadata.username}}/*" {capabilities = ["read"]}' | vault policy write p2 -
Success! Uploaded policy: p2
Create a secret that matches the path in the policy.
$ vault kv put secret/role-secrets/duvall/s1 foo=bar
Key              Value
---              -----
created_time     2020-02-12T00:44:36.509412834Z
deletion_time    n/a
destroyed        false
version          1
As the user, reading the secret fails.
$ export VAULT_TOKEN=s.YZRQ3uclh2rg2H7gh3qH84P3
$ vault kv get secret/role-secrets/duvall/s1
Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/role-secrets/duvall/s1
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/role-secrets/duvall/s1/"
Rewrite the policy to remove the template.
$ export VAULT_TOKEN=root
$ echo 'path "secret/data/role-secrets/duvall/*" {capabilities = ["read"]}' | vault policy write p2 -
Success! Uploaded policy: p2
This time, reading the secret succeeds.
$ export VAULT_TOKEN=s.YZRQ3uclh2rg2H7gh3qH84P3
$ vault kv get secret/role-secrets/duvall/s1
====== Metadata ======
Key              Value
---              -----
created_time     2020-02-12T00:44:36.509412834Z
deletion_time    n/a
destroyed        false
version          1
=== Data ===
Key    Value
---    -----
foo    bar
I'm not sure how relevant this is, but... adding a metadata list capability to the policy changes the read error from "preflight capability check" to the more usual "permission denied".
$ printf '%s\n' 'path "secret/metadata/*" {capabilities = ["list"]}' 'path "secret/data/role-secrets/{{identity.entity.metadata.username}}/*" {capabilities = ["read"]}' | VAULT_TOKEN=root vault policy write p2 -
Success! Uploaded policy: p2
$ vault kv get secret/role-secrets/duvall/s1
Error reading secret/data/role-secrets/duvall/s1: Error making API request.
URL: GET http://127.0.0.1:8200/v1/secret/data/role-secrets/duvall/s1
Code: 403. Errors:
* 1 error occurred:
* permission denied
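One thing the token lookup above shows is that `meta map[username:duvall]` is token metadata attached by the userpass backend; it is not metadata on the identity entity, so `{{identity.entity.metadata.username}}` resolves to nothing unless someone has explicitly written that key onto the entity. Vault's policy templating also exposes the entity's alias per auth mount, and for a userpass login the alias name is the username, so `{{identity.entity.aliases.<mount accessor>.name}}` gives a per-user path without any extra entity bookkeeping. The script below is an added example, not code from the question or from HashiCorp; it assumes the `vault` and `jq` binaries, a reachable server via `VAULT_ADDR`, a privileged token in `VAULT_TOKEN`, and the names used in the question (user `duvall`, policy `p2`, auth mount `userpass/`). `render_policy` only builds the HCL and runs offline; the other two functions talk to a live server.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a templated KV v2 policy
# keyed on the userpass alias name rather than on entity metadata.
# Assumed environment: vault CLI, jq, VAULT_ADDR and a privileged VAULT_TOKEN.

# Emit the policy HCL. $1 is the accessor of the userpass auth mount
# (looks like auth_userpass_xxxxxxxx; value is hypothetical in tests).
# The metadata/ path with "list" lets `vault kv list` work for the
# user's own subtree only, instead of the broad secret/metadata/* grant.
render_policy() {
  accessor="$1"
  [ -n "$accessor" ] || { echo "render_policy: accessor required" >&2; return 1; }
  printf '%s\n' \
    "path \"secret/data/role-secrets/{{identity.entity.aliases.${accessor}.name}}/*\" {" \
    '  capabilities = ["read"]' \
    '}' \
    "path \"secret/metadata/role-secrets/{{identity.entity.aliases.${accessor}.name}}/*\" {" \
    '  capabilities = ["list"]' \
    '}'
}

# Count the path stanzas in a rendered policy; handy for a quick sanity check
# before uploading. Reads the policy text from stdin.
count_path_stanzas() {
  grep -c '^path "' 
}

# Look up the accessor for the mount at userpass/ (requires a live server).
userpass_accessor() {
  vault auth list -format=json | jq -r '."userpass/".accessor'
}

# Write the policy so it applies to the existing user duvall (requires a live server).
apply_policy() {
  acc="$(userpass_accessor)" || return 1
  render_policy "$acc" | vault policy write p2 -
}

# Alternative that keeps the question's original template: copy the username
# onto the entity itself, so {{identity.entity.metadata.username}} resolves.
# $1 = entity_id from `vault token lookup`, $2 = username.
set_entity_metadata() {
  vault write "identity/entity/id/$1" metadata="username=$2"
}
```

After `apply_policy`, log in as `duvall` again and run `vault kv get secret/role-secrets/duvall/s1`; a second user logging in through the same mount gets a path scoped to its own alias name, which is what the single-policy design in the question is after.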
【Discussion】:
-
I'm running into the same problem, did you find a solution?
Tags: hashicorp-vault