Upgrade to Pro — share decks privately, control downloads, hide ads and more …

vault-jtf2016

kikumoto
July 28, 2016
920

 vault-jtf2016

kikumoto

July 28, 2016
Tweet

Transcript

  1. Secret Backends 4FDSFUTΛอଘͨ͠Γੜ੒ͨ͠Γ͢Δίϯϙʔωϯτ อଘܕ (FOFSJD $VCCZIPMF ಈతੜ੒ܕ "84 $BTTBOESB $POTVM

    .442- .Z42- 1PTUHSF42- 1,*ʢ$FSUJpDBUFTʣ 44) 3BCCJU.2 ҉߸ɾ෮߸ 5SBOTJU ಠࣗͷ4FSFDU#BDLFOE͸ αϙʔτ͠ͳ͍
  2. ྫɿAWS Secret Backends $ vault read aws/creds/deploy Key Value lease_id

    aws/creds/deploy/7cb8df71-782f-3de1-79dd-251778e49f58 lease_duration 3600 access_key AKIAIOMYUTSLGJOGLHTQ secret_key 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 security_token <nil> ಛఆͷύεΛಡΈग़͢ͱ*".ΞΧ΢ϯτ͕ಈతʹ࡞ΒΕΔ
  3. ྫɿGitHub Auth Backends (JU)VCUPLFOΛ࢖ͬͯೝূ͢Δͱɺࣄલͷઃఆʹ ै͍ɺUPLFO͕ൃߦ͞ΕͯϙϦγʔׂ͕Γ౰ͯΒΕΔ $ vault auth -method=github \

    token=000000905b381e723b3d6a7d52f148a5d43c4b45 Successfully authenticated! The policies that are associated with this token are listed below: root WBVMUίϚϯυΛ࢖ͬͯೝূ͢ΔͱɺdWBVMUUPLFOʹUPLFO͕ อ࣋͞ΕΔ
  4. Access Control Policies path "sys/*" { capabilities = "deny" }

    path "secret/*" { capabilities = ["read", "list"] } path "secret/foo" { capabilities = ["create", “update", "delete", "sudo"] } path "secret/super-secret" { capabilities = ["deny"] }
  5. MySQL Secret Backend Ϛ΢ϯτ $ vault mount -path=mysql/db01 mysql ର৅ͷ%#͕ෳ਺͋ΔͳΒɺͦΕ͝ͱʹNPVOU͕ඞཁ

    Ϣʔβ৘ใ΋ϨϓϦέʔγϣϯ͍ͯ͠Ε͹ɺNBTUFSͷΈΛ ର৅ʹ͢ΔͷͰ΋Α͍ ͦͷ৔߹͸ɺϨϓϦέʔγϣϯάϧʔϓʹର໊ͯ͠લΛ͚ͭͯ QBUIʹࢦఆ͢ΔΠϝʔδ
  6. MySQL Secret Backend $ vault write mysql/db01/config/connection \ connection_url=“<username>:<password>@tcp(192.16 8.0.11:3306)/”

    ઀ଓઃఆͷొ࿥ ઀ଓϢʔβͷݖݶ͸ɺಈతʹੜ੒͞ΕΔϢʔβʹ༩͑ΔݖݶҎ্Λ ͍࣋ͬͯΔඞཁ ϨϓϦέʔγϣϯ͍ͯ͠ΔͳΒNBTUFSͷ7*1Λࢦఆɻ$POTVM ͰNBTUFSECTFSWJDFDPOTVMΈ͍ͨͳ΍Γํ΋͋Δ ͜ͷQBUI͸SFBEͰ͖·ͤΜɻ
  7. MySQL Secret Backend $ vault write mysql/db01/config/lease \ lease=30m lease_max=2h

    MFBTFઃఆ ੜ੒͞ΕͨΞΧ΢ϯτͷ༗ޮظݶͱͳΓ·͢ɻ
  8. MySQL Secret Backend $ vault write mysql/db01/roles/readonly \ sql="CREATE USER

    '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" SPMFͷొ࿥ ΞΧ΢ϯτΛൃߦ͢Δ࣌ʹɺ͜͜Ͱొ࿥͢ΔSPMF໊Λࢦఆ͠·͢ ͦͷSPMF໊ʹԠͨ͡42-͕࣮ߦ͞ΕΔͱ͍͏͜ͱɻ !b`Ͱͳ͍ͱ͍͚ͳ͍ɻ ΞΧ΢ϯτ࡟আ͕!b`ݻఆͳͷͰ
  9. Policy 1PMJDZΛ࢖ͬͯɺಡΈग़ͤΔQBUIΛఆٛ path "mysql/db01/creds/readonly" { capabilities = ["read"] } path

    "mysql/db11/creds/readonly" { capabilities = ["read"] } db-readonly.hcl $ vault policy-write db-readonly db-readonly.hcl Policy໊
  10. LDAP Auth Backend ༗ޮԽ $ vault auth-enable ldap -%"1ͱͷ઀ଓઃఆ $

    vault write auth/ldap/config \ url="ldap://ipa.service.consul" \ userattr=uid \ userdn="cn=users,cn=accounts,dc=example,dc=com" \ groupdn="cn=groups,cn=compat,dc=example,dc=com" \ upndomain="EXAMPLE.COM" \ insecure_tls=true \ starttls=true \ discoverdn=true
  11. ΞΧ΢ϯτൃߦखॱ ೝূ $ vault auth -method=ldap \ username=kikumoto.takahiro Password (will

    be hidden):<LDAPೝূύεϫʔυ> Successfully authenticated! token: 86891e67-d8ec-2a62-218f-0b5d8353ec47 token_duration: 86400 token_policies: [db-poweruser, db-readonly, default] tokenʹׂΓ౰ͯΒΕͨPolicy
  12. ΞΧ΢ϯτൃߦखॱ %#ΞΧ΢ϯτऔಘ $ vault read mysql/db01/creds/readonly Key Value lease_id mysql/biz06db/creds/readonly/

    9af20968-4dc7-a290-14b8-37361fa77064 lease_duration 64800 lease_renewable true password e54fa005-9858-7a39-2218-38e82b4b07b2 username ldap-kikum-cc8b1 QBUI͔ΒಡΈग़͢ͱɺ༗ޮظݶ͋ΓͷΞΧ΢ϯτ৘ใ͕औಘͰ ͖·͢
  13. ΞΧ΢ϯτൃߦखॱ %#ʹ઀ଓ $ mysql -u ldap-kikum-cc8b1 -p -h db01 Enter

    password:<ൃߦ͞Εͨύεϫʔυ> mysql> show grants; +----------------------------------------------------------------------+ | Grants for ldap-kikum-cc8b1@% | +----------------------------------------------------------------------+ | GRANT SELECT ON *.* TO 'ldap-kikum-cc8b1'@'%' IDENTIFIED BY PASSWORD | | GRANT PROCESS ON *.* TO 'ldap-kikum-cc8b1'@'%' IDENTIFIED BY PASSWORD| +----------------------------------------------------------------------+ 1 row in set (0.00 sec)
  14. ಈ࡞ϑϩʔৄࡉ൛ Vault IPA Server MySQL -%"1 "VUI #BDLFOE ᶃೝূཁٻ *1"4FSWFSͷϢʔβɾύεϫʔυΛར༻

    ᶄϢʔβɾύεϫʔυͰΞΫηε ᶅϢʔβ৘ใ ᶆHSPVQ͔Β QPMJDZܾఆͯ͠ɺ UPLFOൃߦ ᶇ7BVMU΁ͷ ΞΫηε5PLFO .Z42- 4FDSFU #BDLFOE ᶈ3PMFΛࢦఆͯ͠ %#ΞΫηε৘ใཁٻ ᶉQPMJDZ͔Β ࢦఆ1BUIΛॲཧ Մೳ͔DIFL ᶊ3PMFʹԠͨ͡ݖݶͰ Ϣʔβ࡞੒ ᶋ%#Ϣʔβ໊ɾύεϫʔυ MFBTFظݶ͕͘Δͱɺ ϢʔβΛࣗಈ࡟আ
  15. ؂ࠪϩά 7BVMU؂ࠪϩά "data": { "password": "hmac- sha256:e285e0f8ee8eeb7d20427c3be71e66669a29dd46d bc333322f168514bf2b0610", "username": "hmac-

    sha256:ed389620dfcc544d91f1649c2a062f3f1bd3a5229 1b79582e41aead38a73ba7f" } %#ͷΞΧ΢ϯτ৘ใΛൃߦͨ͠ͱ͖ͷ؂ࠪϩάൈਮ ൃߦͨ͠ΞΧ΢ϯτ৘ใͷIBTI஋͕ϩάʹͰ·͢ɻ
  16. ؂ࠪϩά %#ଆͷ؂ࠪϩάʢPSΫΤϦϩάʣʹग़ྗ͞ΕΔϢʔ β໊ͱಥ͖߹ΘͤΔʹ͸ɺͦͷϢʔβ໊ͷIBTI஋ Λऔಘ͢Δඞཁ͕͋Γ·͢ɻ $ curl -sk --tlsv1.2 -H "X-Vault-Token:

    ${TOKEN}" -X POST https://${VAULT_SERVER}/v1/sys/audit-hash/syslog -d "{\"input\": \"ldap-kikum-83e07\"} 7"6-5@4&37&3ʹ͸ݱࡏ"DUJWFʢ-FBEFSʣͰ͋ΔαʔόΛࢦఆɻ Ҏ߱ $POTVMͩͱɺBDUJWFWBVMUTFSWJDFDPOTVMʢະ֬ೝʣ "1*Λίʔϧ͠·͢ɻ