vault-jtf2016

kikumoto
July 28, 2016

Transcript

  1. HashiCorp Vault makes MySQL account management nothing to be scared of anymore

  2. Agenda: Self-introduction / Overview / What is Vault / MySQL account management with Vault / Other notes / A little advertising

  3. Agenda (section divider, same items as slide 2)

  4. Self-introduction: Takahiro Kikumoto. Twitter: @takakiku. Hatena blog: kikumoto.hatenablog.com. Affiliation: Hamee Corp. (search for "もっとEC"!). Job: infrastructure and middleware engineer.

  5. Agenda (section divider, same items as slide 2)

  6. What I wanted to solve: We run a large number of servers, and accounts, access restrictions and sudo rights were all managed in LDAP (to be precise, IPA Server). MySQL login accounts can be tied to LDAP, but the privileges cannot be managed centrally along with them. I wanted some easier way to manage these MySQL accounts and privileges. I wanted passwords that do not stay valid forever. I wanted the day-to-day operations of account management to be completed entirely within IPA Server.

  7. Overall system picture (diagram): Vault, IPA Server and MySQL, with the steps (1) authentication, (2) user creation, (3) account, (4) access, (5) user deletion.

  8. What this talk does not cover: IPA Server itself; Consul itself (see fujiwara-san's YAPC::Asia Tokyo slides on operating a web service fleet with Consul and home-grown OSS); behaviour on the newer Vault release series (the upgrade from the older series has not been tested yet).

  9. Agenda (section divider, same items as slide 2)

  10. What is Vault? One of HashiCorp's tools (the release date on the slide was not captured in this transcript). It manages secrets: API keys, passwords, certificates, anything that must be handled strictly. A unified interface to secrets, strict access control, and audit logging.

  11. Main features. Secure Secret Storage: secrets are encrypted before being written to storage, and the storage location is selectable. Sealed / unsealed: the vault cannot be unsealed without a threshold number of the split key shares.

  12. Main features. Dynamic Secrets: secrets can also be generated on demand, such as AWS IAM accounts or RDBMS accounts. Data Encryption: Vault can also be used purely to encrypt and decrypt data without storing it.

  13. Main features. Leasing and Renewal: secrets have an expiry. Revocation: secrets are not only revoked when they expire, they can also be revoked in bulk by pattern. Auditing: every access to Vault is recorded (syslog or file).

  14. Main features. Access control policies: fine-grained control over which secrets and which Vault functions may be accessed. Multiple authentication methods: LDAP, GitHub, userpass and so on.

  15. Secret Backends: the components that store or generate secrets. Storage type: Generic, Cubbyhole. Dynamic generation type: AWS, Cassandra, Consul, MSSQL, MySQL, PostgreSQL, PKI (Certificates), SSH, RabbitMQ. Encryption / decryption: Transit. Custom Secret Backends are not supported.

  16. Example: AWS Secret Backend. Reading a specific path creates an IAM account on the fly:

     $ vault read aws/creds/deploy
     Key             Value
     lease_id        aws/creds/deploy/7cb8df71-782f-3de1-79dd-251778e49f58
     lease_duration  3600
     access_key      AKIAIOMYUTSLGJOGLHTQ
     secret_key      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
     security_token  <nil>

  17. Auth Backends: the components that authenticate and assign policies. App ID, GitHub, LDAP, MFA, TLS Certificates, Tokens, Username & Password, AWS EC2 Auth.

  18. Example: GitHub Auth Backend. Authenticating with a GitHub token issues a Vault token and assigns policies according to the configuration set up beforehand. When you authenticate with the vault command, the token is stored in ~/.vault-token.

     $ vault auth -method=github \
         token=000000905b381e723b3d6a7d52f148a5d43c4b45
     Successfully authenticated! The policies that are associated with this token
     are listed below:

     root

  19. Access Control Policies: what governs authorization. They define what is permitted on a path. Implicit deny; an explicit deny has the highest precedence; when several rules match, their capabilities are combined. Capabilities: deny, create, update, delete, read, list, sudo.

  20. Access Control Policies, example:

     path "sys/*" {
       capabilities = "deny"
     }
     path "secret/*" {
       capabilities = ["read", "list"]
     }
     path "secret/foo" {
       capabilities = ["create", "update", "delete", "sudo"]
     }
     path "secret/super-secret" {
       capabilities = ["deny"]
     }

  21. HA configuration: Active / Hot Standby. Requests sent to a Standby are redirected to the Active node. It does not scale out. The storage part is delegated to the Storage Backend; Consul is recommended.

  22. Agenda (section divider, same items as slide 2)

  23. Recap: what I wanted to solve (same as slide 6). It looks doable with Vault's features!

  24. What to use. MySQL Secret Backend, one of the Dynamic Secrets: it dynamically creates users inside the configured MySQL with the MySQL privileges tied to a Role, and deletes the user when the configured expiry arrives. LDAP Auth Backend: uses LDAP as the authentication base, obtains the user's group memberships, and assigns Vault Policies based on those groups.

  25. The actual setup described in this talk (running in production): Consul Server, 5 nodes, no ACLs configured. Vault, 3-node HA configuration with Consul as the Storage Backend. IPA Server. MySQL. (The version numbers shown on the slide were not captured in this transcript.)

  26. MySQL Secret Backend, mounting. If there are several target DBs, each needs its own mount. If user information is replicated too, targeting only the master is fine; in that case, give the replication group a name and use it in the path.

     $ vault mount -path=mysql/db01 mysql

  27. MySQL Secret Backend, registering the connection settings. The connection user must hold at least the privileges that will be granted to the dynamically created users. If replicating, point at the master's VIP; with Consul, something like master.db.service.consul also works. This path cannot be read back.

     $ vault write mysql/db01/config/connection \
         connection_url="<username>:<password>@tcp(192.168.0.11:3306)/"

  28. MySQL Secret Backend, lease settings. This is the validity period of the generated accounts.

     $ vault write mysql/db01/config/lease \
         lease=30m lease_max=2h

  29. MySQL Secret Backend, registering a role. When issuing an account you specify the role name registered here, and the SQL belonging to that role name is executed. The host must be '%', because account deletion is hardcoded to '@'%'.

     $ vault write mysql/db01/roles/readonly \
         sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
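Added example (not from the slides and not Vault's own code): a small Python check to run over a role's SQL template before registering it, enforcing the '@'%' rule just described, plus a renderer that substitutes the {{name}} / {{password}} placeholders the way the backend does. The user-name format and the 16-character limit are assumptions modelled on the "ldap-kikum-cc8b1" name that appears later in the deck.

```python
import re
import secrets

# Added example, not Vault's own code. The MySQL secret backend described in
# the slides runs the role's SQL with {{name}} / {{password}} substituted and
# later revokes the account as '{{name}}'@'%', so any host other than '%'
# would leave an orphaned user behind.
REVOKE_HOST = "%"
MYSQL_USER_MAX_LEN = 16  # MySQL 5.x user-name limit (assumed; cf. "ldap-kikum-cc8b1")

# Constructed copy of the readonly role's SQL from the slide
READONLY_ROLE_SQL = (
    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
    "GRANT SELECT ON *.* TO '{{name}}'@'%';"
)

_HOST_RE = re.compile(r"'\{\{name\}\}'@'([^']*)'")


def check_role_sql(sql: str) -> list:
    """Return the problems found in a role's SQL template (empty list = OK)."""
    problems = []
    if "{{name}}" not in sql or "{{password}}" not in sql:
        problems.append("template must use both {{name}} and {{password}}")
    for host in _HOST_RE.findall(sql):
        if host != REVOKE_HOST:
            problems.append(f"host '{host}' is never dropped: revocation uses '@{REVOKE_HOST}'")
    return problems


def make_username(display_name: str) -> str:
    """Vault-style user name (assumed format): first 10 chars of the auth
    display name, a dash and a random hex suffix, cut to MySQL's limit."""
    return f"{display_name[:10]}-{secrets.token_hex(3)[:5]}"[:MYSQL_USER_MAX_LEN]


def render_role_sql(sql: str, name: str, password: str) -> list:
    """Substitute the placeholders and split into the individual statements
    the backend would execute. Only pass values produced by our own generators
    (hex / UUID-style), so the substitution cannot break out of the quotes."""
    rendered = sql.replace("{{name}}", name).replace("{{password}}", password)
    return [stmt.strip() for stmt in rendered.split(";") if stmt.strip()]
```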
  30. Policy. Use a Policy to define the paths that may be read, then register it under a policy name (db-readonly):

     db-readonly.hcl:
     path "mysql/db01/creds/readonly" {
       capabilities = ["read"]
     }
     path "mysql/db11/creds/readonly" {
       capabilities = ["read"]
     }

     $ vault policy-write db-readonly db-readonly.hcl

  31. LDAP Auth Backend. Enable it, then configure the connection to LDAP:

     $ vault auth-enable ldap
     $ vault write auth/ldap/config \
         url="ldap://ipa.service.consul" \
         userattr=uid \
         userdn="cn=users,cn=accounts,dc=example,dc=com" \
         groupdn="cn=groups,cn=compat,dc=example,dc=com" \
         upndomain="EXAMPLE.COM" \
         insecure_tls=true \
         starttls=true \
         discoverdn=true

  32. Tying Policies to groups. Map an LDAP group (here operator) to a Vault Policy; policies accepts several names separated by commas. If a user belongs to several groups, the policies of all those groups are assigned.

     $ vault write auth/ldap/groups/operator \
         policies=db-readonly

  33. Account issuance procedure, step 1: authenticate. The Policies assigned to the token are shown in token_policies.

     $ vault auth -method=ldap \
         username=kikumoto.takahiro
     Password (will be hidden): <LDAP password>
     Successfully authenticated!
     token: 86891e67-d8ec-2a62-218f-0b5d8353ec47
     token_duration: 86400
     token_policies: [db-poweruser, db-readonly, default]

  34. Account issuance procedure, step 2: obtain a DB account. Reading the path returns account information that carries an expiry.

     $ vault read mysql/db01/creds/readonly
     Key              Value
     lease_id         mysql/biz06db/creds/readonly/9af20968-4dc7-a290-14b8-37361fa77064
     lease_duration   64800
     lease_renewable  true
     password         e54fa005-9858-7a39-2218-38e82b4b07b2
     username         ldap-kikum-cc8b1

  35. Account issuance procedure, step 3: connect to the DB.

     $ mysql -u ldap-kikum-cc8b1 -p -h db01
     Enter password: <issued password>
     mysql> show grants;
     +----------------------------------------------------------------------+
     | Grants for ldap-kikum-cc8b1@%                                        |
     +----------------------------------------------------------------------+
     | GRANT SELECT ON *.* TO 'ldap-kikum-cc8b1'@'%' IDENTIFIED BY PASSWORD |
     | GRANT PROCESS ON *.* TO 'ldap-kikum-cc8b1'@'%' IDENTIFIED BY PASSWORD|
     +----------------------------------------------------------------------+
     1 row in set (0.00 sec)

  36. Operation flow, simplified (diagram): Vault, IPA Server and MySQL, with (1) authentication, (2) user creation, (3) account, (4) access, (5) user deletion.

  37. Operation flow, detailed (diagram). LDAP Auth Backend: (1) authentication request, using the IPA Server user and password; (2) access with user and password; (3) user information; (4) policy decided from the group, token issued; (5) access token for Vault. MySQL Secret Backend: (6) request DB access information, specifying a Role; (7) check from the policy whether the requested path may be handled; (8) user created with the privileges matching the Role; (9) DB user name and password. When the lease expires, the user is deleted automatically.

  38. Audit log. Vault audit log excerpt from when DB account information was issued: the hash values of the issued account information appear in the log.

     "data": {
       "password": "hmac-sha256:e285e0f8ee8eeb7d20427c3be71e66669a29dd46dbc333322f168514bf2b0610",
       "username": "hmac-sha256:ed389620dfcc544d91f1649c2a062f3f1bd3a52291b79582e41aead38a73ba7f"
     }

  39. Audit log. To match the user name written to the DB-side audit log (or query log), you need the hash of that user name, which the sys/audit-hash API returns. VAULT_SERVER must be the server that is currently Active (Leader); with Consul, from a later Vault version onward (the version number on the slide was not captured) active.vault.service.consul should work (unconfirmed).

     $ curl -sk --tlsv1.2 -H "X-Vault-Token: ${TOKEN}" -X POST \
         https://${VAULT_SERVER}/v1/sys/audit-hash/syslog \
         -d "{\"input\": \"ldap-kikum-83e07\"}"
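Added example (not from the slides and not Vault's own implementation) of the correlation just described: Vault writes hmac-sha256:<hex> of each secret value to its audit log, so given the hash of a MySQL user name (from sys/audit-hash in practice) you can find the Vault request that issued that user. The salt and the log entries below are constructed stand-ins, since the real salt never leaves Vault.

```python
import hashlib
import hmac
import json

# Added example, not Vault's own implementation. Vault's audit devices log
# every secret value as "hmac-sha256:<hex>", keyed with a per-device salt that
# never leaves Vault (which is why the slide asks sys/audit-hash for the hash).
# The salt below is a constructed stand-in so the matching logic runs offline.
AUDIT_SALT = b"constructed-salt-not-a-real-vault-value"


def audit_hash(value: str, salt: bytes = AUDIT_SALT) -> str:
    """Return value in the form Vault writes it to the audit log."""
    digest = hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()
    return f"hmac-sha256:{digest}"


def _entry(req_id: str, username: str, password: str) -> str:
    # Simplified entry shaped like the "data" excerpt on the slide
    return json.dumps({
        "type": "response",
        "request": {"id": req_id, "path": "mysql/db01/creds/readonly"},
        "response": {"data": {"username": audit_hash(username),
                              "password": audit_hash(password)}},
    })


# Constructed Vault audit log lines (two credential issuances)
AUDIT_LOG = [
    _entry("req-001", "ldap-kikum-cc8b1", "pw-1"),
    _entry("req-002", "ldap-kikum-83e07", "pw-2"),
]


def find_issuing_request(db_username: str, log_lines, salt: bytes = AUDIT_SALT):
    """Map a user name seen in the MySQL audit/query log back to the Vault
    request that issued it; returns the request id, or None if nothing matches.
    With real Vault, replace audit_hash() with the sys/audit-hash API result."""
    wanted = audit_hash(db_username, salt)
    for line in log_lines:
        entry = json.loads(line)
        data = entry.get("response", {}).get("data") or {}
        if hmac.compare_digest(data.get("username", ""), wanted):
            return entry["request"]["id"]
    return None
```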
  40. Recap: what I wanted to solve (same as slide 6).

  41. Agenda (section divider, same items as slide 2)

  42. Assigning the root policy means no expiry. A token that carries the root policy stays usable forever unless it is explicitly revoked, and it ends up written to ~/.vault-token as well. For administration it is better to define something like an admin policy instead:

     path "*" {
       capabilities = [ "sudo", "create", "read", "update", "delete", "list" ]
     }

  43. In policies, * can only be used at the end of a path, so the Policy has to be maintained whenever DBs are added or removed.

     # This is OK
     path "mysql/*" {
       capabilities = ["read"]
     }
     # This is NG
     path "mysql/*/creds/readonly" {
       capabilities = ["read"]
     }

  44. MySQL 5.1 and earlier… The SQL registered in a role is executed as a prepared statement, so it cannot be used on old MySQL versions where CREATE USER and the like are not allowed in prepared statements (before MySQL 5.1?).

     $ vault write mysql/db01/roles/readonly \
         sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"

  45. Agenda (section divider, same items as slide 2)

  46. Advertisement 1 - We're Hiring. We are actively recruiting engineers! Head office in Odawara (there is a Tokyo office too). EC back-office platform "Next Engine". Listed on TSE Mothers; selected as a "Competitive IT Strategy Company" stock. Search for "もっとEC"! The Korean branch is hiring too.

  47. Advertisement 2 - builderscon. The first builderscon is being prepared (the date on the slide was not captured); the venue is planned to be Red Bull Studios Tokyo. Sponsors wanted, core staff wanted. Please join the Slack (see builderscon.io).