Slide 1

Manage MySQL accounts with HashiCorp Vault

Slide 2

Agenda
- About me
- Overview
- What is Vault?
- Managing MySQL accounts with Vault
- Other notes
- A bit of promotion

Slide 3

Agenda (section divider): About me / Overview / What is Vault? / Managing MySQL accounts with Vault / Other notes / A bit of promotion

Slide 4

About me
- Takahiro Kikumoto
- Twitter: @takakiku
- Hatena Blog: http://kikumoto.hatenablog.com
- Affiliation: Hamee Corp.
- Infrastructure / middleware engineer
- I am also on the event staff (reception) today!

Slide 5

Agenda (section divider): About me / Overview / What is Vault? / Managing MySQL accounts with Vault / Impressions from running it / A bit of promotion

Slide 6

What I wanted to solve
- We run a large number of servers. Accounts, access restrictions and sudo privileges were all managed in LDAP (strictly speaking, in IPA Server).
- MySQL login accounts can be tied to LDAP, but MySQL privileges cannot be managed centrally together with them.
- I wanted an easier way to manage these MySQL accounts and privileges.
- I wanted passwords that do not stay valid indefinitely.
- I wanted the day-to-day operations of account management to be done entirely in IPA Server.

Slide 7

Overall system picture (diagram: Vault, IPA Server, MySQL)
(1) authenticate, (2) create user, (3) account, (4) access, (5) delete user

Slide 8

What this talk does not cover
- IPA Server itself.
- Consul itself: see fujiwara-san's YAPC::Asia Tokyo talk "Running a Web service at a scale of [number missing from the slide text] servers with Consul and home-grown OSS".
- How Vault behaves after a version upgrade (from the older release series to the newer one; the version numbers did not survive in the slide text): not tested yet.

Slide 9

Agenda (section divider): About me / Overview / What is Vault? / Managing MySQL accounts with Vault / Other notes / A bit of promotion

Slide 10

What is Vault?
- One of HashiCorp's tools; released in [date missing from the slide text]
- Manages secrets: API keys, passwords, certificates, anything whose handling must be strict
- A unified interface to secrets
- Strict access control
- Audit logging

Slide 11

Main features
- Secure Secret Storage: secrets are encrypted before they are written to storage; the storage backend is selectable.
- Dynamic Secrets: secrets can also be generated on demand, for example AWS IAM credentials or RDBMS accounts.
- Data Encryption: Vault can also be used purely to encrypt and decrypt data without storing it.

Slide 12

Main features (continued)
- Leasing and Renewal: every secret has a lease, i.e. an expiry.
- Revocation: secrets are not only revoked when their lease expires; they can also be revoked in bulk by matching a pattern (a path prefix).
- Auditing: every access to Vault is recorded, to syslog or to a file.

Slide 13

Main features (continued)
- Access control policies: fine-grained control over which secrets and which Vault functions may be accessed.
- Multiple authentication methods: LDAP, GitHub, userpass and others.

Slide 14

Secret Backends
Components that store or generate secrets.
- Storage type: Generic, Cubbyhole
- Dynamic-generation type: AWS, Cassandra, Consul, MSSQL, MySQL, PostgreSQL, PKI (Certificates), SSH, RabbitMQ
- Encryption / decryption: Transit
- Custom (user-written) secret backends are not supported (true for the Vault release discussed here; later releases added a plugin mechanism).

Slide 15

Example: AWS secret backend

    $ vault read aws/creds/deploy
    Key             Value
    lease_id        aws/creds/deploy/7cb8df71-782f-3de1-79dd-251778e49f58
    lease_duration  3600
    access_key      AKIAIOMYUTSLGJOGLHTQ
    secret_key      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
    security_token

Reading that path creates an IAM user on the fly and returns its keys, bound to a lease of 3600 seconds.

Slide 16

Auth Backends
Components that authenticate clients and assign policies to them.
AppID, GitHub, LDAP, MFA, TLS Certificates, Tokens, Username & Password, AWS EC2 Auth

Slide 17

Example: GitHub auth backend
Authenticating with a GitHub token makes Vault issue a token and attach the policies configured beforehand.

    $ vault auth -method=github \
        token=000000905b381e723b3d6a7d52f148a5d43c4b45
    Successfully authenticated! The policies that are associated with this token
    are listed below:

    root

When you authenticate with the vault command, the token is stored in ~/.vault-token.

Slide 18

Access Control Policies
- Policies govern authorization: each rule defines what is permitted on a path.
- The default is deny: anything not mentioned is denied.
- An explicit deny takes precedence over everything else.
- When several policies attached to a token match, their capabilities are combined (within a single policy, the rule that matches a path most specifically is the one applied).
- Capabilities: deny, create, update, delete, read, list, sudo

Slide 19

Access Control Policies (example)

    path "sys/*" {
      capabilities = ["deny"]
    }

    path "secret/*" {
      capabilities = ["read", "list"]
    }

    path "secret/foo" {
      capabilities = ["create", "update", "delete", "sudo"]
    }

    path "secret/super-secret" {
      capabilities = ["deny"]
    }

capabilities is always a list, even with a single entry. Note that secret/foo has its own exact rule, so the read and list capabilities of the secret/* glob do not apply to it: a token with only this policy can update secret/foo but cannot read it.
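The following Python script is an added example, not code from the slides or from Vault itself. It models how Vault evaluates the policies attached to a token (capabilities for the same path are unioned across policies, an explicit deny wins, an exact path rule beats a glob rule, the longest glob prefix wins among globs, and only a trailing * is a wildcard) and runs the policy above, together with the db-readonly policy from the MySQL section, through it. The regex-based parser for the HCL subset and the ordering of the rules are assumptions based on Vault's documented behaviour, not Vault's own code.

```python
import re
from typing import Dict, Iterable, Set

# Assumed, not from the slides: a regex parser for the small HCL subset used
# by Vault policies:  path "<p>" { capabilities = [...] }
_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*(\[[^\]]*\]|"[^"]*")\s*\}', re.S
)


def parse_policy(text: str) -> Dict[str, Set[str]]:
    """Return {path: {capability, ...}} for one policy document."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE_RE.findall(text):
        rules.setdefault(path, set()).update(re.findall(r'"([^"]+)"', caps))
    return rules


def build_acl(policies: Iterable[str]) -> Dict[str, Set[str]]:
    """Merge every policy attached to a token into one ACL.
    The same path in several policies: capabilities are unioned, and a
    "deny" from any of them makes the path denied (see capabilities_for)."""
    acl: Dict[str, Set[str]] = {}
    for text in policies:
        for path, caps in parse_policy(text).items():
            acl.setdefault(path, set()).update(caps)
    return acl


def capabilities_for(acl: Dict[str, Set[str]], request_path: str) -> Set[str]:
    """Capabilities the ACL grants on request_path.
    Priority: exact rule > longest glob rule; no rule at all = implicit deny.
    Only a trailing '*' is a glob: "mysql/*/creds/readonly" is a literal path."""
    if request_path in acl:
        caps = acl[request_path]
    else:
        best = ""
        for path in acl:
            if (path.endswith("*") and request_path.startswith(path[:-1])
                    and len(path) > len(best)):
                best = path
        if not best:
            return set()
        caps = acl[best]
    return set() if "deny" in caps else set(caps)


def allowed(acl: Dict[str, Set[str]], request_path: str, capability: str) -> bool:
    return capability in capabilities_for(acl, request_path)


# The policy from the slide
SLIDE_POLICY = '''
path "sys/*" { capabilities = ["deny"] }
path "secret/*" { capabilities = ["read", "list"] }
path "secret/foo" { capabilities = ["create", "update", "delete", "sudo"] }
path "secret/super-secret" { capabilities = ["deny"] }
'''

# The db-readonly policy from the MySQL section of the talk
DB_READONLY = '''
path "mysql/db01/creds/readonly" { capabilities = ["read"] }
path "mysql/db11/creds/readonly" { capabilities = ["read"] }
'''

# Tempting but ineffective: '*' is only a wildcard at the end of the path
MID_GLOB = 'path "mysql/*/creds/readonly" { capabilities = ["read"] }'

if __name__ == "__main__":
    acl = build_acl([SLIDE_POLICY, DB_READONLY])
    checks = [
        ("secret/bar", "read"),                 # True: matched by secret/*
        ("secret/foo", "read"),                 # False: exact rule replaces the glob
        ("secret/foo", "update"),               # True
        ("secret/super-secret", "read"),        # False: explicit deny
        ("sys/mounts", "read"),                 # False: deny on sys/*
        ("mysql/db01/creds/readonly", "read"),  # True
        ("mysql/db02/creds/readonly", "read"),  # False: no rule, implicit deny
    ]
    for path, cap in checks:
        print(f"{cap:6} {path:28} -> {allowed(acl, path, cap)}")
    print("mid-path glob matches db01?",
          allowed(build_acl([MID_GLOB]), "mysql/db01/creds/readonly", "read"))
```

The secret/foo case is the one worth remembering when writing policies for the creds paths: an exact rule for a path replaces, rather than extends, whatever a broader glob rule granted.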

Slide 20

HA configuration
- Active / hot-standby setup
- Requests sent to a standby are redirected to the active node
- It does not scale out: standbys do not serve requests themselves
- Storage is left to the storage backend; Consul is recommended

Slide 21

Agenda (section divider): About me / Overview / What is Vault? / Managing MySQL accounts with Vault / Other notes / A bit of promotion

Slide 22

Recap: what I wanted to solve
- Accounts, access restrictions and sudo privileges for a large number of servers are managed in LDAP (IPA Server).
- MySQL login accounts can be tied to LDAP, but privileges cannot be managed centrally with them.
- I want an easier way to manage MySQL accounts and privileges.
- I want passwords that do not stay valid indefinitely.
- I want the day-to-day account-management operations to stay entirely in IPA Server.
With Vault's features, this looks doable!

Slide 23

What to use
MySQL Secret Backend
- One of the Dynamic Secrets backends.
- Creates users dynamically in the configured MySQL server, with the MySQL privileges tied to a role.
- Deletes the user when the configured lease expires.
LDAP Auth Backend
- Uses LDAP as the authentication base.
- Obtains the user's group membership.
- Assigns Vault policies based on those groups.

Slide 24

The actual setup described in this talk (the version numbers did not survive in the slide text)
- Consul Server: 5 nodes
- Vault: 3 nodes in an HA configuration, using Consul as the storage backend
- IPA Server (VERSION / API_VERSION)
- MySQL

Slide 25

MySQL Secret Backend: mount

    $ vault mount -path=mysql/db01 mysql

- If there are several target databases, each one needs its own mount.
- If the user accounts are replicated as well, it is enough to target only the master.
- In that case, give the replication group a name and use that name in the mount path.

Slide 26

MySQL Secret Backend: connection settings

    $ vault write mysql/db01/config/connection \
        connection_url="<user>:<password>@tcp(192.168.0.11:3306)/"

(The slide text omits the MySQL user and password in connection_url; they are shown as placeholders.)
- The connecting user must hold at least the privileges that will be granted to the dynamically created users, plus CREATE USER and GRANT OPTION so that it can create them and grant on their behalf.
- With replication, point it at the master's VIP; with Consul, a name such as master.db.service.consul is another option.
- This path cannot be read back (it holds the connection credentials).

Slide 27

MySQL Secret Backend: lease settings

    $ vault write mysql/db01/config/lease \
        lease=30m lease_max=2h

This becomes the lifetime of the generated accounts: lease is the initial TTL of each credential and lease_max the limit up to which it can be renewed.

Slide 28

MySQL Secret Backend: register a role

    $ vault write mysql/db01/roles/readonly \
        sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"

- When issuing an account you specify one of the role names registered here, and the SQL registered for that role is executed with {{name}} and {{password}} filled in.
- The host part must be '%': the account deletion run at lease expiry is fixed to DROP USER '<name>'@'%', so a user created for any other host would not be removed and would outlive its lease. (Later Vault releases let you set the revocation SQL per role, which removes this restriction.)
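As an added example (not from the slides and not the Vault MySQL backend's own code), the script below simulates what one read of mysql/db01/creds/readonly does with this role: it builds a user name in the 16-character shape seen later in the slides (display name cut to 10 characters, a dash, a short random suffix; an assumed naming scheme), picks a UUID-shaped password like the one in the slide output, renders the role SQL statement by statement, and refuses role templates whose users the fixed DROP USER '<name>'@'%' revocation could not remove. The BAD_ROLE_SQL template and the issue_credentials function are constructed for the example.

```python
import re
import uuid
from typing import Dict, List

# MySQL 5.x limits user names to 16 characters, which is why the names in the
# slides look like "ldap-kikum-cc8b1".
MYSQL_MAX_USER_LEN = 16


def make_username(display_name: str, suffix: str) -> str:
    """Assumed naming scheme matching the slide output: the token's display
    name cut to 10 characters, a dash, a random suffix, all cut to 16."""
    return f"{display_name[:10]}-{suffix}"[:MYSQL_MAX_USER_LEN]


def render_role_sql(template: str, name: str, password: str) -> List[str]:
    """Fill {{name}}/{{password}} and split on ';' into single statements,
    one per prepared statement. A UUID password never contains ';'."""
    rendered = template.replace("{{name}}", name).replace("{{password}}", password)
    return [s.strip() for s in rendered.split(";") if s.strip()]


def revocation_sql(name: str) -> str:
    """The fixed revocation the slide describes: the user is dropped at host '%'."""
    return f"DROP USER '{name}'@'%'"


_ACCOUNT_RE = re.compile(r"'([^']*)'@'([^']*)'")


def check_revocable(statements: List[str], name: str) -> List[str]:
    """Return the reasons why lease expiry would leave the user behind:
    every '<name>'@'<host>' the role touches must use host '%', and the
    role must actually create '<name>'@'%'."""
    problems: List[str] = []
    created_at_wildcard = False
    for stmt in statements:
        for user, host in _ACCOUNT_RE.findall(stmt):
            if user != name:
                continue
            if host != "%":
                problems.append(f"{stmt}: '{name}'@'{host}' survives {revocation_sql(name)}")
            elif stmt.upper().startswith("CREATE USER"):
                created_at_wildcard = True
    if not created_at_wildcard:
        problems.append(f"role never runs CREATE USER '{name}'@'%'")
    return problems


def issue_credentials(role_sql: str, display_name: str) -> Dict[str, object]:
    """Simulate one read of mysql/<mount>/creds/<role> (constructed helper)."""
    name = make_username(display_name, uuid.uuid4().hex[:5])
    password = str(uuid.uuid4())  # the slides show UUID-shaped passwords
    statements = render_role_sql(role_sql, name, password)
    problems = check_revocable(statements, name)
    if problems:
        raise ValueError("; ".join(problems))
    return {"username": name, "password": password,
            "create_sql": statements, "revoke_sql": revocation_sql(name)}


# The role SQL from the slide
ROLE_SQL = ("CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
            "GRANT SELECT ON *.* TO '{{name}}'@'%';")

# Constructed counter-example: a host-restricted user that the fixed
# DROP USER ...@'%' never removes
BAD_ROLE_SQL = ("CREATE USER '{{name}}'@'10.0.0.%' IDENTIFIED BY '{{password}}';"
                "GRANT SELECT ON *.* TO '{{name}}'@'10.0.0.%';")

if __name__ == "__main__":
    cred = issue_credentials(ROLE_SQL, "ldap-kikumoto.takahiro")
    for stmt in cred["create_sql"]:
        print(stmt)
    print(cred["revoke_sql"])
    print(check_revocable(render_role_sql(BAD_ROLE_SQL, "u", "p"), "u"))
```

Running check_revocable against a role template before registering it is a cheap way to catch the host mismatch that the slide warns about, since Vault of this era accepts the template without complaint and only the orphaned users at lease expiry reveal the mistake.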

Slide 29

Policy
Define the readable paths in a policy (db-readonly.hcl):

    path "mysql/db01/creds/readonly" {
      capabilities = ["read"]
    }

    path "mysql/db11/creds/readonly" {
      capabilities = ["read"]
    }

Register it under the policy name db-readonly:

    $ vault policy-write db-readonly db-readonly.hcl

Slide 30

LDAP Auth Backend
Enable it:

    $ vault auth-enable ldap

Connection settings for LDAP:

    $ vault write auth/ldap/config \
        url="ldap://ipa.service.consul" \
        userattr=uid \
        userdn="cn=users,cn=accounts,dc=example,dc=com" \
        groupdn="cn=groups,cn=compat,dc=example,dc=com" \
        upndomain="EXAMPLE.COM" \
        insecure_tls=true \
        starttls=true \
        discoverdn=true

Caveat: insecure_tls=true makes Vault skip verification of the LDAP server's certificate after STARTTLS, so an on-path attacker between Vault and IPA Server could capture the IPA passwords Vault forwards. For production, set insecure_tls=false and hand Vault the IPA CA certificate through the certificate parameter.

Slide 31

Binding to a policy
Bind an LDAP group to Vault policies (operator is the LDAP group name):

    $ vault write auth/ldap/groups/operator \
        policies=db-readonly

- policies takes a comma-separated list.
- A user who belongs to several groups receives the policies of all of them.

Slide 32

Issuing an account: authenticate

    $ vault auth -method=ldap \
        username=kikumoto.takahiro
    Password (will be hidden):
    Successfully authenticated!
    token: 86891e67-d8ec-2a62-218f-0b5d8353ec47
    token_duration: 86400
    token_policies: [db-poweruser, db-readonly, default]

token_policies lists the policies assigned to the token.

Slide 33

Issuing an account: obtain DB credentials

    $ vault read mysql/db01/creds/readonly
    Key              Value
    lease_id         mysql/biz06db/creds/readonly/9af20968-4dc7-a290-14b8-37361fa77064
    lease_duration   64800
    lease_renewable  true
    password         e54fa005-9858-7a39-2218-38e82b4b07b2
    username         ldap-kikum-cc8b1

Reading the path returns account credentials that carry an expiry.

Slide 34

Issuing an account: connect to the DB

    $ mysql -u ldap-kikum-cc8b1 -p -h db01
    Enter password: <the issued password>
    mysql> show grants;
    +----------------------------------------------------------------------+
    | Grants for ldap-kikum-cc8b1@%                                        |
    +----------------------------------------------------------------------+
    | GRANT SELECT ON *.* TO 'ldap-kikum-cc8b1'@'%' IDENTIFIED BY PASSWORD |
    +----------------------------------------------------------------------+
    1 row in set (0.00 sec)

Slide 35

Operation flow, simple version (diagram: Vault, IPA Server, MySQL)
(1) authenticate, (2) create user, (3) account, (4) access, (5) delete user

Slide 36

Operation flow, detailed version (diagram: Vault with its LDAP Auth Backend and MySQL Secret Backend, IPA Server, MySQL)
(1) Authentication request to Vault, using the IPA Server user name and password
(2) Vault's LDAP Auth Backend accesses IPA Server with that user name and password
(3) IPA Server returns the user information (group membership)
(4) Vault determines the policies from the groups and issues a token
(5) The client accesses Vault with that token
(6) The client requests DB access credentials, specifying a role
(7) Vault checks against the policies whether the requested path may be processed
(8) The MySQL Secret Backend creates a user with the privileges of that role
(9) Vault returns the DB user name and password
When the lease expires, the user is deleted automatically.

Slide 37

Audit log
Excerpt from the Vault audit log at the moment DB credentials were issued:

    "data": {
      "password": "hmac-sha256:e285e0f8ee8eeb7d20427c3be71e66669a29dd46dbc333322f168514bf2b0610",
      "username": "hmac-sha256:ed389620dfcc544d91f1649c2a062f3f1bd3a52291b79582e41aead38a73ba7f"
    }

The log records hashes of the issued credentials, not the values themselves.

Slide 38

Audit log (continued)
To match a user name that shows up in the DB-side audit log (or query log) against the Vault audit log, you need the hash of that user name. Call the audit-hash API of the audit backend in question (here the one named syslog):

    $ curl -sk --tlsv1.2 -H "X-Vault-Token: ${TOKEN}" -X POST \
        https://${VAULT_SERVER}/v1/sys/audit-hash/syslog \
        -d "{\"input\": \"ldap-kikum-83e07\"}"

- VAULT_SERVER must point at the node that is currently active (the leader). From Vault [version missing from the slide text] on, with Consul, active.vault.service.consul should do (not verified).
- Note that -k disables certificate verification for the Vault API as well; prefer --cacert with the CA that issued the Vault server certificate.
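The script below is an added example, not from the slides. It reproduces the audit device's field hashing (HMAC-SHA256 keyed with the device's salt, hex-encoded, prefixed with hmac-sha256:) using an assumed salt that stands in for the sys/audit-hash call, indexes constructed audit-log entries by hashed user name, and resolves user names taken from a constructed MySQL general-log excerpt to the Vault identity that issued them. The salt, the audit entries and the log lines are constructed; only the hash format and the user-name shape come from the slides.

```python
import hashlib
import hmac
import json
import re
from typing import Callable, Dict, List, Optional


def audit_hash(salt: bytes, value: str) -> str:
    """Field hashing as the audit device does it: HMAC-SHA256 keyed with the
    device's salt, hex-encoded, prefixed "hmac-sha256:". Real Vault keeps the
    salt internal; this stands in for POST /v1/sys/audit-hash/<device>."""
    return "hmac-sha256:" + hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()


def index_issued_credentials(audit_lines: List[str]) -> Dict[str, dict]:
    """Map hashed DB user name -> who obtained it, taken from the response
    entries of reads on .../creds/... paths."""
    index: Dict[str, dict] = {}
    for line in audit_lines:
        entry = json.loads(line)
        if entry.get("type") != "response" or entry.get("error"):
            continue  # request entries carry no response data
        path = entry["request"]["path"]
        data = (entry.get("response") or {}).get("data") or {}
        if "/creds/" not in path or "username" not in data:
            continue
        index[data["username"]] = {
            "time": entry["time"],
            "path": path,
            "display_name": entry["auth"]["display_name"],
            "remote_address": entry["request"].get("remote_address"),
            "lease_id": (entry["response"].get("secret") or {}).get("lease_id"),
        }
    return index


def who_requested(index: Dict[str, dict], db_user: str,
                  hash_fn: Callable[[str], str]) -> Optional[dict]:
    """Resolve a DB-side user name to the Vault identity that issued it."""
    return index.get(hash_fn(db_user))


_CONNECT_RE = re.compile(r"\bConnect\s+([^@\s]+)@")


def db_users_from_general_log(log_text: str) -> List[str]:
    """Distinct user names, in order, from MySQL general-log Connect lines."""
    seen: List[str] = []
    for user in _CONNECT_RE.findall(log_text):
        if user not in seen:
            seen.append(user)
    return seen


def sample_audit_lines(salt: bytes) -> List[str]:
    """Constructed entries in the shape of Vault's JSON audit log (file/syslog)."""
    def response(time, display_name, path, username, addr, lease_id):
        return json.dumps({
            "time": time, "type": "response",
            "auth": {"display_name": display_name, "policies": ["db-readonly", "default"]},
            "request": {"operation": "read", "path": path, "remote_address": addr},
            "response": {"secret": {"lease_id": lease_id},
                         "data": {"username": audit_hash(salt, username),
                                  "password": audit_hash(salt, "not-the-real-password")}},
            "error": ""})
    return [
        json.dumps({"time": "2016-05-01T10:00:00Z", "type": "request",
                    "auth": {"display_name": "ldap-kikumoto.takahiro"},
                    "request": {"operation": "read", "path": "mysql/db01/creds/readonly"}}),
        response("2016-05-01T10:00:00Z", "ldap-kikumoto.takahiro", "mysql/db01/creds/readonly",
                 "ldap-kikum-cc8b1", "192.168.0.50",
                 "mysql/db01/creds/readonly/9af20968-4dc7-a290-14b8-37361fa77064"),
        response("2016-05-01T10:05:00Z", "ldap-alice", "mysql/db01/creds/readonly",
                 "ldap-alice-83e07", "192.168.0.51",
                 "mysql/db01/creds/readonly/1b2c3d4e-0000-1111-2222-333344445555"),
    ]


# Constructed MySQL general-log excerpt (Time  Id Command  Argument)
SAMPLE_GENERAL_LOG = """160501 10:07:12\t   42 Connect\tldap-kikum-cc8b1@192.168.0.50 on
160501 10:07:12\t   42 Query\tshow grants
160501 10:09:30\t   43 Connect\tldap-alice-83e07@192.168.0.51 on
160501 10:09:31\t   43 Query\tSELECT * FROM orders LIMIT 10
"""

if __name__ == "__main__":
    SALT = b"assumed-audit-device-salt"  # assumption; never available outside Vault
    index = index_issued_credentials(sample_audit_lines(SALT))
    for user in db_users_from_general_log(SAMPLE_GENERAL_LOG):
        hit = who_requested(index, user, lambda u: audit_hash(SALT, u))
        print(user, "->", hit["display_name"] if hit else "not issued by Vault")
```

In a real investigation hash_fn would wrap the curl call from the slide (one POST per DB user name), and the resulting display_name and lease_id are what tie a query in the MySQL log back to the IPA user who asked Vault for that account.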

Slide 39

Recap: what I wanted to solve, revisited
- Accounts, access restrictions and sudo privileges for a large number of servers are managed in LDAP (IPA Server).
- MySQL login accounts can be tied to LDAP, but privileges cannot be managed centrally with them.
- I wanted an easier way to manage MySQL accounts and privileges.
- I wanted passwords that do not stay valid indefinitely.
- I wanted the day-to-day account-management operations to stay entirely in IPA Server.

Slide 40

Agenda (section divider): About me / Overview / What is Vault? / Managing MySQL accounts with Vault / Other notes / A bit of promotion

Slide 41

A token with the root policy never expires
- A token that carries the root policy can be used forever unless it is explicitly revoked, and the vault command writes it to ~/.vault-token, where it stays.
- For administration, define something like an admin policy instead and issue ordinary (expiring) tokens with it:

    path "*" {
      capabilities = ["sudo", "create", "read", "update", "delete", "list"]
    }

Slide 42

Only a trailing * works as a wildcard in a policy path
When databases are added or removed, the policies have to be maintained accordingly.

    # This works
    path "mysql/*" {
      capabilities = ["read"]
    }

    # This does not: the * in the middle is matched literally
    path "mysql/*/creds/readonly" {
      capabilities = ["read"]
    }

(Later Vault releases added + as a single-segment wildcard, so mysql/+/creds/readonly expresses this intent there.)

Slide 43

MySQL 5.1 and earlier...
- The SQL registered in a role is executed as prepared statements.
- It therefore does not work on old MySQL versions in which statements such as CREATE USER are not allowed in prepared statements (older than MySQL 5.1?).

    $ vault write mysql/db01/roles/readonly \
        sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"

Slide 44

Agenda (section divider): About me / Overview / What is Vault? / Managing MySQL accounts with Vault / Other notes / A bit of promotion

Slide 45

Promotion 1 - We're Hiring
- Engineers wanted!
- Headquarters in Odawara (there is a Tokyo office too)
- E-commerce back-office platform "Next Engine"
- Listed on TSE Mothers; selected for the "Competitive IT Strategy Stock" list
- Search for "もっとEC"!
- Also hiring at the Korean subsidiary

Slide 46

Promotion 2 - builderscon
- The first builderscon
- Date: [missing from the slide text]; preparations under way
- Venue: Red Bull Studios Tokyo (planned)
- Sponsors wanted
- Core staff wanted
- Join the Slack (see http://builderscon.io)
