堆栈内存溢出
  简体   繁体   English

Hashicorp保险柜-仅创建身份验证令牌,请勿读取机密

[英]Hashicorp Vault — Create Auth Tokens Only, Don't read secrets

 原文  2016-04-23 00:16:41       linux/ hashicorp-vault

问题描述

I'm using Hashicorp Vault: 我正在使用Hashicorp Vault:

https://www.vaultproject.io/ https://www.vaultproject.io/

I want a user that can create new users, but can't read their secrets. 我想要一个可以创建新用户但无法读取其机密的用户。

Would I just create a policy like: 我是否可以创建一个策略,例如: 

path "sys/auth/token/*" {
  policy = "write"
}

since all policies are set to deny? 既然所有政策都设置为拒绝?

1 个解决方案

解决方案1
 2 已采纳  2016-09-02 12:40:21

This was the incorrect way to use Vault. 这是使用保管箱的错误方法。 These were my errors: 这些是我的错误:

  • Trying to store user passwords. 尝试存储用户密码。 For me, it looks better to handle platform passwords, like the integrated temporary postgre credentials. 对我来说,处理平台密码看起来更好,例如集成的临时postgre凭证。
  • Trying to remove any trace of authentication keys on the server. 尝试删除服务器上所有身份验证密钥的痕迹。 If Vault users were going to be created automatically, Vault credentials will need to exist somewhere, either in a script or file with proper permissions. 如果要自动创建Vault用户,则必须在具有适当权限的脚本或文件中将Vault凭据存在于某个位置。
  • Trying to mitigate a rooted server. 尝试缓解根服务器。 If someone has root access, there are larger problems than that. 如果某人具有root用户访问权限,那么问题就不止于此。 Encryption can mitigate data leaks, like a database dump. 加密可以减轻数据泄漏,例如数据库转储。 Data leaks if root access has been compromised in my case must be accepted. 如果在我的情况下,如果root用户访问受到损害,则数据泄漏必须被接受。 It's best to focus on not getting rooted. 最好专注于不生根。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我可以在 Hashicorp Vault 上创建一个策略以允许令牌所有者仅读取他们自己的秘密吗? - Can I create a policy on Hashicorp Vault to allow token owners to only read their own secrets? 为什么Vault by HashiCorp需要启用ipc_lock功能? - Why does Vault by HashiCorp require the ipc_lock capability to be enabled? 用户文件夹意外重定位,没有权限将其移回(只读文件系统) - User folder accidently relocated, don't have permissions to move it back (Read only file system) 创建线程,但不要立即在Linux中运行 - create threads but don't run it immediately in linux Linux绑定不创建套接字 - linux bind don't create socket 设置F_SEAL_WRITE后,为什么不能创建只读的共享映射? - Why can't I create read-only, shared mappings after setting F_SEAL_WRITE? .NET Arch Linux 上的 6:未读取用户机密 - .NET 6 on Arch Linux: User Secrets not being read 在yocto中创建一个只读文件 - Create a read-only file in yocto 用C语言创建只读文件夹 - Create read only folder in C language cp命令不在sh \\ bash脚本中创建目录,为什么? - cp command don't create directory in a sh\bash script, why?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM