Can I create a policy on Hashicorp Vault to allow token owners to only read their own secrets?
I'm using Vault from its official Docker (latest) image and KVv2 as the secrets engine.
I want to prevent token holders from reading secrets that are not owned by themselves.
Firstly, I've created a templating policy called "acl-caging-policy" to control requests under /secret/data/[username]. Tried both with and without the trailing /*.
$ http http://127.0.0.1:8200/v1/sys/policy/acl-caging-policy policy:='"path \"secret/data/{{identity.entity.metadata.user}}\" {capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]}"' X-VAULT-TOKEN:"[ROOT_TOKEN]"
Vault is successfully showing it for me:
$ docker exec -it vault-app vault policy read acl-caging-policy
path "secret/data/{{identity.entity.metadata.user}}" { capabilities = ["create", "read", "update", "delete", "list"]}
Then, I created a token for a user:
$ http http://127.0.0.1:8200/v1/auth/token/create policies:='["acl-caging-policy"]' meta:='{"user": "oystr"}' ttl="999999h" renewable:=false X-VAULT-TOKEN:"[ROOT_TOKEN]"
Which Vault creates successfully:
$ docker exec -it vault-app vault token lookup [USER_TOKEN]
Key Value
--- -----
accessor [USER_ACCESSOR]
creation_time 1585935126
creation_ttl 999999h
display_name token
entity_id n/a
expire_time 2134-05-03T08:32:06.496766579Z
explicit_max_ttl 0s
id [USER_TOKEN]
issue_time 2020-04-03T17:32:06.496771065Z
meta map[user:oystr]
num_uses 0
orphan false
path auth/token/create
policies [acl-caging-policy default]
renewable false
ttl 999997h53m46s
type service
But whenever I try to store any information:
$ http http://127.0.0.1:8200/v1/secret/data/oystr data:='{"username": "oystr", "password": "[PASSWORD]"}' X-VAULT-TOKEN:"[USER_TOKEN]"
HTTP/1.1 403 Forbidden
Cache-Control: no-store
Content-Length: 60
Content-Type: application/json
Date: Fri, 03 Apr 2020 18:23:25 GMT
{
"errors": [
"1 error occurred:\n\t* permission denied\n\n"
]
}
Is it possible or am I missing something here?
The problem is that you need an Entity for templating to work. When you just create a token, there is no Entity associated with it. Instead, create an Entity for each of your users, which can have an Alias set up for whatever authentication method you use (or will use), and then when a user logs in, their token will be associated with their Entity. At this point the templating should work, though you probably want to change it to use something like {{identity.entity.name}} instead of metadata. If you want to use metadata, you'll need to set up that metadata on the Entities that you create.
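To make the answer concrete, here is an added illustration (not Vault's code and not from the question or answer author) that models how a templated policy path is resolved against a token. It reproduces the three situations discussed above: the question's bare token from auth/token/create that carries meta={"user": "oystr"} but no Entity, the same policy evaluated for a token bound to an Entity whose metadata has user=oystr, and the {{identity.entity.name}} variant with a trailing /*. The policy names, entity names and request paths are constructed sample values; the matching rules are simplified (real Vault does longest-prefix matching with explicit deny precedence, and a rule whose template cannot be rendered is skipped). The real-world sequence this mirrors, taken from the Vault identity API rather than from this page, is: create the entity with its metadata (`vault write identity/entity name=oystr metadata=user=oystr policies=acl-caging-policy`), create an entity alias under `identity/entity-alias` bound to your auth method's mount accessor, then log in through that auth method so the issued token is attached to the entity.

```python
"""Toy model of Vault ACL path templating (added illustration, not Vault's code).

It mirrors the question's setup: a policy whose path contains
{{identity.entity.metadata.user}}, a token created directly via
auth/token/create with meta={"user": "oystr"} but no Entity, and the
Entity-backed token the answer recommends.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Matches Vault-style template parameters such as {{identity.entity.name}}.
TEMPLATE_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


@dataclass
class Entity:
    name: str
    metadata: Dict[str, str] = field(default_factory=dict)


@dataclass
class Token:
    policies: List[str]
    meta: Dict[str, str] = field(default_factory=dict)  # token metadata ("meta" in the question)
    entity: Optional[Entity] = None                     # None for a bare auth/token/create token


def lookup(param: str, token: Token) -> Optional[str]:
    """Resolve one identity.entity.* template parameter for a token, or None."""
    parts = param.split(".")
    if parts[:2] != ["identity", "entity"] or token.entity is None:
        return None  # token metadata is deliberately NOT consulted: only entity data is
    if parts[2:] == ["name"]:
        return token.entity.name
    if len(parts) == 4 and parts[2] == "metadata":
        return token.entity.metadata.get(parts[3])
    return None


def render(path_template: str, token: Token) -> Optional[str]:
    """Substitute template parameters; return None if any cannot be resolved."""
    unresolved = False

    def substitute(match):
        nonlocal unresolved
        value = lookup(match.group(1), token)
        if value is None:
            unresolved = True
            return ""
        return value

    concrete = TEMPLATE_RE.sub(substitute, path_template)
    return None if unresolved else concrete


def path_matches(rule_path: str, request_path: str) -> bool:
    """Exact match, or prefix match when the rule ends with '*' (e.g. 'secret/data/x/*')."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return request_path == rule_path


Policy = List[Tuple[str, Set[str]]]


def is_allowed(policies: Dict[str, Policy], token: Token, request_path: str, capability: str) -> bool:
    """Simplified check: any attached rule that renders, matches and lists the capability grants access."""
    for policy_name in token.policies:
        for rule_path, capabilities in policies.get(policy_name, []):
            concrete = render(rule_path, token)
            if concrete is None:
                continue  # unrenderable rule: it can never grant anything
            if path_matches(concrete, request_path) and capability in capabilities:
                return True
    return False


ALL_CAPS = {"create", "read", "update", "delete", "list"}

# Constructed policies: the question's policy, plus the name-based variant the answer suggests.
POLICIES: Dict[str, Policy] = {
    "acl-caging-policy": [("secret/data/{{identity.entity.metadata.user}}", ALL_CAPS)],
    "acl-caging-by-name": [("secret/data/{{identity.entity.name}}/*", ALL_CAPS)],
}

# Constructed tokens for the three situations discussed on the page.
TOKEN_ONLY = Token(policies=["acl-caging-policy"], meta={"user": "oystr"})
TOKEN_WITH_ENTITY = Token(policies=["acl-caging-policy"],
                          entity=Entity("oystr", metadata={"user": "oystr"}))
TOKEN_BY_NAME = Token(policies=["acl-caging-by-name"], entity=Entity("oystr"))


if __name__ == "__main__":
    checks = [
        (TOKEN_ONLY, "secret/data/oystr", "create"),       # the question's 403
        (TOKEN_WITH_ENTITY, "secret/data/oystr", "create"),
        (TOKEN_WITH_ENTITY, "secret/data/alice", "read"),  # another user's secret
        (TOKEN_BY_NAME, "secret/data/oystr/db", "read"),
        (TOKEN_BY_NAME, "secret/data/oystr", "read"),      # bare path is not covered by '/*'
    ]
    for token, path, cap in checks:
        verdict = "allowed" if is_allowed(POLICIES, token, path, cap) else "denied"
        print(f"{cap:6} {path:24} -> {verdict}")
```

The two points worth taking from the run are that token metadata set at auth/token/create never feeds the template (the rule cannot render, so the request falls through to the default deny), and that a path with a trailing /* covers keys beneath the user's prefix but not the bare prefix itself, so pick the form that matches where each user's secrets actually live.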