Vault Policy

Policies are written in HCL or JSON syntax and describe which paths in Vault a human user or an application is allowed to access.[1]

Policy Management

Creating a policy

Command format

$ vault policy write policy-name policy-file.hcl

The following example creates a read-only policy

$ cat readonly_policy.hcl 
path "kv/*" {
capabilities = ["read"]
}

$ vault policy write readonly_policy readonly_policy.hcl

Updating a policy uses the same command as creating one, passing the name of the existing policy.

Listing policies

$ vault policy list
default
readonly_policy
root

Reading a policy's contents

$ vault policy read readonly_policy
path "kv/*" {
capabilities = ["read"]
}

Attaching policies

Attaching policies when creating a token

Use the following command to attach policies when creating a token; otherwise the new token is, by default, associated with the policies of the current identity (for example, the current token).

$ vault token create -policy=readonly_policy -policy=logs

Key Value
--- -----
token hvs.CAESICUghHrXAe3mFG9YEnEq8IXdtGPN-63VRRxqPOEzidpvGh4KHGh2cy5RMUhkbmU1M2FFdk52a3lFRTNiMmR6Um8
token_accessor iRixdShkSeHNTgS5JBLWW2Ta
token_duration 768h
token_renewable true
token_policies ["default" "logs" "readonly_policy"]
identity_policies []
policies ["default" "logs" "readonly_policy"]

When attaching policies, if a referenced policy does not exist, creating the token only emits a warning that the policy does not exist; token creation does not fail.

Log in with the newly created token and try to update the relevant key

$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key Value
--- -----
token hvs.CAESICUghHrXAe3mFG9YEnEq8IXdtGPN-63VRRxqPOEzidpvGh4KHGh2cy5RMUhkbmU1M2FFdk52a3lFRTNiMmR6Um8
token_accessor iRixdShkSeHNTgS5JBLWW2Ta
token_duration 767h55m32s
token_renewable true
token_policies ["default" "logs" "readonly_policy"]
identity_policies []
policies ["default" "logs" "readonly_policy"]

Reading the key: the value can only be read, not written

$ vault kv list
Not enough arguments (expected 1, got 0)
~/vault_policy $ vault kv list kv
Error listing kv: Error making API request.

URL: GET http://127.0.0.1:8200/v1/kv?list=true
Code: 403. Errors:

* 1 error occurred:
* permission denied


$ vault kv get kv/ms/fm/qzx/qzapp/api/config
===== Data =====
Key Value
--- -----
db_host 127.0.0.1
db_type mysql
db_user password
tk test key


$ vault kv put kv/ms/fm/qzx/qzapp/api/config key=value
Error writing data to kv/ms/fm/qzx/qzapp/api/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/kv/ms/fm/qzx/qzapp/api/config
Code: 403. Errors:

* 1 error occurred:
* permission denied
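The three outcomes above (get allowed, list and put denied) follow directly from the capabilities granted on "kv/*". The checker below reproduces them and shows the effect of adding "list"; it is an added example, not part of the original page or of Vault's own code, and it models a simplified subset of Vault's ACL rules (trailing-`*` prefix globs, union of matching capabilities, explicit `deny`), not the real implementation's path normalisation or most-specific-match selection.

```python
import re
from typing import Dict, List

# Subset of the policy grammar used on this page:
#   path "<pattern>" { capabilities = ["cap", ...] }
_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path_pattern: [capabilities]} for every path block in the HCL text."""
    rules: Dict[str, List[str]] = {}
    for pattern, caps in _BLOCK.findall(hcl):
        rules[pattern] = re.findall(r'"([^"]+)"', caps)
    return rules


def _matches(pattern: str, path: str) -> bool:
    # A trailing "*" is a prefix glob (so "kv/*" covers everything under "kv/");
    # any other pattern must match the request path exactly. (Simplified model.)
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def is_allowed(policies: List[Dict[str, List[str]]], capability: str, path: str) -> bool:
    """Union the capabilities of every matching rule; an explicit deny wins."""
    granted = set()
    for rules in policies:
        for pattern, caps in rules.items():
            if _matches(pattern, path):
                if "deny" in caps:
                    return False
                granted.update(caps)
    return capability in granted


# The policy written on this page, and a corrected variant that also allows listing.
READONLY = parse_policy('path "kv/*" {\n  capabilities = ["read"]\n}\n')
READ_AND_LIST = parse_policy('path "kv/*" {\n  capabilities = ["read", "list"]\n}\n')
SECRET = "kv/ms/fm/qzx/qzapp/api/config"  # the key read on this page


def demo() -> Dict[str, bool]:
    return {
        "get": is_allowed([READONLY], "read", SECRET),        # vault kv get  -> allowed
        "list": is_allowed([READONLY], "list", "kv/"),        # vault kv list -> denied
        "put": is_allowed([READONLY], "update", SECRET),      # vault kv put  -> denied
        "list_fixed": is_allowed([READ_AND_LIST], "list", "kv/"),
    }


if __name__ == "__main__":
    print(demo())
```

The token's effective capabilities are the union across every attached policy, so adding a second policy that grants "list" on "kv/*" has the same effect as editing readonly_policy.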

References

Vault 中文参考 (Vault Chinese reference)

Footnotes