开源KMS之vault part2
原创开源KMS之vault part2
原创
保持热爱奔赴山海
发布于 2024-06-02 21:15:27
发布于 2024-06-02 21:15:27
解封 Vault
此时查看vault的状态如下
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true --- 此时 Vault 处于封印状态(Sealed 为 true)
Total Shares 5
Threshold 3
Unseal Progress 0/3
Unseal Nonce n/a
Version 1.15.4
Build Date 2023-12-04T17:45:28Z
Storage Type consul
HA Enabled true使用需要 vault operator unseal 命令来执行解封。至少需要 3 个秘钥来解封。
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce a6e0067c-1989-4c97-c22c-857e562f464d
Version 1.15.4
Build Date 2023-12-04T17:45:28Z
Storage Type consul
HA Enabled true
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce a6e0067c-1989-4c97-c22c-857e562f464d
Version 1.15.4
Build Date 2023-12-04T17:45:28Z
Storage Type consul
HA Enabled true
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.15.4
Build Date 2023-12-04T17:45:28Z
Storage Type consul
Cluster Name vault-cluster-9e7e5644
Cluster ID 5713b05b-c027-febb-9355-8b5c569959c3
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address <none>再次查看解封状态
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false --- 此时 Vault 处于解封状态(Sealed 为 false)
Total Shares 5
Threshold 3
Version 1.15.4
Build Date 2023-12-04T17:45:28Z
Storage Type consul
Cluster Name vault-cluster-9e7e5644
Cluster ID 5713b05b-c027-febb-9355-8b5c569959c3
HA Enabled true
HA Cluster https://192.168.31.181:8201
HA Mode active
Active Since 2024-05-31T13:37:19.968734049Z然后,可以开始写入测试数据
vault login # 输入上面步骤时候生成的token: hvs.HkpvksdC9ouTa7ZifpHViK4M
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.HkpvksdC9ouTa7ZifpHViK4M
token_accessor H9MTXpKJZiepQBr03KPNLHEh
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
封印vault
https://developer.hashicorp.com/vault/docs/commands/operator/seal
该操作会将内存中的 Master Key 抛弃,然后必须再执行一次解封操作才能恢复它。封印操作只需要使用 Root 特权进行一次操作即可完成。
这样的话,如果检测到入侵的迹象,可以用最快的速度锁定 Vault 保存的机密来减少损失。如果没有办法恢复 Master Key 是无法访问 Vault 中的数据的。
执行下面命令即可完成vault的封印:
vault operator seal启用身份验证
说明:userpass 身份验证方法允许用户使用一组用户名密码登录 Vault。这组用户名密码直接通过 users/ 路径配置进该验证方法。本方法无法从外部数据源读取用户名密码,另外用户名不区分大小写。
启用:vault auth enable userpass
禁用:vault auth disable userpass创建一个账号,密码为secret
vault write auth/userpass/users/sethvargo password=secretvault web ui 看到如下:
TIPS:补充下,在创建账号的时候,也支持定义策略,例如这种写法:
vault write auth/userpass/users/sethvargo password=secret policies= secert2-readonly
# 请先确保policy已经创建好了vault web ui 看到如下:
使用上面的账号和密码登录
$ vault login -method=userpass username=sethvargo password=secret # 这种在命令行直接输入密码,会暴露密码
或者 vault login -method=userpass username=sethvargo 输入密码
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIHl30Q30Fa4qgFItwcWQqQU-qkwyST9WSTse0QpCSSeiGh4KHGh2cy5Rd3JFN2FoYk5XVDlVc0x1bDFTaGZnZ2c
token_accessor qCQQYPIbPN7A4DJ3GQJgVHK7
token_duration 768h
token_renewable true
token_policies ["default"]
identity_policies []
policies ["default"]
token_meta_username sethvargo列出已启用的身份验证方法(更详细的可以使用vault auth list -detailed命令查看)
$ vault auth list
Path Type Accessor Description Version
---- ---- -------- ----------- -------
token/ token auth_token_309a1e05 token based credentials n/a
userpass/ userpass auth_userpass_2c5d8cbb n/a n/atune命令, 调整指定路径上的身份验证方法的配置选项
$ vault read sys/auth/userpass/tune
Key Value
--- -----
default_lease_ttl 768h
description n/a
force_no_cache false
max_lease_ttl 768h
token_type default-service
# 调整下ttl时长
$ vault auth tune -default-lease-ttl=900h userpass
Success! Tuned the auth method at: userpass/
$ vault auth tune -max-lease-ttl=900h userpass
Success! Tuned the auth method at: userpass/
$ vault read sys/auth/userpass/tune
Key Value
--- -----
default_lease_ttl 900h
description n/a
force_no_cache false
max_lease_ttl 900h
token_type default-serviceTIPS: 对于token,也可以使用tune调整,操作方法如下:
$ vault read sys/auth/token/tune # 可以看到默认值是768h
Key Value
--- -----
default_lease_ttl 768h
description token based credentials
force_no_cache false
max_lease_ttl 768h
token_type default-service
# 调整token的ttl为1200h
$ vault auth tune -max-lease-ttl=1200h -default-lease-ttl=1200h token
Success! Tuned the auth method at: token/
# tune后,再创建一个token
$ vault token create
# 查看新的token的ttl时间,可以看到已经生效了(需要注意的是之前创建的token的ttl的时间还是保持之前的768h)
$ vault token lookup hvs.CAESINxMTgrMkGe9NWCIGE2qS3S3tSm5AnPceRaDWMU1QkhdGh4KHGh2cy5XYWNSeWwySkp5UmdaQTVWc0diOHhrazg
Key Value
--- -----
accessor AUPpIgvYN70UHKprVZBOeCtq
creation_time 1717332466
creation_ttl 1200h
display_name token
entity_id n/a
expire_time 2024-07-22T20:47:46.24519052+08:00
explicit_max_ttl 0s
id hvs.CAESINxMTgrMkGe9NWCIGE2qS3S3tSm5AnPceRaDWMU1QkhdGh4KHGh2cy5XYWNSeWwySkp5UmdaQTVWc0diOHhrazg
issue_time 2024-06-02T20:47:46.245198236+08:00
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [db_read_policy default]
renewable true
ttl 1199h59m53s
type servicedelete 命令从 Vault 中删除指定路径上的机密和配置。删除操作的具体实现是委托给具体路径上挂载的后端实现的。
vault write sys/auth/my-auth type=userpass
vault auth list
vault read sys/auth/my-auth
vault delete sys/auth/my-auth原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读