Hashicorp Vault - curl fails with permission denied, cannot delete secret - created a policy with the delete capability and a token using that policy

mi7gmzs6  posted on 2023-08-06  in  Other

vault --version: Vault v1.9.2

I created a policy file with a few capabilities, specifically *delete*:

# cat ~/.my_policy.hcl 
path "secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}

Created a new policy from this file, and I can now see the policy in the list operation:

# vault policy write my-policy ~/.my_policy.hcl 
Success! Uploaded policy: my-policy

# vault policy list
default
my-policy
root

# vault policy read my-policy
path "secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}


Created a new token using the above policy (so I can use it in the curl -X DELETE operation):

# vault token create -policy=my-policy; # using -no-default-policy didn't help with curl output
Key                  Value
---                  -----
token                s.27T3cNB4PrHll9byc6tppHw9
token_accessor       C6mu2crjudeHVy5jijcFkF4K
token_duration       768h
token_renewable      true
token_policies       ["default" "my-policy"]
identity_policies    []
policies             ["default" "my-policy"]


However, when I look up the token's capabilities at the folder path defined in the policy file, it shows a different policy, root, and shows deny:

# vault token lookup s.27T3cNB4PrHll9byc6tppHw9
Key                 Value
---                 -----
accessor            C6mu2crjudeHVy5jijcFkF4K
creation_time       1678469133
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2023-04-11T17:25:33.405537533Z
explicit_max_ttl    0s
id                  s.27T3cNB4PrHll9byc6tppHw9
issue_time          2023-03-10T17:25:33.405548806Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default my-policy]
renewable           true
ttl                 767h48m50s
type                service

# These should have shown my-policy rather than root
# This should have shown all policies having some capability at this path
# ----

# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9
root
# vault token capabilities secrets/*
root
# vault token capabilities secrets
root

# This should not give me deny when this token has the necessary policy 'my-policy' with 'delete' capability
# ----
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets/*
deny
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets
deny

Error messages:

# curl -k -s -X GET -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}

# curl -k -s -X DELETE -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}


When querying vault directly from the command line and looking at the secret secret/testA1/test, it spits out (**PS:** the Vault API call needs /data/ in the secret path):

{
  "ttl": "90d",
  "username": "test",
  "value": "KneelB4Me!YaRight"
}


Setup: the following were set before running these commands; they did not help.

VAULT_ADDR=https://vaultserver:8200
VAULT_NAMESPACE=admin


When the token is created with -no-default-token, the token capabilities at secret/* show valid capabilities (instead of deny), but the curl command still fails.

o0lyfsai  1#

Solution: you must pass the header -H "X-Vault-Request: true"; otherwise, even with the "delete" capability in the policy attached to a token with the correct policy plus capabilities, we still get a permission denied error during the curl call.

Note: passing a Vault namespace did not help, because this is the Vault OSS version, not the paid version. Namespaces currently do not work in OSS.

Gotchas

1. If the secret path is secret/testA1/test, then:
   1. its API path in Vault automatically becomes secret/data/testA1/test
   2. its metadata path in Vault automatically becomes secret/metadata/testA1/test

Created a wrapper shell script that takes the secret (path) from the command line as secret/testA1/test:

deleteSecret() {
  # Expects the caller to have set: secret_path (API path, e.g. secret/data/testA1/test),
  # main_secret_path (the path as given on the command line), token, and VAULT_ADDR.
  local metadata_secret_path=${secret_path/secret\/data/secret\/metadata}

  # NOTE: Both metadata_secret_path and secret_path will work; metadata is preferred as it deletes all versions
  # ----: Header "X-Vault-Request: true" is important for delete to work, or a user will get permission denied,
  #       even with a valid 'delete' capability in the vault-repl policy for the secret/* path

  local result
  result=$(curl -k -s -X DELETE -H "X-Vault-Request: true" -H "X-Vault-Token: $token" "$VAULT_ADDR/v1/${metadata_secret_path}")

  if [[ $result =~ "permission denied" ]] || [[ $result =~ "errors" ]]; then
    echo "$result"
    exit 2
  fi

  echo -e "\n-- Secret deleted (including metadata): ${main_secret_path} i.e. API path: ${secret_path} or its metadata path: ${metadata_secret_path}\n"
}

where the following is exported from the command line or from the wrapper script:

export VAULT_ADDR=https://vaultserver:8200


and the token is generated with the following (inside the wrapper's login function; cert and key hold the client certificate and key paths):

local result
result=$(curl -k -s --cert "$cert" --key "$key" -X PUT "$VAULT_ADDR/v1/auth/cert/login")

if [[ $result =~ "client_token" ]]; then
  token=$(echo "$result" | jq -r '.auth.client_token')
fi
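As an added example (not code from the question or the answer above), the following POSIX shell script turns the two gotchas in this answer and the capability checks in the question into functions you can run locally: the KV v2 mapping from a logical path such as secret/testA1/test to its data, metadata, delete, undelete and destroy API paths, and a check of whether a request path falls under a policy rule written as path "secret/*" (a trailing * in a Vault policy path matches any suffix; the check models only that one glob rule, not Vault's full ACL evaluation with longest-prefix selection and deny overriding allow). The delete function sends the same X-Vault-Request and X-Vault-Token headers as the wrapper script. It assumes a KV v2 engine mounted at secret and VAULT_ADDR and VAULT_TOKEN in the environment; vaultserver and testA1/test are the host and secret from this page, POLICY_PATH is this example's own optional variable, and VAULT_CACERT reuses the Vault CLI's variable name to select a CA bundle instead of the page's curl -k.

```shell
#!/bin/sh
# Added example, not code from the original post: KV v2 path mapping and a
# local policy-glob check for the setup discussed above. Assumes a KV v2
# engine mounted at "secret" and the policy rule `path "secret/*"`.

# kv2_api_path KIND LOGICAL_PATH
# Maps a logical KV v2 path (secret/testA1/test) to the API path Vault
# authorizes against: secret/KIND/testA1/test, with KIND one of data,
# metadata, delete, undelete or destroy. A path that already carries one of
# those segments after the mount is normalized first (the wrapper script above
# does the same data -> metadata substitution).
kv2_api_path() {
  kind=$1
  logical=$2
  mount=${logical%%/*}   # everything before the first "/" -> "secret"
  rest=${logical#*/}     # everything after it -> "testA1/test"
  if [ "$mount" = "$logical" ] || [ -z "$rest" ]; then
    echo "kv2_api_path: '$logical' has no path below the mount" >&2
    return 1
  fi
  case "$rest" in
    data/*|metadata/*|delete/*|undelete/*|destroy/*) rest=${rest#*/} ;;
  esac
  printf '%s/%s/%s\n' "$mount" "$kind" "$rest"
}

# policy_allows POLICY_GLOB REQUEST_PATH
# A policy path ending in "*" covers every request path with that prefix, so
# `secret/*` covers secret/data/testA1/test and secret/metadata/testA1/test
# but not a path under a different (or mistyped) mount name, and not the bare
# mount "secret" itself. Only this one glob rule is modelled; Vault's full ACL
# evaluation (longest-prefix selection, deny overriding allow, per-path
# capability sets) is not reproduced here.
policy_allows() {
  case "$2" in
    $1) return 0 ;;
    *)  return 1 ;;
  esac
}

# vault_kv2_delete LOGICAL_PATH
# Deletes a KV v2 secret's metadata (and with it every version) over the HTTP
# API, sending the same two headers the wrapper script above relies on.
# Requires VAULT_ADDR and VAULT_TOKEN. VAULT_CACERT (the variable the Vault
# CLI honours) selects a CA bundle; without it this falls back to the page's
# `curl -k`, which skips TLS verification. POLICY_PATH is this example's own
# optional variable (default: the policy path from the question).
vault_kv2_delete() {
  : "${VAULT_ADDR:?VAULT_ADDR must be set}" "${VAULT_TOKEN:?VAULT_TOKEN must be set}"
  target=$(kv2_api_path metadata "$1") || return 1
  if ! policy_allows "${POLICY_PATH:-secret/*}" "$target"; then
    echo "refusing: $target is outside policy path ${POLICY_PATH:-secret/*}" >&2
    return 1
  fi
  if [ -n "${VAULT_CACERT:-}" ]; then tls="--cacert $VAULT_CACERT"; else tls="-k"; fi
  # A successful metadata delete answers 204 with an empty body; errors come
  # back as {"errors":[...]} exactly like the permission-denied output above.
  response=$(curl -s $tls -X DELETE \
      -H "X-Vault-Request: true" \
      -H "X-Vault-Token: $VAULT_TOKEN" \
      "$VAULT_ADDR/v1/$target")
  case "$response" in
    *'"errors"'*) echo "delete failed for $target: $response" >&2; return 2 ;;
  esac
  echo "deleted $target (all versions and metadata)"
}

# Usage: VAULT_ADDR=https://vaultserver:8200 VAULT_TOKEN=... sh delete_kv2.sh secret/testA1/test
if [ $# -gt 0 ]; then
  vault_kv2_delete "$1"
fi
```

The local policy_allows check runs before any request is sent, so a request path that the policy cannot cover (a different mount name, or the bare mount with no path beneath it) fails fast with a clear message instead of surfacing as the generic {"errors":["permission denied"]} shown in the question. Keep in mind that passing the check only means the path matches the rule's glob; whether the token's policies actually grant delete there is still decided by Vault.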
