vault --版本:Vault v1.9.2
我创建了一个策略文件,但功能很少,特别是 *delete *:
# cat ~/.my_policy.hcl
path "secret/*" {
capabilities = ["create", "read", "update", "list", "delete"]
}
字符串
使用此文件创建了新策略,现在我可以在list操作中看到策略:
# vault policy write my-policy ~/.my_policy.hcl
Success! Uploaded policy: my-policy
# vault policy list
default
my-policy
root
# vault policy read my-policy
path "secret/*" {
capabilities = ["create", "read", "update", "list", "delete"]
}
型
使用上述策略创建了一个新令牌(因此我可以在CURL-X DELETE操作中使用它):
# vault token create -policy=my-policy; # using -no-default-policy didn't help with curl output
Key Value
--- -----
token s.27T3cNB4PrHll9byc6tppHw9
token_accessor C6mu2crjudeHVy5jijcFkF4K
token_duration 768h
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]
型
但是,当我查看策略文件中定义的文件夹路径处的令牌的功能时,它显示了不同的策略root并显示deny
# vault token lookup s.27T3cNB4PrHll9byc6tppHw9
Key Value
--- -----
accessor C6mu2crjudeHVy5jijcFkF4K
creation_time 1678469133
creation_ttl 768h
display_name token
entity_id n/a
expire_time 2023-04-11T17:25:33.405537533Z
explicit_max_ttl 0s
id s.27T3cNB4PrHll9byc6tppHw9
issue_time 2023-03-10T17:25:33.405548806Z
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [default my-policy]
renewable true
ttl 767h48m50s
type service
# These should have shown my-policy than root
# This should have shown all policies having some capability at this path
# ----
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9
root
# vault token capabilities secrets/*
root
# vault token capabilities secrets
root
# This should not give me deny when this token has the necessary policy 'my-policy' with 'delete' capability
# ----
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets/*
deny
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets
deny
型
错误信息:
# curl -k -s -X GET -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}
# curl -k -s -X DELETE -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}
型
直接用cmd行查询vault时,看到secret/testA 1/testsecret时会吐出(**PS:**vault API调用需要/把 /data/ 放在secret路径中):
{
"ttl": "90d",
"username": "test",
"value": "KneelB4Me!YaRight"
}
型
设置:在这些命令之前的以下命令无效。
VAULT_ADDR=https://vaultserver:8200
VAULT_NAMESPACE=admin
型
当使用-no-default-token创建token时,secret/* 处的token capabilities显示有效能力(而不是deny),curl命令仍然失败。
1条答案
按热度按时间o0lyfsai1#
解决方案:必须传递header-H“X-Vault-Request:true”,否则,即使策略中有“删除”功能,附加到具有正确策略加功能的令牌,我们仍然会在CURL调用期间收到权限拒绝错误。
注意:传递Vault命名空间没有帮助,因为它的Vault OSS版本不是付费版本。命名空间目前在OSS中不起作用。
Gotchas
1.如果秘密路径为:secret/testA 1/test则,
1.它在Vault中API路径将自动变为secret/data/testA 1/test,
1.其在Vault中元数据路径将自动变为secret/metadata/testA 1/test
创建了一个 Package 器shell脚本,从命令行传递secret(path)作为 secret/testA 1/test
字符串
其中以下内容是从cmd行或 Package 器脚本中导出的。
型
并且使用以下各项生成令牌:
型