Hashicorp Vault permission with no response

Question


I have created a kv (version 2) secrets engine, mounted on /secret:

/ $  vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
secret/       kv           kv_dba4200e           n/a

I have created a policy that should give admin access to everything in dev/team-1:

/ $ vault policy read dev
path "secret/data/dev/team-1/*" {
  capabilities = ["create", "update", "read","list"]
}

path "secret/metadata/dev/team-1/*" {
  capabilities = ["list","read"]
}

I have created a secret:

/ $ vault kv get secret/dev/team-1
===== Secret Path =====
secret/data/dev/team-1

======= Metadata =======
Key                Value
---                -----
created_time       2023-05-13T00:09:15.416686671Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

=== Data ===
Key    Value
---    -----
key    teste

and also I have created a user that has been assigned the given policy:

/ $  vault token lookup
Key                 Value
---                 -----
accessor            UYB46guPahXROwvvFpRJ3in7
creation_time       1683931479
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2023-06-13T22:44:39.062580257Z
explicit_max_ttl    0s
id                  hvs.CAESIDoYx7LfFWXh9p3KJ_CqyDQSQgQvPONeXpU4jcek-bt5Gh4KHGh2cy4zTjZUbGRKeUY3MkpweW52aDVWV0RvS3A
issue_time          2023-05-12T22:44:39.062596882Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default dev]
renewable           true
ttl                 766h11m17s
type                service

However, when I try to access anything with this new user attached to the dev policy (list, get), I get this:

/ $ vault kv list secret/dev/team-1
No value found at secret/metadata/dev/team-1

/ $ vault kv get secret/dev/team-1/key
No value found at secret/data/dev/team-1/key

I would really appreciate it if anyone could help with any guidance. I have spent a couple of days trying to figure out what I'm doing wrong.

Answer 1

Score: 1

Your KVv2 engine secret is located at path secret/dev/team-1, but the policy grants permissions to secrets at a nested path. The permissions need to be for the desired path, and not a nested path:

path "secret/data/dev/team-1" {
  capabilities = ["create", "update", "read","list"]
}

path "secret/metadata/dev/team-1" {
  capabilities = ["list","read"]
}

Also note this policy would not really grant admin access as it is missing other permissions such as sudo, but the only one really necessary here would be read.

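To make the answer's point concrete, here is an added illustration (not Vault's own code and not part of the original thread): a small Python model of how a `vault kv` CLI path is mapped to the KV v2 API path (`<mount>/data/...` for get, `<mount>/metadata/...` for list, exactly the paths shown in the asker's error messages) and how Vault-style policy rules are matched against it. The matching rules are a simplified version of Vault's documented ACL semantics (exact path beats a wildcard rule, a trailing `*` is a prefix glob on everything before it, `+` matches one path segment, everything is denied by default); the `parse_policy` helper only understands the flat `path "..." { capabilities = [...] }` blocks on this page, not general HCL. Both policy texts are copied from the page; the function names are ours.

```python
import re

# Policy texts taken from this page: the asker's original rules and the
# corrected rules from the answer. Wrapping them in Python strings is ours.
ORIGINAL_POLICY = '''
path "secret/data/dev/team-1/*" {
  capabilities = ["create", "update", "read","list"]
}

path "secret/metadata/dev/team-1/*" {
  capabilities = ["list","read"]
}
'''

FIXED_POLICY = '''
path "secret/data/dev/team-1" {
  capabilities = ["create", "update", "read","list"]
}

path "secret/metadata/dev/team-1" {
  capabilities = ["list","read"]
}
'''

# Minimal parser for the flat 'path "<p>" { capabilities = [...] }' blocks used
# on this page; it is deliberately not a general HCL parser.
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> dict:
    """Return {policy_path: [capabilities]} for every path block in the text."""
    rules = {}
    for path, caps in _RULE_RE.findall(hcl):
        rules[path] = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
    return rules


def kv2_api_path(mount: str, cli_path: str, op: str) -> str:
    """Translate a 'vault kv' CLI path into the API path a policy is evaluated on.
    KV v2 reads go through <mount>/data/<path>; 'kv list' goes through
    <mount>/metadata/<path> (both appear in the page's error messages)."""
    segment = "metadata" if op == "list" else "data"
    return f"{mount}/{segment}/{cli_path}"


def _rule_matches(rule: str, request_path: str) -> bool:
    """Simplified Vault matching: a trailing '*' is a prefix glob on everything
    before it (so 'a/b/*' covers 'a/b/c' but not 'a/b'), and a '+' segment
    matches exactly one path segment."""
    body = rule[:-1] if rule.endswith("*") else rule
    pattern = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    if rule.endswith("*"):
        pattern += ".*"
    return re.fullmatch(pattern, request_path) is not None


def capabilities_for(rules: dict, request_path: str) -> set:
    """Exact rule wins; otherwise the longest matching wildcard rule; else nothing."""
    if request_path in rules:
        return set(rules[request_path])
    best = None
    for rule, caps in rules.items():
        if ("*" in rule or "+" in rule) and _rule_matches(rule, request_path):
            if best is None or len(rule) > len(best[0]):
                best = (rule, caps)
    return set(best[1]) if best else set()


def is_allowed(rules: dict, request_path: str, capability: str) -> bool:
    """Default deny; an explicit 'deny' capability overrides any grant."""
    caps = capabilities_for(rules, request_path)
    return "deny" not in caps and capability in caps


def kv_allowed(policy_hcl: str, op: str, cli_path: str, mount: str = "secret") -> bool:
    """Would 'vault kv <op> <mount>/<cli_path>' pass the policy? (op: get or list)"""
    capability = {"get": "read", "list": "list"}[op]
    return is_allowed(parse_policy(policy_hcl), kv2_api_path(mount, cli_path, op), capability)


if __name__ == "__main__":
    # Replays the asker's two commands against both policies. With the original
    # policy the secret's own path is outside the glob, so both are denied; with
    # the answer's policy both are allowed.
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for op, path in (("get", "dev/team-1"), ("list", "dev/team-1"), ("get", "dev/team-1/key")):
            verdict = "allowed" if kv_allowed(policy, op, path) else "denied"
            print(f"{name:8} vault kv {op:4} secret/{path:16} -> {verdict}")
```

Running the script shows the asymmetry the answer describes: under the original policy `secret/data/dev/team-1/key` is matched by the glob while `secret/data/dev/team-1` (where the secret actually lives) is not, so the fix is to grant the capabilities on the exact path the CLI command resolves to.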

huangapple
  • Published on 2023-05-13 08:43:17
  • When reproducing, please keep this link: https://go.coder-hub.com/76240620.html