Vault Admin Policy 不允许创建新策略

【问题标题】:Vault Admin Policy not allowed to create new policiesVault Admin Policy 不允许创建新策略
【发布时间】:2020-05-18 07:45:45
【问题描述】:

我正在尝试遵循标准模式:root - admin - Hashicorp Vault 的用户。

基本上:root 创建一个管理策略。然后我的管理员需要能够为新用户创建有限的策略。

但是,即使拥有对 /sys 的所有访问权限,我的管理员也获得了创建新策略的权限被拒绝。

这是我的管理政策:

path "pki/issue/admin" { capabilities = ["create", "update"]}
path "pki/roles/" {capabilities = ["create", "update"]}
path "pki/issue/" {capabilities = ["create", "update"]}
path "auth/token/*" {capabilities = ["create", "read", "update", "delete"]}
path "auth/token/lookup-self" {capabilities = ["read"]}
path "auth/token/renew-self" {capabilities = ["update"]}
path "auth/token/revoke-self" {capabilities = ["update"]}
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "sys/policy" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}


$ curl -H 'Authorization: Bearer admintoken' http://127.0.0.1:8200/v1/auth/token/lookup-self | jq .data.policies
[
  "admin"
]

$ curl -H 'Authorization: Bearer adminsecret' http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path \"auth/token/lookup-self\" { capabilities = [\"read\"]}"}'
{"errors":["permission denied"]}

我在这里遗漏了一些重要的东西吗?我宁愿避免将我的根令牌传播到我的后端服务器,只是为了为新用户创建基本策略。

【问题讨论】:

    标签: hashicorp-vault


    【解决方案1】:

    您使用的是什么版本的保管库?

    我已经尝试过这个简单的策略,它似乎有效:

    $ vault policy read pol
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

    curl -H "Authorization: Bearer $(vault token create -field token -policy pol)" http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path \"auth/token/lookup-self\" { capabilities = [\"read\"]}"}' -vvv
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> POST /v1/sys/policy/agent01 HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: Bearer s.FJ7MVrAZMcUAh1xmYWEWfxyZ
> Content-Length: 90
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 90 out of 90 bytes
< HTTP/1.1 204 No Content
< Cache-Control: no-store
< Content-Type: application/json
< Date: Sun, 02 Feb 2020 12:02:19 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0

    $ vault policy list
agent01
agent0111
default
pol
root

    $ vault version
Vault v1.3.0

    【讨论】:

    • 谢谢,有时问题出在椅子和键盘之间……我使用了错误的令牌。
    猜你喜欢
    • 2019-10-30
    • 2021-10-19
    • 1970-01-01
    • 2019-09-07
    • 2022-12-21
    • 2022-07-07
    • 2021-12-18
    • 2020-10-02
    • 2020-08-11
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode