Vault admin policy is not allowed to create new policies

I am trying to follow the standard root - admin - user pattern for Hashicorp Vault.

Basically: root creates an admin policy. Then my admin needs to be able to create limited policies for new users.

However, even with full access to /sys, my admin is denied when creating a new policy.

Here is my admin policy:

```hcl
path "pki/issue/admin" { capabilities = ["create", "update"] }
# No trailing "*": the next two rules match only the literal paths "pki/roles/" and "pki/issue/".
path "pki/roles/" { capabilities = ["create", "update"] }
path "pki/issue/" { capabilities = ["create", "update"] }
path "auth/token/*" { capabilities = ["create", "read", "update", "delete"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/renew-self" { capabilities = ["update"] }
path "auth/token/revoke-self" { capabilities = ["update"] }
# Second rule for the same path; Vault unions the capabilities of duplicate path rules.
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "sys/policy" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
```

```console
$ curl -H 'Authorization: Bearer admintoken' http://127.0.0.1:8200/v1/auth/token/lookup-self | jq .data.policies
[
  "admin"
]
$ curl -H 'Authorization: Bearer adminsecret' http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path "auth/token/lookup-self" { capabilities = ["read"]}"}'
{"errors":["permission denied"]}
```

Am I missing something important here? I would rather avoid propagating the root token to backend servers just to create basic policies for new users.

What version of Vault are you using?

I have tried this simple policy and it seems to work:

```console
$ vault policy read pol
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
$ curl -H "Authorization: Bearer $(vault token create -field token -policy pol)" http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path "auth/token/lookup-self" { capabilities = ["read"]}"}' -vvv
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> POST /v1/sys/policy/agent01 HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: Bearer s.FJ7MVrAZMcUAh1xmYWEWfxyZ
> Content-Length: 90
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 90 out of 90 bytes
< HTTP/1.1 204 No Content
< Cache-Control: no-store
< Content-Type: application/json
< Date: Sun, 02 Feb 2020 12:02:19 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
$ vault policy list
agent01
agent0111
default
pol
root
$ vault version
Vault v1.3.0
```
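The disagreement between the two posts comes down to which rule Vault applies to a request path and what a set of `path` blocks actually grants. The following is an added example written for this page, not Vault's own code and not from either poster: a small Python evaluator that mimics the matching order Vault documents (an exact-path rule wins, otherwise the longest matching glob prefix, `deny` overrides everything, and rules for the same path are unioned) and runs the rules from the admin policy in the question, plus a constructed second policy, through it. The `ACL`/`parse_policy` names, the `GUARD_POLICY` and the request paths are assumptions made for the example; it deliberately ignores the `+` segment wildcard, parameter constraints, policy templating and the list of sudo-protected paths.

```python
"""Offline evaluator for Vault ACL path rules (added example, not Vault's code).

Matching order as Vault documents it: an exact-path rule wins, otherwise the
longest matching glob prefix (rule ending in "*"); "deny" beats everything;
rules for the same path are unioned across policies. Deliberately ignored:
the "+" segment wildcard, parameter constraints, templating, sudo-only paths.
"""
import re
from typing import Dict, Iterable, Set

CAPABILITIES = {"create", "read", "update", "delete", "list", "sudo", "deny"}

# One `path "..." { capabilities = [...] }` block, whatever the whitespace.
_RULE_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)


def _merge(rules: Dict[str, Set[str]], path: str, caps: Set[str]) -> None:
    """Union capabilities for a path; an explicit deny on either side wins."""
    existing = rules.setdefault(path, set())
    if "deny" in existing or "deny" in caps:
        existing.clear()
        existing.add("deny")
    else:
        existing |= caps


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path: capabilities} for every rule block in one HCL policy."""
    rules: Dict[str, Set[str]] = {}
    for m in _RULE_RE.finditer(hcl):
        caps = {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()}
        if caps - CAPABILITIES:
            raise ValueError(f"{m.group('path')}: unknown capabilities {caps - CAPABILITIES}")
        _merge(rules, m.group("path"), caps)
    return rules


class ACL:
    """Merged rule set a token holding all of `policies` is checked against."""

    def __init__(self, policies: Iterable[str]) -> None:
        self.exact: Dict[str, Set[str]] = {}  # literal paths
        self.glob: Dict[str, Set[str]] = {}   # prefixes from rules ending in "*"
        for doc in policies:
            for path, caps in parse_policy(doc).items():
                if path.endswith("*"):
                    _merge(self.glob, path[:-1], caps)
                else:
                    _merge(self.exact, path, caps)

    def capabilities(self, path: str) -> Set[str]:
        """Capabilities of the one rule Vault would apply to `path`."""
        if path in self.exact:
            return self.exact[path]
        prefixes = [p for p in self.glob if path.startswith(p)]
        return self.glob[max(prefixes, key=len)] if prefixes else set()  # none: deny

    def allows(self, op: str, path: str) -> bool:
        caps = self.capabilities(path)
        return "deny" not in caps and op in caps


# Rules copied from the admin policy in the question (duplicate auth/token/* kept on purpose).
ADMIN_POLICY = """
path "pki/roles/" { capabilities = ["create", "update"] }
path "auth/token/*" { capabilities = ["create", "read", "update", "delete"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policy" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/policy/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
"""

# Constructed second policy for the same token: the admin may not edit its own policy.
GUARD_POLICY = """
path "sys/policy/admin" { capabilities = ["deny"] }
"""


def demo() -> Dict[str, bool]:
    """What a token holding ADMIN_POLICY and GUARD_POLICY may do."""
    acl = ACL([ADMIN_POLICY, GUARD_POLICY])
    checks = [
        ("create", "sys/policy/agent01"),      # glob sys/policy/* grants it
        ("update", "sys/policy/admin"),        # exact deny from GUARD_POLICY wins
        ("update", "auth/token/lookup-self"),  # exact read-only rule beats the glob
        ("list", "auth/token/accessors"),      # "list" came from the second auth/token/* rule
        ("update", "pki/roles/agent01"),       # "pki/roles/" has no "*": nothing matches
    ]
    return {f"{op} {path}": acl.allows(op, path) for op, path in checks}


if __name__ == "__main__":
    for check, ok in demo().items():
        print("allowed" if ok else "denied ", check)
```

Against a live server the equivalent check is `vault token capabilities <token> sys/policy/agent01`, which prints the capabilities that token really has on that path and is the quickest way to tell a policy problem from the wrong token being sent. One caveat on the root - admin - user split itself: a token that can write arbitrary policies under `sys/policy/*` and holds `sudo` on `auth/token/*` can rewrite its own policy or mint a token with any policy it has written, so without a `deny` such as the one above (and tighter token-creation rules) the admin tier is an operational convenience, not a security boundary against the admin.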
