Overview
Before diving into Vault, let's look at the problem it tries to solve: secrets management.
Most applications need to store some secrets, such as database credentials and API keys for third-party vendors. We used to keep these in configuration files, but that is not safe: anyone with access to the server can view and use them at any time, which is a major security risk.
And as a project grows and its complexity rises, with distributed systems and microservices becoming common, sensitive data ends up spread across many machines and constantly moving between servers, which greatly increases the exposure.
What is needed is a unified secrets management service, and this is the background against which Vault was born.
Usage
Installation
Download the software: https://www.vaultproject.io/downloads
Unpacking yields a single executable; the same binary serves as both the server and the client.
Startup
Vault uses HCL configuration files. Create config.hcl with the following content:
# Enable the web UI at http://127.0.0.1:8200/ui; remove this if you do not need it
ui = true
# Use file storage
storage "file" {
path = "data"
}
# TLS is disabled here; configure a certificate in production
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
For more configuration options see: https://www.vaultproject.io/docs/configuration
Start the server
$ vault server -config=config.hcl
==> Vault server configuration:
Cgo: disabled
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: file
Version: Vault v1.4.2
==> Vault server started! Log data will stream in below:
If the following message appears:
Error initializing core: Failed to lock memory: cannot allocate memory
This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.
As the message suggests, set disable_mlock to true. For production, a system that supports mlock is recommended.
Initialization
Vault must be initialized the first time it is used; later startups do not need this step.
$ vault operator init
Unseal Key 1: 9t43suWPep3s7z1vOS0RmowPm22Iu2NQg7WilKdrCm6c
Unseal Key 2: R9uaDFGzIoBEAgd15MQAbAxXXz8PslPJNId6SU7urDL6
Unseal Key 3: u2i5zcldyFLxh4I3uZ64aIxKSO0nu/jv3xaIqtZj7k9C
Unseal Key 4: BQ0Zcvz1/HboAmAXEtLfCiiW+8UOimCL6PyP9a1WITLR
Unseal Key 5: ByBsXsY1He6xfFCrZYaFnSsBANqoiKdHcp0YITLbEGF0
Initial Root Token: s.QIysbqxb4We3k9QBZmXf2e4g
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
The most important data above are:
Unseal Key
Initial Root Token
These values are shown only once, at initialization, and never again. If they are lost, the system can no longer be used, so keep them safe.
seal / unseal
The server is currently sealed, meaning no operations are possible. We must unseal it before doing anything else. Note: after a restart the server is sealed by default, so it must be unsealed after every restart.
Run the following command:
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce c767af4b-6faa-893b-0a87-234113fba0af
Version 1.4.2
HA Enabled false
You are prompted for an unseal key. After entering it, Sealed is still true and Unseal Progress shows 1/3.
Three different keys out of the five unseal keys given earlier are needed to unseal. Repeat the command until, on the third entry, the following appears:
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.4.2
Cluster Name vault-cluster-02ad08de
Cluster ID 9224f28f-f454-93bf-db06-0d0f88a8da76
HA Enabled false
The system is now unsealed and further operations are possible.
Login
Log in with the Initial Root Token obtained during init:
$ vault login s.QIysbqxb4We3k9QBZmXf2e4g
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.QIysbqxb4We3k9QBZmXf2e4g
token_accessor LQjYKYNbD9K6qffjaFQvDF9l
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
As the root user we can re-seal the server with the command: vault operator seal. In an emergency this locks down the whole system and stops anyone else from using it.
Creating secrets
In Vault, our actual data is kept in secrets engines. List the currently mounted secrets engines:
$ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_607ffff0 per-token private secret storage
identity/ identity identity_c728700b identity store
sys/ system system_f9998969 system endpoints used for control, policy and debugging
Create the secrets engine we need:
$ vault secrets enable -path=my-secret kv
Success! Enabled the kv secrets engine at: my-secret/
The kv above is the type of secrets engine. For more engine types see: https://www.vaultproject.io/docs/secrets
Adding policies and creating tokens
Next we create two policies: admin and reader. admin may perform any operation and is used for managing the data; reader may only read.
First create the file admin.hcl:
# my-secret is the secrets engine created earlier
path "my-secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
Then create the file reader.hcl:
# my-secret is the secrets engine created earlier; the reader gets only the read capability
path "my-secret/*" {
capabilities = ["read"]
}
Then run on the command line:
$ vault policy write admin-policy admin.hcl
Success! Uploaded policy: admin-policy
$ vault policy write reader-policy reader.hcl
Success! Uploaded policy: reader-policy
Create tokens
$ vault token create -policy=admin-policy
Key Value
--- -----
token s.aZUepwj4AL2vsC5bHIfkN15U
token_accessor pGg98pa7i9SnqaZg1Q3yjMu8
token_duration 768h
token_renewable true
token_policies ["admin-policy" "default"]
identity_policies []
policies ["admin-policy" "default"]
$ vault token create -policy=reader-policy
Key Value
--- -----
token s.5mTr03zVlAlrDim9jEwud5nF
token_accessor f4oYLlEVkkb5HL3PzH6yk3rF
token_duration 768h
token_renewable true
token_policies ["default" "reader-policy"]
identity_policies []
policies ["default" "reader-policy"]
Keep the two tokens created above safe; all subsequent reads and writes use them.
So far we have completed the initial setup. Since production environments usually read and write data through an API, the following operations use the HTTP API.
To tell the two tokens apart and make later calls easier, export them as environment variables (no spaces around the = sign):
# the admin token
$ export VAULT_TOKEN_ADMIN=s.aZUepwj4AL2vsC5bHIfkN15U
# the reader token
$ export VAULT_TOKEN_READER=s.5mTr03zVlAlrDim9jEwud5nF
Writing
Write data with the admin token:
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN_ADMIN" \
--request POST \
--data '{ "mysql": {"username":"myname","password": "my-long-password"} }' \
http://127.0.0.1:8200/v1/my-secret/data/creds
Here v1 is the API prefix, my-secret is the secrets engine created earlier, and data/creds is the path after it, which can be chosen freely.
Now try writing data with the reader token:
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN_READER" \
--request POST \
--data '{ "mysql": {"username":"myname","password": "my-long-password"} }' \
http://127.0.0.1:8200/v1/my-secret/data/creds
A permission-denied error shows that the policy created earlier is in effect:
{
"errors": [
"1 error occurred:\n\t* permission denied\n\n"
]
}
Now read the data with the reader token:
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN_READER" \
--request GET \
http://127.0.0.1:8200/v1/my-secret/data/creds
{
"request_id": "33dc39a8-b64d-14f7-2512-88a8806131bb",
"lease_id": "",
"renewable": false,
"lease_duration": 2764800,
"data": {
"mysql": {
"password": "my-long-password",
"username": "myname"
}
},
"wrap_info": null,
"warnings": null,
"auth": null
}
The data field holds the data stored earlier.
This concludes the introduction to Vault's basic usage. To learn more, see the official documentation:
Basic docs: https://www.vaultproject.io/docs
API docs: https://www.vaultproject.io/api-docs
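The three curl calls above (admin write, reader write refused, reader read) as one small client, an added example that is not part of the original post and not Vault's own client library. It only uses the Python standard library. It assumes the environment variables VAULT_ADDR, VAULT_TOKEN_ADMIN and VAULT_TOKEN_READER point at an unsealed Vault with the my-secret kv engine mounted; when VAULT_ADDR is unset, run_offline() talks to a tiny fake Vault constructed inside the script (not the real server) that reproduces only the two behaviours shown on the page: a token whose policy has the create capability may POST, and a read-only token gets HTTP 403 with the same permission-denied error body. The token names fake-admin-token and fake-reader-token are constructed for that fake.

```python
# Added example, not from the original post and not Vault's own client code.
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class VaultPermissionDenied(Exception):
    """Raised when Vault answers 403: the token's policies lack the capability."""


def vault_request(addr, token, method, path, payload=None):
    """Send one request to <addr>/v1/<path> with the X-Vault-Token header.

    Returns the decoded JSON body ({} for the empty 204 a kv v1 write returns).
    """
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=body, method=method)
    req.add_header("X-Vault-Token", token)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        errors = json.loads(err.read() or b"{}").get("errors", [])
        if err.code == 403:
            raise VaultPermissionDenied(errors) from None
        raise
    return json.loads(raw) if raw else {}


def demo(addr, admin_token, reader_token):
    """Replay the page's sequence: admin writes, reader reads, reader write is refused."""
    secret = {"mysql": {"username": "myname", "password": "my-long-password"}}
    vault_request(addr, admin_token, "POST", "my-secret/data/creds", secret)
    stored = vault_request(addr, reader_token, "GET", "my-secret/data/creds")["data"]
    try:
        vault_request(addr, reader_token, "POST", "my-secret/data/creds", secret)
        reader_can_write = True
    except VaultPermissionDenied:
        reader_can_write = False
    return stored, reader_can_write


class _FakeVault(BaseHTTPRequestHandler):
    """Constructed stand-in for offline runs: two tokens, the page's two policies."""
    store = {}
    capabilities = {
        "fake-admin-token": {"create", "read", "update", "delete", "list"},
        "fake-reader-token": {"read"},
    }

    def _reply(self, code, obj=None):
        self.send_response(code)
        if obj is not None:
            self.send_header("Content-Type", "application/json")
        self.end_headers()
        if obj is not None:
            self.wfile.write(json.dumps(obj).encode())

    def _allowed(self, capability):
        token = self.headers.get("X-Vault-Token", "")
        if capability in self.capabilities.get(token, set()):
            return True
        # Same body shape as the permission-denied response shown on the page
        self._reply(403, {"errors": ["1 error occurred:\n\t* permission denied\n\n"]})
        return False

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self._allowed("create"):
            self.store[self.path] = json.loads(body)
            self._reply(204)  # a kv v1 write returns no content

    def do_GET(self):
        if self._allowed("read"):
            data = self.store.get(self.path)
            if data is None:
                self._reply(404, {"errors": []})
            else:
                self._reply(200, {"data": data, "lease_duration": 2764800})

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_offline():
    """Run demo() against the fake server on a random localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return demo(f"http://127.0.0.1:{server.server_port}",
                    "fake-admin-token", "fake-reader-token")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if os.environ.get("VAULT_ADDR"):
        result = demo(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN_ADMIN"],
                      os.environ["VAULT_TOKEN_READER"])
    else:
        result = run_offline()
    print("stored data:", result[0], "| reader can write:", result[1])
```

Against a real server, a 403 from the reader's POST is the signal that reader-policy grants only read on my-secret/*; any other HTTP error (a sealed Vault answers 503, a missing path 404) is re-raised unchanged so it is not mistaken for a policy decision.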