Vault Admin Policy not allowed to create new policies
I am trying to follow the standard pattern for HashiCorp Vault: root - admin - users.
Basically: root creates an admin policy. Then my admin needs to be able to create limited policies for new users.
However, even with full access to /sys, my admin is denied creating new policies.
Here is my admin policy:
path "pki/issue/admin" { capabilities = ["create", "update"]}
path "pki/roles/" {capabilities = ["create", "update"]}
path "pki/issue/" {capabilities = ["create", "update"]}
path "auth/token/*" {capabilities = ["create", "read", "update", "delete"]}
path "auth/token/lookup-self" {capabilities = ["read"]}
path "auth/token/renew-self" {capabilities = ["update"]}
path "auth/token/revoke-self" {capabilities = ["update"]}
path "auth/token/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*" {
capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "sys/policy" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policy/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
$ curl -H 'Authorization: Bearer admintoken' http://127.0.0.1:8200/v1/auth/token/lookup-self | jq .data.policies
[
"admin"
]
$ curl -H 'Authorization: Bearer adminsecret' http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path \"auth/token/lookup-self\" { capabilities = [\"read\"]}"}'
{"errors":["permission denied"]}
Am I missing something important? I would rather avoid propagating my root token to my backend servers just to create basic policies for new users.
Which version of Vault are you using?
I tried this simple policy and it seems to work:
$ vault policy read pol
path "sys/policy/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
curl -H "Authorization: Bearer $(vault token create -field token -policy pol)" http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path \"auth/token/lookup-self\" { capabilities = [\"read\"]}"}' -vvv
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> POST /v1/sys/policy/agent01 HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: Bearer s.FJ7MVrAZMcUAh1xmYWEWfxyZ
> Content-Length: 90
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 90 out of 90 bytes
< HTTP/1.1 204 No Content
< Cache-Control: no-store
< Content-Type: application/json
< Date: Sun, 02 Feb 2020 12:02:19 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
$ vault policy list
agent01
agent0111
default
pol
root
$ vault version
Vault v1.3.0
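As an added check, not code from either post: on a live server the quickest way to see whether a policy really covers a call is `vault token capabilities <token> sys/policy/agent01`. The offline model below reproduces the rule selection Vault applies (exact path beats glob, longest glob prefix wins, `deny` grants nothing, repeated paths are merged) and runs it over a constructed copy of the question's admin policy; it assumes only trailing `*` globs and the simple stanza shape used in this thread, so it is an illustration of the semantics rather than Vault's own parser.

```python
import re

# Added example, not from the thread: a small offline model of how Vault picks
# the rule for a request path. Assumptions: only trailing `*` globs (no `+`
# segment wildcard) and the stanza shape `path "..." { capabilities = [...] }`.
CAPABILITIES = {"create", "read", "update", "delete", "list", "sudo", "deny"}
STANZA_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

def parse_policy(text):
    """Map each path to its capability set; repeated paths are merged (union),
    so the two `auth/token/*` stanzas in the question end up as one rule."""
    rules = {}
    for path, caps in STANZA_RE.findall(text):
        granted = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        if granted - CAPABILITIES:
            raise ValueError(f"unknown capabilities {granted - CAPABILITIES} on {path}")
        rules.setdefault(path, set()).update(granted)
    return rules

def capabilities_for(rules, request_path):
    """Exact match wins; otherwise the longest matching glob prefix; a rule
    containing `deny` grants nothing. No rule at all means no access."""
    if request_path in rules:
        caps = rules[request_path]
    else:
        globs = [p for p in rules if p.endswith("*") and request_path.startswith(p[:-1])]
        if not globs:
            return set()
        caps = rules[max(globs, key=len)]
    return set() if "deny" in caps else set(caps)

def allows(rules, request_path, capability):
    return capability in capabilities_for(rules, request_path)

# Constructed copy of the admin policy from the question (pki stanzas trimmed).
ADMIN_POLICY = '''
path "pki/roles/" {capabilities = ["create", "update"]}
path "auth/token/*" {capabilities = ["create", "read", "update", "delete"]}
path "auth/token/lookup-self" {capabilities = ["read"]}
path "auth/token/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/policy" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/policy/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
'''

if __name__ == "__main__":
    rules = parse_policy(ADMIN_POLICY)
    print(allows(rules, "sys/policy/agent01", "create"))   # True: the policy text allows the call
    print(allows(rules, "pki/roles/agent01", "create"))    # False: "pki/roles/" has no trailing *
    print(allows(rules, "auth/token/lookup-self", "sudo")) # False: exact match beats the glob
```

When the model (or `vault token capabilities`) says the policy text grants `create` on `sys/policy/agent01`, a `permission denied` response points at the token actually presented, not at the policy.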