

Vault study notes

Published: 2023/12/29

1 Starting Vault

vault server -dev (developer mode)

vault server -config=config.hcl (how to start in a production environment)

The contents of config.hcl are below. A MySQL database is installed and configured locally; ui=true makes the web UI accessible.

disable_mlock = true
ui = true
storage "mysql" {
  address  = "127.0.0.1:3306"
  username = "root"
  password = "123456"
  database = "vault"
  table    = "vault"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
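A small configuration review, added here as an example (it is not from the original notes or from HashiCorp): it parses the config.hcl above with a minimal HCL-subset parser and flags the settings a reviewer would question before this went to production (tls_disable, disable_mlock, the database root account), then checks a hardened variant. The hardened variant's storage account name, its password placeholder and the TLS certificate paths are assumptions.

```python
import re

# Constructed sample: the config.hcl from the notes above (loopback listener, TLS off).
WEAK_CONFIG = """
disable_mlock = true
ui=true
storage "mysql" {
  address = "127.0.0.1:3306"
  username = "root"
  password = "123456"
  database = "vault"
  table = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}
"""

# Constructed hardened variant: mlock kept on, a dedicated (hypothetical) DB account
# instead of root, and TLS enabled with certificate/key paths that are placeholders.
HARDENED_CONFIG = """
ui = true
storage "mysql" {
  address = "127.0.0.1:3306"
  username = "vault_svc"
  password = "REPLACE_WITH_DB_PASSWORD"
  database = "vault"
  table = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "/etc/vault/tls/server.crt"
  tls_key_file  = "/etc/vault/tls/server.key"
}
"""

# Minimal HCL subset: labelled blocks  type "label" { key = value ... }  and top-level key = value.
BLOCK_RE = re.compile(r'(\w+)\s+"([^"]*)"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*("[^"]*"|\S+)', re.M)


def _attrs(text):
    """key = value pairs in a chunk of text; surrounding quotes are dropped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_hcl_subset(text):
    """Return (top-level attrs, [(block_type, label, attrs), ...])."""
    blocks = [(m.group(1), m.group(2), _attrs(m.group(3))) for m in BLOCK_RE.finditer(text)]
    return _attrs(BLOCK_RE.sub("", text)), blocks


def review_config(text):
    """Flag settings a reviewer would question before this config went to production."""
    top, blocks = parse_hcl_subset(text)
    findings = []
    if top.get("disable_mlock") == "true":
        findings.append("disable_mlock = true: the OS may swap Vault memory (keys, plaintext) to disk")
    for btype, label, attrs in blocks:
        if btype == "listener":
            if attrs.get("tls_disable") in ("1", "true"):
                findings.append(f'listener "{label}": tls_disable set, clients reach Vault over plaintext HTTP')
            elif not (attrs.get("tls_cert_file") and attrs.get("tls_key_file")):
                findings.append(f'listener "{label}": TLS on but tls_cert_file/tls_key_file not set')
        if btype == "storage" and attrs.get("username") == "root":
            findings.append(f'storage "{label}": uses the database root account; use a dedicated least-privilege user')
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, review_config(cfg) or ["no findings"])
```

The parser only understands the flat `key = value` and single-level labelled-block shapes used in this config; it is enough for a pre-deployment check but is not a general HCL parser.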

2 Setting VAULT_ADDR

Open another console window.

Windows: set VAULT_ADDR=http://127.0.0.1:8200

Linux: export VAULT_ADDR=http://127.0.0.1:8200

3 Initializing Vault

vault operator init, or vault operator init -key-shares=5 -key-threshold=3

Notes:
-key-shares: the total number of key shares to generate
-key-threshold: the number of shares required to unseal
The values above are the defaults and can be omitted.

This yields five keys (key1 to key5), used later for unsealing.

vault operator unseal key1

vault operator unseal key2

vault operator unseal key3

vault status shows the current state; Sealed false means the vault is unsealed.

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.2.3
Cluster Name    vault-cluster-181def04
Cluster ID      32b31c01-4c2e-bfcf-e44c-0abc862d6156
HA Enabled      false

4 Log in with the generated token
vault login XXX

5 Using the database secrets engine
vault secrets enable database

6 Using transit: enable transit at path=encryption; if -path=encryption is omitted it is mounted at the default transit/ path.

vault secrets enable -path=encryption transit

7 Write the database connection configuration

vault write database/config/my-mysql-database \
  plugin_name=mysql-database-plugin \
  connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
  allowed_roles="my-role" \
  username="root" \
  password="123456"

8 Set up the dynamic-credential role
vault write database/roles/my-role \
  db_name=my-mysql-database \
  creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" \
  default_ttl="1h" \
  max_ttl="24h"

9 Policy file: writing it directly with vault policy write my-policy my-policy.hcl did not succeed; the following command worked instead.

vault policy write my-policy -<<EOF
# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
  capabilities = ["create"]
}
path "secret/foo" {
  capabilities = ["read"]
}
# Dev servers have version 2 of KV mounted by default, so will need these
# paths:
path "secret/data/*" {
  capabilities = ["create"]
}
path "secret/data/foo" {
  capabilities = ["read"]
}
EOF



Setting up a static role in Vault
0 Create a role vault-edu in MySQL
1 Enable database connections: vault secrets enable database
2 Configure the database connection

vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(30.16.104.43:3306)/" allowed_roles="*" username="root" password="123456"

3 Create the static role education

vault write database/static-roles/education db_name=my-mysql-database rotation_statements=@rotation.sql username="vault-edu" rotation_period=86400

The contents of rotation.sql:
ALTER USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';

4 Read the education role's information

vault read database/static-roles/education

5 Create a new policy app, write it into Vault's policies, and issue a token bound to it

vault policy write app app.hcl

vault token create -policy="app"

6 Log in with the issued token and read the role's credentials

VAULT_TOKEN=s.NN5Izfj9ok3VuZiaP9N9QJ1V vault read database/static-creds/education

Setting up a Vault role

vault write database/roles/my-role \
  db_name=my-mysql-database \
  creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" \
  default_ttl="1h" \
  max_ttl="24h"

Vault production configuration

https://learn.hashicorp.com/tutorials/vault/configure-vault

To enable rotation of Vault transit encryption keys, see https://learn.hashicorp.com/tutorials/vault/eaas-transit

To rotate the encryption key, invoke the transit/keys/<key_ring_name>/rotate endpoint.

For example: vault write -f transit/keys/order/rotate
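Rotation creates a new key version but leaves data that was already encrypted as it is; every transit ciphertext carries the key version that produced it (vault:v<N>:...). The example below is added here and is not from the notes or from the tutorial: it classifies stored ciphertexts after a rotation into those made with the current version, those to send to transit/rewrap/<key> so they pick up the new version, and those below min_decryption_version, which transit refuses to decrypt until that setting is lowered. The ciphertext payloads and the version numbers are constructed.

```python
import re

# Transit ciphertexts carry the key version that produced them: "vault:v<N>:<base64>".
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):[A-Za-z0-9+/=]+$")


def ciphertext_version(ciphertext):
    """Key version embedded in a transit ciphertext; ValueError for anything else."""
    m = CIPHERTEXT_RE.match(ciphertext)
    if not m:
        raise ValueError("not a transit ciphertext: %r" % ciphertext)
    return int(m.group(1))


def classify_after_rotation(ciphertexts, latest_version, min_decryption_version=1):
    """For each stored ciphertext decide:
    'current'       made with the latest key version, nothing to do
    'rewrap'        older but still decryptable: send it to transit/rewrap/<key>
    'undecryptable' below min_decryption_version: transit will refuse to decrypt it
    latest_version and min_decryption_version are the fields reported by reading
    transit/keys/<key>."""
    out = {}
    for ct in ciphertexts:
        v = ciphertext_version(ct)
        if v < min_decryption_version:
            out[ct] = "undecryptable"
        elif v < latest_version:
            out[ct] = "rewrap"
        else:
            out[ct] = "current"
    return out


# Constructed sample values (the base64 payloads are placeholders, not real ciphertext).
STORED = [
    "vault:v1:AAAAAQ==",
    "vault:v2:AAAAAg==",
    "vault:v3:AAAAAw==",
]

if __name__ == "__main__":
    # Assumed key state after two rotations of the "order" key: latest_version=3,
    # min_decryption_version raised to 2 by the operator.
    for ct, state in classify_after_rotation(STORED, latest_version=3, min_decryption_version=2).items():
        print(ct, "->", state)
```

Running such a sweep after each rotation is what turns a key rotation into an actual re-encryption of stored data; without the rewrap step the old key versions keep protecting the old rows.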

# List available auth method
path "sys/auth" {
  capabilities = [ "read" ]
}

# Read default token configuration
path "sys/auth/token/tune" {
  capabilities = [ "read", "sudo" ]
}

# Create and manage tokens (renew, lookup, revoke, etc.)
path "auth/token/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}

# For Advanced Features - list available secrets engines
path "sys/mounts" {
  capabilities = [ "read" ]
}

# For Advanced Features - tune the database secrets engine TTL
path "sys/mounts/database/tune" {
  capabilities = [ "update" ]
}
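How Vault evaluates the path rules in policies like my-policy from step 9 and the one above is easy to get wrong: an exact path match wins over any glob, otherwise the longest trailing-* glob applies, and a rule carrying deny blocks the request. The following is an added example (not the notes' own code and not Vault's implementation) that parses such a policy and answers capability questions the way Vault's ACL precedence does. It models only the trailing * glob, not the + segment wildcard of newer Vault versions; the secret/data/admin/* deny rule is a constructed addition to my-policy.

```python
import re

# Constructed sample: the my-policy from step 9 above, plus one deny rule (hypothetical)
# to show how deny overrides.
SAMPLE_POLICY = """
path "secret/*" {
  capabilities = ["create"]
}
path "secret/foo" {
  capabilities = ["read"]
}
path "secret/data/*" {
  capabilities = ["create"]
}
path "secret/data/foo" {
  capabilities = ["read"]
}
path "secret/data/admin/*" {
  capabilities = ["deny"]
}
"""

PATH_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(text):
    """Map each path pattern to its capability set (comments and other keys are ignored)."""
    rules = {}
    for m in PATH_RULE_RE.finditer(text):
        caps = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
        rules[m.group(1)] = caps
    return rules


def matching_rule(rules, request_path):
    """Vault precedence: an exact match wins; otherwise the longest glob (trailing '*') prefix."""
    if request_path in rules:
        return request_path
    best = None
    for pattern in rules:
        if pattern.endswith("*") and request_path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return best


def is_allowed(rules, request_path, capability):
    """Default deny: no matching rule, or a matching rule with deny, refuses the request."""
    rule = matching_rule(rules, request_path)
    if rule is None:
        return False
    caps = rules[rule]
    if "deny" in caps:
        return False
    return capability in caps


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for path, cap in [("secret/data/foo", "read"), ("secret/data/foo", "create"),
                      ("secret/data/bar", "create"), ("secret/data/admin/db", "read")]:
        verdict = "allow" if is_allowed(rules, path, cap) else "deny"
        print(f"{cap:6} {path:22} -> {verdict} (rule: {matching_rule(rules, path)})")
```

The case worth remembering from my-policy: because secret/data/foo has its own exact rule with only read, a create on that path is refused even though secret/data/* grants create; the more specific rule replaces the glob rather than adding to it.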
