This article covers installing the HashiCorp Vault server on Ubuntu 18.04 / Debian 9 / CentOS 7 / Fedora, configuring a Vault systemd service, initializing Vault, configuring Vault roles and policies, and writing and reading secrets.
## Introduction

HashiCorp Vault is a free, open-source tool designed for securely storing and accessing secrets. A secret can be a password, an API key, a certificate and so on. The Vault server's job is to provide a unified interface to any stored secret while enforcing strict access control and recording a detailed audit log.

Vault has a web UI that you can use to interact with it; through the UI you can easily create, update, read and delete secrets, authenticate, unseal and so on.

Vault's main features:

- Secure Secret Storage: by default, Vault encrypts secrets before writing them to persistent storage.
- Support for Dynamic Secrets: Vault can generate secrets on demand and revoke them when their lease expires.
- Leasing and Renewal: every secret in Vault has a lease associated with it; the secret is revoked automatically when the lease ends and can be renewed through the built-in renewal API.
- Secrets Revocation: Vault can revoke not only a single secret but whole trees of secrets, for example all secrets read by a particular user or all secrets of a particular type.
## Install Vault on Ubuntu/Debian/CentOS/Fedora

Vault is written in Go, and binary packages are available for the major Unix and Linux distributions. Precompiled Vault binaries are published at https://releases.hashicorp.com/vault/. The steps below download and use version 1.0.3:

```bash
curl -sO https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip
```

Extract the downloaded file and move the binary into your PATH:

```bash
unzip vault_1.0.3_linux_amd64.zip
sudo mv vault /usr/local/bin/
```

The version check should match the version you downloaded:

```console
$ vault --version
Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')
```

Enable command auto-completion:

```bash
vault -autocomplete-install
complete -C /usr/local/bin/vault vault
```
## Configure the Vault systemd service

With Vault installed, configure a systemd unit to manage the service. First create a dedicated, unprivileged system user to run Vault.

Create the Vault configuration and data directories:

```bash
sudo mkdir /etc/vault
sudo mkdir -p /var/lib/vault/data
```

Then create a user named vault and give it ownership of those directories:

```bash
sudo useradd --system --home /etc/vault --shell /bin/false vault
sudo chown -R vault:vault /etc/vault /var/lib/vault/
```

Create the Vault service file at /etc/systemd/system/vault.service (the `\$MAINPID` is escaped so that systemd, not the shell, expands it):

```bash
cat <<EOF | sudo tee /etc/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.hcl

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Create the file /etc/vault/config.hcl:

```bash
touch /etc/vault/config.hcl
```

Add Vault's basic configuration to /etc/vault/config.hcl:

```bash
cat <<EOF | sudo tee /etc/vault/config.hcl
disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
storage "file" {
  path = "/var/lib/vault/data"
}
api_addr = "http://0.0.0.0:8200"
max_lease_ttl = "10h"
default_lease_ttl = "10h"
cluster_name = "vault"
raw_storage_endpoint = true
disable_sealwrap = true
disable_printable_check = true
EOF
```

Note what this listener block means: with `tls_disable = 1` and `address = "0.0.0.0:8200"`, the API and UI are served over plain HTTP on every interface, so tokens and secret values cross the network unencrypted. Outside a lab, set `tls_disable = 0` and point the listener at a certificate with `tls_cert_file` and `tls_key_file`, or at least bind `address` to a trusted interface.

You can also use the Consul storage backend, but you need to install Consul first; see the guide to setting up a Consul cluster on Ubuntu 18.04/16.04. The Consul backend configuration looks like this:

```hcl
storage "consul" {
  address = "127.0.0.1:8500"
  path = "vault"
}
```

Start the Vault service and enable it so that it starts at boot:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now vault
```

Check the service status with `systemctl status vault`; it should show the service running:
## Initialize the Vault server

Export the VAULT_ADDR environment variable before initializing the Vault server:

```bash
export VAULT_ADDR=http://127.0.0.1:8200
echo "export VAULT_ADDR=http://127.0.0.1:8200" >> ~/.bashrc
```

Replace 127.0.0.1 with the Vault server's IP address. Start the initialization with the default options by running:

```bash
sudo rm -rf /var/lib/vault/data/*
vault operator init > /etc/vault/init.file
```

Open the Vault UI at an address such as http://serverip:8200/ui:
Paste the "Unseal Keys" one at a time into Unseal Vault; the keys are in /etc/vault/init.file:

```console
$ cat /etc/vault/init.file
Unseal Key 1: bNxZRU3azPZtzXjeS0pfGHLoif3Scs64fFk9j/FFtUN7
Unseal Key 2: kChe6UJ5+BnkU6UjSzalvjIuh01dLX8v/OMabz+uPtly
Unseal Key 3: MIRYhY1zQXZyod05tWtbgAnc14qBXM7hPHrqyEVQ7tCi
Unseal Key 4: KBVhzztVDUJRqNi2LDYfRFHThQe/iDbNdEaOFkAztMDN
Unseal Key 5: GJplvpcPVu6IQeJ3lqa5xvPfXTDA3ftgcZJT6xhrAUUL

Initial Root Token: s.RcW0LuNIyCoTLWxrDPtUDkCw

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```

After unsealing Vault, log in with the "Initial Root Token":
You should see the Vault web administration panel on the next page:
You can also check Vault's status from the CLI by running `vault status`:
Test the HTTP API endpoint with curl to check the initialization status:

```console
$ curl http://127.0.0.1:8200/v1/sys/init
{"initialized":true}
```
## Configure Vault roles and policies

Export the Vault root token:

```bash
export VAULT_TOKEN="s.RcW0LuNIyCoTLWxrDPtUDkCw"
```

Replace the token value with the Initial Root Token stored in /etc/vault/init.file. Then enable the approle auth method, which lets machines or applications authenticate using roles defined in Vault:

```console
$ vault auth enable approle
Success! Enabled approle auth method at: approle/
```

The same command works for other auth methods, for example:

```console
# vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/
# vault auth enable userpass
Success! Enabled userpass auth method at: userpass/
# vault auth enable ldap
Success! Enabled ldap auth method at: ldap/
```

List all enabled auth methods with `vault auth list`:
Other auth methods can also be enabled from the web UI:
ACL policies can be managed from the "Policies" section of the web console:
## Write and read secrets

Now that the Vault server is installed and configured, let's write and retrieve secrets in Vault. We use `vault kv` to write secrets. Get the secrets engine paths by running `vault secrets list`:
Write a secret to your kv secrets engine:

```console
$ vault kv put secret/databases/db1 username=DBAdmin
Success! Data written to: secret/databases/db1
$ vault kv put secret/databases/db1 password=StrongPassword
Success! Data written to: secret/databases/db1
```

Note that each `vault kv put` replaces the whole entry at that path, so the second command above drops the username written by the first. To store several fields together, write them in a single command:

```console
$ vault kv put secret/databases/db1 username=DBAdmin password=StrongPassword
Success! Data written to: secret/databases/db1
```

To read the secret, use `vault kv get secret/databases/db1`:
Get the data in JSON format:

```console
$ vault kv get -format=json secret/databases/db1
{
  "request_id": "f99170b5-ac38-84ce-8668-1f280b0981c1",
  "lease_id": "",
  "lease_duration": 36000,
  "renewable": false,
  "data": {
    "password": "StrongPassword",
    "username": "DBAdmin"
  },
  "warnings": null
}
```

To print only the value of a given field, use:

```console
$ vault kv get -field=username secret/databases/db1
DBAdmin
```

To delete the secret, use:

```console
$ vault kv delete secret/databases/db1
Success! Data deleted (if it existed) at: secret/databases/db1
$ vault kv get secret/databases/db1
No value found at secret/databases/db1
```
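The roles-and-policies section above only enables the approle method, and the kv section reads the secret with the root token. As an added example that is not part of the original article, the following Python script uses Vault's HTTP API to write a read-only ACL policy for secret/databases/db1, bind a hypothetical AppRole named db1-reader to it, log in as that role and read the secret with the resulting token. It assumes VAULT_ADDR and VAULT_TOKEN are exported as above and that secret/ is the KV version 1 mount shown in the article's JSON output (flat data, lease_duration set).

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
SECRET_PATH = "secret/databases/db1"  # KV v1 path; a KV v2 mount would use secret/data/databases/db1
ROLE = "db1-reader"                   # hypothetical role/policy name chosen for this example


def vault_request(path, payload=None, token=None, method=None):
    """Call /v1/<path>; returns the decoded JSON body, or None for an empty 204 reply."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(VAULT_ADDR + "/v1/" + path, data=data,
                                 method=method or ("POST" if data else "GET"))
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def read_only_policy(path):
    """ACL policy text granting the read capability on exactly one path and nothing else."""
    return 'path "%s" {\n  capabilities = ["read"]\n}\n' % path


def approle_role_payload(policy_name):
    """AppRole definition: tokens bound to one policy, short TTLs, single-use secret IDs."""
    return {"policies": [policy_name], "token_ttl": "1h", "token_max_ttl": "4h",
            "secret_id_ttl": "10m", "secret_id_num_uses": 1}


def client_token(login_response):
    """Extract the client token that an /auth/approle/login reply hands back."""
    return login_response["auth"]["client_token"]


def setup_role_and_login(root_token):
    """Admin steps run with the root token; the application only ever needs role_id + secret_id."""
    vault_request("sys/policies/acl/" + ROLE, {"policy": read_only_policy(SECRET_PATH)}, root_token, "PUT")
    vault_request("auth/approle/role/" + ROLE, approle_role_payload(ROLE), root_token)
    role_id = vault_request("auth/approle/role/%s/role-id" % ROLE, token=root_token)["data"]["role_id"]
    secret_id = vault_request("auth/approle/role/%s/secret-id" % ROLE, {}, root_token)["data"]["secret_id"]
    return client_token(vault_request("auth/approle/login", {"role_id": role_id, "secret_id": secret_id}))


if __name__ == "__main__":
    app_token = setup_role_and_login(os.environ["VAULT_TOKEN"])
    # The role's token can read the secret; a write to the same path with it is refused (HTTP 403).
    print(vault_request(SECRET_PATH, token=app_token)["data"])
```

Run it once with the root token exported; afterwards the application needs only the role_id and a fresh secret_id, never the root token.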