Overview
Before diving into Vault, let's first understand the problem it tries to solve: secrets management.
Most applications need to store some secrets, such as database credentials and API keys for third-party vendors. Traditionally we kept this data in configuration files. That is not secure: anyone with access to the server can view and use these secrets at any time, which creates a serious security risk.
Moreover, as a project grows and its complexity increases, with distributed systems and microservices on the rise, sensitive information ends up spread across many machines and is constantly passed between servers, greatly increasing the exposure.
This is where a unified secrets management service is needed, and Vault was created to fill that role.
Usage
Installation
Download the software: https://www.vaultproject.io/downloads
After extracting the archive you get a single executable; this binary acts as both the server and the client.
Startup
Vault uses configuration files in HCL format. Create config.hcl with the following content:
# Enable the web UI at http://127.0.0.1:8200/ui. Remove this line if you don't need it
ui = true
# Use the file storage backend
storage "file" {
path = "data"
}
# TLS is disabled here; configure certificates in production
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
For more configuration options see: https://www.vaultproject.io/docs/configuration
Start the server:
$ vault server -config=config.hcl
==> Vault server configuration:
Cgo: disabled
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: file
Version: Vault v1.4.2
==> Vault server started! Log data will stream in below:
If you see the following message:
Error initializing core: Failed to lock memory: cannot allocate memory
This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.
As the message suggests, you can set disable_mlock to true. In production, use a system that supports mlock so that Vault's memory cannot be swapped to disk.
Initialization
The first time Vault is used it must be initialized. This step is not needed on subsequent starts.
$ vault operator init
Unseal Key 1: 9t43suWPep3s7z1vOS0RmowPm22Iu2NQg7WilKdrCm6c
Unseal Key 2: R9uaDFGzIoBEAgd15MQAbAxXXz8PslPJNId6SU7urDL6
Unseal Key 3: u2i5zcldyFLxh4I3uZ64aIxKSO0nu/jv3xaIqtZj7k9C
Unseal Key 4: BQ0Zcvz1/HboAmAXEtLfCiiW+8UOimCL6PyP9a1WITLR
Unseal Key 5: ByBsXsY1He6xfFCrZYaFnSsBANqoiKdHcp0YITLbEGF0
Initial Root Token: s.QIysbqxb4We3k9QBZmXf2e4g
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
The most important values above are:
Unseal Key
Initial Root Token
These values are shown only during the first initialization and never again. If they are lost, the system can no longer be used, so keep them safe.
Seal / unseal
The server is currently in the sealed state, meaning no operations can be performed. We must unseal it before doing anything else. Note: after a restart the server is sealed by default, so it must be unsealed after every restart.
Enter the following command:
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce c767af4b-6faa-893b-0a87-234113fba0af
Version 1.4.2
HA Enabled false
You are prompted for an unseal key. After entering it, Sealed is still true and Unseal Progress shows 1/3.
We need to enter 3 different keys out of the 5 unseal keys given earlier to unseal. Keep running the command above until, on the third entry, the following appears:
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.4.2
Cluster Name vault-cluster-02ad08de
Cluster ID 9224f28f-f454-93bf-db06-0d0f88a8da76
HA Enabled false
At this point the system is unsealed and subsequent operations can proceed.
Login
Log in using the Initial Root Token obtained during init:
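The "5 key shares, threshold 3" scheme reported by vault operator init is Shamir secret sharing. The following is an added example, not Vault's own code: a small Shamir implementation over a prime field (Vault's real implementation works byte-wise over GF(2^8)) showing that any 3 of the 5 shares rebuild the master key while 2 shares do not. The sample master key is constructed.

```python
import secrets
from typing import List, Tuple

PRIME = 2**127 - 1  # Mersenne prime; the secret must be smaller than this


def split_secret(secret: int, shares: int, threshold: int) -> List[Tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of degree threshold-1."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    # f(x) = secret + a1*x + ... + a_{t-1}*x^{t-1}, with random coefficients a_i
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; correct only with >= threshold distinct points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of den via Fermat's little theorem
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo() -> Tuple[bool, bool]:
    """Returns (three shares recover the key, two shares fail to recover it)."""
    master_key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed sample key
    shares = split_secret(master_key, shares=5, threshold=3)
    three_ok = recover_secret([shares[0], shares[2], shares[4]]) == master_key
    two_fail = recover_secret(shares[:2]) != master_key
    return three_ok, two_fail
```

This is why Vault can say it "does not store the generated master key": the key exists only while enough shares are presented to reconstruct it in memory.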
$ vault login s.QIysbqxb4We3k9QBZmXf2e4g
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.QIysbqxb4We3k9QBZmXf2e4g
token_accessor LQjYKYNbD9K6qffjaFQvDF9l
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
As the root user, we can seal the server again with: vault operator seal. This command locks down the whole system in an emergency and prevents anyone from using it.
Create secrets
In Vault, the actual data is stored in secrets engines. View the currently enabled secrets engines:
$ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_607ffff0 per-token private secret storage
identity/ identity identity_c728700b identity store
sys/ system system_f9998969 system endpoints used for control, policy and debugging
Enable the secrets engine we need:
$ vault secrets enable -path=my-secret kv
Success! Enabled the kv secrets engine at: my-secret/
The kv above is the type of Secrets Engine. For more engine types see: https://www.vaultproject.io/docs/secrets
Add policies and create tokens
Next we create two policies: admin and reader. admin can perform any operation and is used to manage data; reader can only read.
First create the file admin.hcl:
# my-secret is the secrets engine enabled earlier
path "my-secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
Next create the file reader.hcl, which grants only the read capability:
# my-secret is the secrets engine enabled earlier
path "my-secret/*" {
capabilities = ["read"]
}
Then run on the command line:
$ vault policy write admin-policy admin.hcl
Success! Uploaded policy: admin-policy
$ vault policy write reader-policy reader.hcl
Success! Uploaded policy: reader-policy
Create tokens:
$ vault token create -policy=admin-policy
Key Value
--- -----
token s.aZUepwj4AL2vsC5bHIfkN15U
token_accessor pGg98pa7i9SnqaZg1Q3yjMu8
token_duration 768h
token_renewable true
token_policies ["admin-policy" "default"]
identity_policies []
policies ["admin-policy" "default"]
$ vault token create -policy=reader-policy
Key Value
--- -----
token s.5mTr03zVlAlrDim9jEwud5nF
token_accessor f4oYLlEVkkb5HL3PzH6yk3rF
token_duration 768h
token_renewable true
token_policies ["default" "reader-policy"]
identity_policies []
policies ["default" "reader-policy"]
Keep the two tokens created above in a safe place; subsequent read and write operations use these two tokens.
So far we have completed the initial setup. Since production environments generally read and write data through an API, the following operations use the HTTP API.
To tell the two tokens apart and simplify later calls, put them in environment variables (no spaces around the = sign):
# admin token
$ export VAULT_TOKEN_ADMIN=s.aZUepwj4AL2vsC5bHIfkN15U
# reader token
$ export VAULT_TOKEN_READER=s.5mTr03zVlAlrDim9jEwud5nF
Write
Write data using the admin token:
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN_ADMIN" \
--request POST \
--data '{ "mysql": {"username":"myname","password": "my-long-password"} }' \
http://127.0.0.1:8200/v1/my-secret/data/creds
Here v1 is the API prefix, my-secret is the secrets engine enabled earlier, and data/creds is the remaining path, which you can choose freely.
Now try writing data with the reader token:
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN_READER" \
--request POST \
--data '{ "mysql": {"username":"myname","password": "my-long-password"} }' \
http://127.0.0.1:8200/v1/my-secret/data/creds
The request is denied, showing that the policy created earlier is in effect:
{
"errors": [
"1 error occurred:\n\t* permission denied\n\n"
]
}
Now use the reader token to read the data:
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN_READER" \
--request GET \
http://127.0.0.1:8200/v1/my-secret/data/creds
{
"request_id": "33dc39a8-b64d-14f7-2512-88a8806131bb",
"lease_id": "",
"renewable": false,
"lease_duration": 2764800,
"data": {
"mysql": {
"password": "my-long-password",
"username": "myname"
}
},
"wrap_info": null,
"warnings": null,
"auth": null
}
The data field contains the data stored earlier.
This concludes the introduction to Vault's basic usage. To learn more, see the official documentation:
Basic docs: https://www.vaultproject.io/docs
API docs: https://www.vaultproject.io/api-docs
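To make the policy section and the three curl calls above concrete, here is an added example (not Vault's own code) that models how Vault decides each request: the token's policies are matched against the request path using Vault's trailing-* glob rule, and the HTTP verb is mapped to the capability it needs. The policy contents are taken from admin.hcl and reader.hcl on this page; the verb-to-capability table and the simplified matching are assumptions of this model.

```python
from typing import Dict, List, Set

Policy = Dict[str, List[str]]

# Constructed from the two policy files above (the "default" policy grants
# nothing on my-secret/, so tokens carrying only it are denied there).
POLICIES: Dict[str, Policy] = {
    "admin-policy": {"my-secret/*": ["create", "read", "update", "delete", "list"]},
    "reader-policy": {"my-secret/*": ["read"]},
    "default": {},
}

# Assumed mapping of API verb to the capability Vault checks for these calls.
# Vault requires "create" for a POST to a path that does not exist yet and
# "update" for an existing one; admin has both and reader has neither.
VERB_TO_CAPABILITY = {"POST": "create", "PUT": "update", "GET": "read",
                      "DELETE": "delete", "LIST": "list"}


def path_matches(pattern: str, path: str) -> bool:
    """Vault glob rule: a pattern ending in '*' matches any path with that prefix."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def capabilities_for(token_policies: List[str], path: str) -> Set[str]:
    """Union of the capabilities every attached policy grants on `path`."""
    granted: Set[str] = set()
    for name in token_policies:
        for pattern, caps in POLICIES.get(name, {}).items():
            if path_matches(pattern, path):
                granted.update(caps)
    return granted


def authorize(token_policies: List[str], verb: str, api_path: str) -> str:
    """Return 'ok' or the 'permission denied' error seen in the curl output.
    `api_path` is the part after /v1/, e.g. my-secret/data/creds."""
    needed = VERB_TO_CAPABILITY[verb]
    if needed in capabilities_for(token_policies, api_path):
        return "ok"
    return "permission denied"
```

Run authorize() with the token_policies values printed by vault token create to reproduce which of the three curl calls succeed.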