Tujuan dari postingan ini adalah untuk memberikan kredensial database dinamis/sementara tanpa harus membuat dan mengelola semuanya secara manual.
Saya hanya akan memulai ini dengan mengatakan bahwa ini hanyalah bukti konsep dan praktik terbaik tidak diikuti sama sekali. (terutama yang keamanan). Semua prosedur dari titik ini hanyalah pengujian sederhana dengan fokus pada pelonggaran semua tugas sampingan hanya untuk melihat seluruh proses bekerja.
Menguji Wadah
Kami akan menggunakan wadah MariaDB dan Vault, (cepat) diluncurkan seperti yang ditentukan di kedua halaman resmi DockerHub proyek.
- Vault
docker run --rm \
--name vault \
--cap-add=IPC_LOCK \
-e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' \
-p 8200:8200 \
-d vault
Ketika vault selesai dimulai, kita dapat melihat dari log kontainer sebagai berikut:
Anda mungkin perlu menyetel variabel lingkungan berikut:
$ export VAULT_ADDR='http://0.0.0.0:8200
Kunci pembuka segel dan token root ditampilkan di bawah jika>Anda ingin
segel/buka segel Vault atau autentikasi ulang.Buka segel Kunci:kSUgoPDPyBrCGWc4s93CIlMUnDLZGcxdu4doYCkWSPs=
Token Root:s.I6TnqhrgYh8uET91FUsNvIwVMode pengembangan TIDAK boleh digunakan dalam produksi>instalasi!
Jadi, kami memiliki alamat vault kami, dan token root.
- MariaDB
docker run --rm \
--name mariadb \
-p 3306:3306 \
-e MYSQL_ROOT_PASSWORD=mysecretpw \
-d mariadb:latest
Dan di sini kami memiliki pengguna root dan kata sandi untuk MariaDB.
Karena pengguna root tidak boleh digunakan untuk apa pun, kami akan membuat pengguna khusus untuk interaksi vault.
Masuk ke database menggunakan mysql -h 127.0.0.1 -u root -p
dan buat pengguna vault
grant CREATE USER, SELECT, INSERT, UPDATE ON *.* TO 'vault'@'%' identified by 'myvaultsecretpw' WITH GRANT OPTION;
Terraform
Dengan semua layanan yang berjalan dan dikonfigurasi, saatnya untuk mengurus bagian terraform.
Sekali lagi, ini hanya POC. Semua kata sandi yang di-hardcode dan lemah dimaksudkan untuk tujuan pengujian.
provider "vault" {
address = "http://localhost:8200"
#Token provided from vault container log
token = "s.I6TnqhrgYh8uET91FUsNvIwV"
}
resource "vault_auth_backend" "userpass" {
type = "userpass"
}
# USERS
resource "vault_generic_endpoint" "user_userro" {
depends_on = [vault_auth_backend.userpass]
path = "auth/userpass/users/userro"
ignore_absent_fields = true
data_json = <<EOT
{
"policies": ["db-ro"],
"password": "userro"
}
EOT
}
resource "vault_generic_endpoint" "user_userrw" {
depends_on = [vault_auth_backend.userpass]
path = "auth/userpass/users/userrw"
ignore_absent_fields = true
data_json = <<EOT
{
"policies": ["db-all", "db-ro"],
"password": "userrw"
}
EOT
}
# POLICIES
# Read-Only access policy
resource "vault_policy" "dbro" {
name = "db-ro"
policy = file("policies/dbro.hcl")
}
# All permissions access policy
resource "vault_policy" "dball" {
name = "db-all"
policy = file("policies/dball.hcl")
}
# DB
resource "vault_mount" "mariadb" {
path = "mariadb"
type = "database"
}
resource "vault_database_secret_backend_connection" "mariadb_connection" {
backend = vault_mount.mariadb.path
name = "mariadb"
allowed_roles = ["db-ro", "db-all"]
verify_connection = true
mysql{
connection_url = "{{username}}:{{password}}@tcp(192.168.11.71:3306)/"
}
# note that I have my database address hardcoded and I'm using my lan IP, since I'm running the mysql client directly from my host and vault/mariadb are running inside containers with their ports exposed.
data = {
username = "vault"
password = "myvaultsecretpw"
}
}
resource "vault_database_secret_backend_role" "role" {
backend = vault_mount.mariadb.path
name = "db-ro"
db_name = vault_database_secret_backend_connection.mariadb_connection.name
creation_statements = ["GRANT SELECT ON *.* TO '{{name}}'@'%' IDENTIFIED BY '{{password}}';"]
}
resource "vault_database_secret_backend_role" "role-all" {
backend = vault_mount.mariadb.path
name = "db-all"
db_name = vault_database_secret_backend_connection.mariadb_connection.name
creation_statements = ["GRANT ALL ON *.* TO '{{name}}'@'%' IDENTIFIED BY '{{password}}';"]
}
File kebijakan yang digunakan dalam daftar kode sebelumnya:
- policies/dball.hcl
path "mariadb/creds/db-all" {
policy = "read"
capabilities = ["list"]
}
- policies/dbro.hcl
path "mariadb/creds/db-ro" {
policy = "read"
capabilities = ["list"]
}
Setelah ini, proses yang biasa:
terraform init
terraform apply
Dan kami telah menyiapkan segalanya untuk beberapa pengujian.
Pengujian
Menguji pengguna RO
Masuk ke brankas
$ vault login -method userpass username=userro
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
(...)
meminta kredensial DB
$ vault read mariadb/creds/db-ro
Key Value
--- -----
lease_id mariadb/creds/db-ro/uGldyp0BAa2GhUlFyrEwuIbs
lease_duration 168h
lease_renewable true
password 8vykdcZNHp-I0pajVtoN
username v_userpass-d_db-ro_75wxnJaL69FW4
Masuk ke DB
(INGAT:cmd berikutnya adalah PRAKTEK yang benar-benar BURUK!!!)
$ mysql -h 127.0.0.1 -u v_userpass-d_db-ro_75wxnJaL69FW4 -p'8vykdcZNHp-I0pajVtoN'
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 101
Server version: 10.3.13-MariaDB-1:10.3.13+maria~bionic mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
... mencoba melakukan sesuatu
MariaDB [(none)]> create database my_database;
ERROR 1044 (42000): Access denied for user 'v_userpass-d_db-ro_75wxnJaL69FW4'@'%' to database 'my_database'
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| my_db |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]> use my_db;
Database changed
MariaDB [my_db]> show tables;
+-----------------+
| Tables_in_my_db |
+-----------------+
| my_table |
+-----------------+
1 row in set (0.00 sec)
MariaDB [my_db]> select * from my_table;
Empty set (0.00 sec)
MariaDB [my_db]>
Menguji pengguna RW
Masuk ke brankas
$ vault login -method userpass username=userrw
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
(...)
meminta kredensial DB
$ vault read mariadb/creds/db-all
Key Value
--- -----
lease_id mariadb/creds/db-all/GHRHvpuqa2ITP9tX54YHEePl
lease_duration 168h
lease_renewable true
password L--8mPBoprFZcaItINKI
username v_userpass-j_db-all_DMwlhs9nGxA8
Masuk ke DB
(INGAT LAGI:cmd berikutnya adalah PRAKTEK yang benar-benar BURUK!!!)
$ mysql -h 127.0.0.1 -u v_userpass-j_db-all_DMwlhs9nGxA8 -p'L--8mPBoprFZcaItINKI'
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 109
Server version: 10.3.13-MariaDB-1:10.3.13+maria~bionic mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
... mencoba melakukan sesuatu
MariaDB [(none)]> create database my_database;
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> use my_db;
Database changed
MariaDB [my_db]> create table the_table (i integer);
Query OK, 0 rows affected (0.03 sec)
MariaDB [my_db]> show tables;
+-----------------+
| Tables_in_my_db |
+-----------------+
| my_table |
| the_table |
+-----------------+
2 rows in set (0.00 sec)
Dan itu saja. Kami sekarang memiliki basis untuk pengguna dinamis/sementara MariaDB kami.
