Hashicorp Vault does not allow the Vault admin policy to create new policies


I am trying to follow the standard root-admin-user pattern for Hashicorp Vault.

Basically: root creates an admin policy. Then my admin needs to be able to create limited policies for new users.

However, even with full access to /sys, my admin is denied when creating a new policy.

Here is my admin policy:

path "pki/issue/admin" { capabilities = ["create", "update"] }
path "pki/roles/" { capabilities = ["create", "update"] }
path "pki/issue/" { capabilities = ["create", "update"] }
path "auth/token/*" { capabilities = ["create", "read", "update", "delete"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/renew-self" { capabilities = ["update"] }
path "auth/token/revoke-self" { capabilities = ["update"] }
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "sys/policy" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}


Am I missing something important? I would rather avoid propagating my root token to the backend servers just to create basic policies for new users.

What version of Vault are you using?

I tried this simple policy and it seems to work:

$ vault policy read pol
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

Thanks, sometimes the problem is between the chair and the keyboard... I used the wrong token.

$ vault policy read pol
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
curl -H "Authorization: Bearer $(vault token create -field token -policy pol)" http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path \"auth/token/lookup-self\" { capabilities = [\"read\"]}"}' -vvv
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> POST /v1/sys/policy/agent01 HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: Bearer s.FJ7MVrAZMcUAh1xmYWEWfxyZ
> Content-Length: 90
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 90 out of 90 bytes
< HTTP/1.1 204 No Content
< Cache-Control: no-store
< Content-Type: application/json
< Date: Sun, 02 Feb 2020 12:02:19 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
$ vault policy list
agent01
agent0111
default
pol
root
$ vault version
Vault v1.3.0
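The thread's conclusion is that the policy was fine and the wrong token was in use. The following is an added example, not code from any of the participants above: a small standard-library Python script that, before attempting the write, reports which token is actually being used (auth/token/lookup-self) and asks Vault what that token may do on the target path (sys/capabilities-self), then performs the same PUT to sys/policy/<name> that the curl command does. VAULT_ADDR and VAULT_TOKEN are read from the environment; the policy name "agent01" and the HCL in AGENT_POLICY_HCL are constructed sample values.

```python
"""Diagnose a Vault 'permission denied' on sys/policy/<name> before writing.

Added example, not code from the question or answers. Uses only the standard
library and the Vault HTTP API. VAULT_ADDR / VAULT_TOKEN come from the
environment; the policy name and HCL below are constructed sample values.
"""
import json
import os
import urllib.request
from urllib.error import HTTPError

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

# Constructed sample: the limited policy an admin would hand to a new user.
AGENT_POLICY_HCL = 'path "auth/token/lookup-self" { capabilities = ["read"] }'


def build_policy_payload(policy_hcl):
    """JSON body for PUT /v1/sys/policy/<name>. json.dumps does the quote
    escaping that the curl command in the thread performs by hand."""
    return json.dumps({"policy": policy_hcl}).encode("utf-8")


def granted(capabilities, needed):
    """Interpret a capability list as returned by sys/capabilities-self:
    'deny' overrides everything, 'root' grants everything, otherwise the
    named capability must be present."""
    caps = set(capabilities)
    if "deny" in caps:
        return False
    return "root" in caps or needed in caps


def vault_request(token, method, path, body=None):
    """Minimal Vault API call; returns the decoded JSON, or None on 204."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=body,
        method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def diagnose_and_write(token, policy_name, policy_hcl):
    """Show which token is in use, check its capabilities on the target
    path, and only then attempt the write. Returns True on success."""
    target = f"sys/policy/{policy_name}"
    try:
        # 1. Which token is this? This step would have exposed the
        #    wrong-token mistake described in the thread.
        me = vault_request(token, "GET", "auth/token/lookup-self")["data"]
        print(f"token display_name={me.get('display_name')} "
              f"policies={me.get('policies')}")

        # 2. Ask Vault what this token may do on the target path.
        caps_resp = vault_request(
            token, "POST", "sys/capabilities-self",
            json.dumps({"paths": [target]}).encode("utf-8"),
        )
        data = caps_resp["data"]
        caps = data.get(target) or data.get("capabilities", [])
    except HTTPError as err:
        print(f"diagnostic call failed: HTTP {err.code} on {err.url}")
        return False
    print(f"capabilities on {target}: {caps}")

    # Writing a policy is 'create' for a new name, 'update' for an existing one.
    if not (granted(caps, "create") or granted(caps, "update")):
        print("this token cannot write the policy; check the token in use")
        return False

    # 3. Write the policy; Vault answers 204 No Content on success.
    try:
        vault_request(token, "PUT", target, build_policy_payload(policy_hcl))
    except HTTPError as err:
        print(f"write failed: HTTP {err.code} {err.read().decode(errors='replace')}")
        return False
    print(f"policy {policy_name} written")
    return True


if __name__ == "__main__":
    diagnose_and_write(os.environ["VAULT_TOKEN"], "agent01", AGENT_POLICY_HCL)
```

Run it with VAULT_TOKEN set to the admin token (not the root token); if the printed policies list does not contain the admin policy, the wrong token is in use, which is exactly the situation the thread ended on. The X-Vault-Token header is used instead of the Bearer form from the curl command; Vault accepts both.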