vault 是 hashicorp stack 中管理敏感信息非常重要的一款产品，它囊括了私密信息，登陆密码、SSH Key、数据库登录信息、API 认证信息等。

下面简单体验下 vault 的部署及使用。

1、consul 配置及启动

既然 vault 用来存储敏感信息，那么它的数据当然需要有地方存储，在 vault 里这样的存储引擎叫做 secret engine，secret engine 类似文件系统，敏感信息像文件系统中的目录一样存放，支持读(read)、写(write)和删除(delete)操作。

我们用 consul 作为它的存储引擎来做示范。

如下是 consul 的配置文件，我们为其启用了 ACL，它能让我们安全地访问 consul 的 ui api 等。

agent.hcl

acl = {

enabled = true,

default_policy = "deny",

enable_token_persistence = true

}

运行 consul：

consul agent -dev -ui -data-dir=consul-data -config-file=agent.hcl

对 consul 进行 bootstrap：

$ consul acl bootstrap

AccessorID: b5b09120-1745-3ede-d92b-168b91acde96

SecretID: a28ab319-a93d-d8e0-243e-a18ac9ca4671

Description: Bootstrap Token (Global Management)

Local: false

Create Time: 2019-06-20 00:16:33.135192 +0800 CST

Policies:

00000000-0000-0000-0000-000000000001 - global-management

此时可以进入 consul ui 查看信息。在 ACL 中输入以上 SecretID 即可通过认证。

2、vault 配置及启动

首先定义配置文件，注意配置文件里的 token 需要为 bootstrap 之后的 SecretID，path 会在 consul ui 的 Key/Value 里新建名为 vault 的 key：

vault.hcl

ui = true

storage "consul" {

address = "127.0.0.1:8500"

token = "a28ab319-a93d-d8e0-243e-a18ac9ca4671"

path = "vault"

}

listener "tcp" {

address = "127.0.0.1:8200"

tls_disable = 1

}

启动 vault：

vault server -config=vault.hcl

用 vault operator 初始化 vault：

export VAULT_ADDR='http://127.0.0.1:8200'

vault operator init

记录输出的五个 unseal key 和 root token。

Unseal Key 1: U/TriU7LJK2dFMLp8gDfWBBBKBvtqapdv0rDYxp4WciF

Unseal Key 2: IMhwMQK2XWal0euctG753VvwA/ibTErccdatXN1pb5UR

Unseal Key 3: Fk0FVKKOXV50eYLAaSXj20NUBFgzlA4aKI6cnajtNW2a

Unseal Key 4: +yH4EbIRvfUZ8h6zroVLb5tHT26VKQz0kJqkVQsq6rVu

Unseal Key 5: E6qb5ve6NAhhDUZ32XIFSzAzZHV+tO36VXzWZ9x3b+pC

Initial Root Token: s.izQ1g3AQuMS7zC1DplitAzKN

Vault initialized with 5 key shares and a key threshold of 3. Please securely

distribute the key shares printed above. When the Vault is re-sealed,

restarted, or stopped, you must supply at least 3 of these keys to unseal it

before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to

reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of

existing unseal keys shares. See "vault operator rekey" for more information.

当然，我们还可以在配置文件里为 vault agent 之间的 rpc 通信配置 TLS，以及配置 gossip 协议的加密来加强安全性，这个比较简单，留作以后再讲。

为 unseal 解封：

vault operator unseal

一次键入上述五个 unseal key 中的三个即可。

简单看下用 consul 作为 storage 的 secrets 情况：

vault secrets list

# Path Type Accessor Description

# ---- ---- -------- -----------

# cubbyhole/ cubbyhole cubbyhole_bc40c80c per-token private secret storage

# identity/ identity identity_c4b25bc1 identity store

# sys/ system system_723c7052 system endpoints used for control, policy and debugging

由于开启了 ui，我们也可以直接进入 vault ui 的地址：http://127.0.0.1:8200/ui 输入 vault operator init 之后的 root token 即可登录。

3、kv secret engine

查看 secrets:

$ ./vault secrets list

Path Type Accessor Description

---- ---- -------- -----------

cubbyhole/ cubbyhole cubbyhole_b5689de6 per-token private secret storage

database/ database database_1be200b6 n/a

identity/ identity identity_f6bbb598 identity store

sys/ system system_08e857d4 system endpoints used for control, policy and debugging

写入数据：

vault kv put secret/hello foo=world

不同于 dev 模式，采用 consul 作为 secret engine 需要自己创建 path 为 secret 的 kv secret engine，否则无法向 secret/ 写入数据。

$ ./vault secrets enable -path=secret -version=2 kv

Success! Enabled the kv secrets engine at: secret/

敏感信息先进行加密，然后写入后端存储(consul)，敏感信息的路径以 secret/ 为前缀。

创建 policy：

cat >groupa-policy.hcl <

# Normal servers have version 1 of KV mounted by default, so will need these

# paths:

path "secret/data/groupa/" {

capabilities = ["create", "update", "delete", "list", "read"]

}

# # Dev servers have version 2 of KV mounted by default, so will need these

# # paths:

path "secret/data/groupa/*" {

capabilities = ["create", "update", "delete", "list", "read"]

}

EOF

vault policy write groupa-policy groupa-policy.hcl

注意 version=2 版本的 acl 需要在 policy 多加一个 data。

创建基于 groupa-policy 的 token：

$ vault token create -policy groupa-policy

Key Value

--- -----

token s.pix8j63L7L27QcF6YunURPNJ

token_accessor B95EtUP00lL42fpSPJB9r6ok

token_duration 768h

token_renewable true

token_policies ["default" "groupa-policy"]

identity_policies []

policies ["default" "groupa-policy"]

利用新创建的 token 写入数据:

$ VAULT_TOKEN=s.pix8j63L7L27QcF6YunURPNJ ./vault kv put secret/groupa/ccc value=bar

Key Value

--- -----

created_time 2019-06-19T07:30:40.020199Z

deletion_time n/a

destroyed false

version 1

此时可以看到，在 policy 设置了对 secret/groupa/ 的权限，写入数据成功。

让我们看下如果向 policy 之外的目录比如 secret/groupb/ 写入数据会怎样：

$ VAULT_TOKEN=s.pix8j63L7L27QcF6YunURPNJ ./vault kv put secret/groupb/ccc value=bar

Error writing data to secret/data/groupb/ccc: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/secret/data/groupb/ccc

Code: 403. Errors:

* 1 error occurred:

* permission denied

可以看到 api 返回 403 错误，表示无权写入数据。

在工程上，我们可以为每个项目分配自己的目录并设置 policy，然后为各自的生成 token，可以很方便地对不同项目进行隔离。

4、enable mysql database dynamic credentials

采用动态认证的方式首先要开启 database secrets engine：

$ export VAULT_TOKEN=s.Ys2ylvoGd3twbQj5ETrb3QaQ

$ ./vault secrets enable database

Success! Enabled the database secrets engine at: database/

首先创建数据库及用户，也可以用 root 用户的用户名和密码：

CREATE DATABASE million_dollar_application;

CREATE USER 'million-dollar-application-admin'@'%' IDENTIFIED BY '123456';

-- GRANT ALL ON million_dollar_application.* TO 'million-dollar-application-admin'@'%' WITH GRANT OPTION;

GRANT ALL ON *.* TO 'million-dollar-application-admin'@'%' WITH GRANT OPTION;

FLUSH PRIVILEGES;

-- DELTE FROM USER WHERE user="million-dollar-application-admin";

因为写入 secret 需要 vault 连接 mysql server，在向 vault 写入 secret 之前，必须保证对 mysql host 能否访问。

为 vault database secret engine 配置 mysql plugin：

vault write database/config/mysql-million-dollar-application \

plugin_name=mysql-database-plugin \

connection_url="{{username}}:{{password}}@tcp(localhost:3306)/" \

allowed_roles="mysql-million-dollar-application-role" \

username="million-dollar-application-admin" \

password="123456"

在 vault 创建一个 role，它的作用是在 mysql 中创建临时用户和密码：

vault write database/roles/mysql-million-dollar-application-role \

db_name=mysql-million-dollar-application \

creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \

default_ttl="1h" \

max_ttl="24h"

Success! Data written to: database/roles/mysql-million-dollar-application-role

生成一份临时凭证：

$ ./vault read database/creds/mysql-million-dollar-application-role

Key Value

--- -----

lease_id database/creds/mysql-million-dollar-application-role/BLV5mZRHGBx36m6bG01rus8J

lease_duration 1h

lease_renewable true

password A1a-5cXijTiMqzRsu1nd

username v-root-mysql-mill-Pf4xCJ3gCL9hO8

我们可以通过读取 database/creds/mysql-million-dollar-application-role 返回多个临时凭证。

用临时的 credentials 登陆：

$ mysql -uv-root-mysql-mill-Pf4xCJ3gCL9hO8 -pA1a-5cXijTiMqzRsu1nd

mysql: [Warning] Using a password on the command line interface can be insecure.

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 38

Server version: 8.0.16 Homebrew

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

在创建 role 的时候通过 GRANT SELECT ON 配置了只读权限，所以生成的凭据只有 SELECT 权限，其他权限如 CREATE 和 INSERT 等操作会失败。

mysql> use million_dollar_application;

Database changed

mysql> show tables;

+--------------------------------------+

| Tables_in_million_dollar_application |

+--------------------------------------+

| user |

+--------------------------------------+

mysql> select * from user;

+------+

| name |

+------+

| test |

+------+

1 row in set (0.00 sec)

mysql> create table t(id int);

ERROR 1142 (42000): CREATE command denied to user 'v-root-my-role-H6jerljDFjHEh2vUU'@'localhost' for table 't'

mysql> insert into user values ('noname');

ERROR 1142 (42000): INSERT command denied to user 'v-root-my-role-H6jerljDFjHEh2vUU'@'localhost' for table 'user'

临时凭证一小时后失效。

5、一些思考

目前云服务是大势所趋，我们可以通过 vault operator 将 vault 部署在 kubernetes 之上来将运维管理的工作交给 operator 去做，关于 operator 相关的内容后续会讲到。