vault --version: Vault v1.9.2
I created a policy file with a few capabilities, in particular delete:
# cat ~/.my_policy.hcl
path "secret/*" {
capabilities = ["create", "read", "update", "list", "delete"]
}
Using this file I created a new policy, and I can now see that policy in the list operation:
# vault policy write my-policy ~/.my_policy.hcl
Success! Uploaded policy: my-policy
# vault policy list
default
my-policy
root
# vault policy read my-policy
path "secret/*" {
capabilities = ["create", "read", "update", "list", "delete"]
}
Created a new token using the above policy (so I can use it in the CURL -X DELETE operation):
# vault token create -policy=my-policy
Key Value
--- -----
token s.27T3cNB4PrHll9byc6tppHw9
token_accessor C6mu2crjudeHVy5jijcFkF4K
token_duration 768h
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]
But when I look at the token's capabilities on the folder path defined in my policy file, it shows a different policy, root, and shows deny.
# vault token lookup s.27T3cNB4PrHll9byc6tppHw9
Key Value
--- -----
accessor C6mu2crjudeHVy5jijcFkF4K
creation_time 1678469133
creation_ttl 768h
display_name token
entity_id n/a
expire_time 2023-04-11T17:25:33.405537533Z
explicit_max_ttl 0s
id s.27T3cNB4PrHll9byc6tppHw9
issue_time 2023-03-10T17:25:33.405548806Z
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [default my-policy]
renewable true
ttl 767h48m50s
type service
# These should have shown my-policy rather than root
# This should have shown all policies having some capability at this path
# ----
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9
root
# vault token capabilities secrets/*
root
# vault token capabilities secrets
root
# This should not give me deny when this token has the necessary policy 'my-policy' with 'delete' capability
# ----
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets/*
deny
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets
deny
Error message:
# curl -k -s -X GET -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}
# curl -k -s -X DELETE -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}
When querying vault directly from the command line and looking at the secret/testA1/test secret, it spits out:
{
"ttl": "90d",
"username": "test",
"value": "KneelB4Me!YaRight"
}
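An added example, not part of the original post: a small offline Python model of how Vault matches policy rule paths against a request path (trailing `*` glob, `+` single-segment wildcard, exact match otherwise; deny by default, the most specific matching rule wins, a `deny` capability overrides), run against the `secret/*` rule from the post and the paths that were queried. The policy table (including the abbreviated `default` entry) is a constructed input, the evaluator is a simplification of Vault's ACL logic, and nothing here talks to a Vault server.

```python
"""Offline model of Vault ACL path matching, applied to the policy in the post.

Constructed example: the rules below are typed in by hand (the "default" entry
is an abbreviated subset); nothing here talks to a Vault server.
"""

# Policy name -> {rule path: capabilities}; same shape as `vault policy read` output.
POLICIES = {
    "my-policy": {"secret/*": ["create", "read", "update", "list", "delete"]},
    "default": {  # abbreviated subset of Vault's built-in default policy (constructed)
        "auth/token/lookup-self": ["read"],
        "auth/token/renew-self": ["update"],
    },
}


def rule_matches(rule_path: str, request_path: str) -> bool:
    """Vault rule syntax: trailing '*' is a glob, '+' matches one segment, else exact."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    if "+" in rule_path:
        rs, qs = rule_path.split("/"), request_path.split("/")
        return len(rs) == len(qs) and all(r in ("+", q) for r, q in zip(rs, qs))
    return rule_path == request_path


def capabilities(token_policies, request_path: str, policies=POLICIES):
    """Return the capability list Vault would report for this token on this path.

    Default is deny; the most specific (longest) matching rule path wins; when
    several attached policies share that rule path their capabilities are merged,
    and a 'deny' capability overrides everything else.  A root token is special-cased.
    """
    if "root" in token_policies:
        return ["root"]
    matched = {}  # rule path -> merged capabilities from every attached policy
    for name in token_policies:
        for rule_path, caps in policies.get(name, {}).items():
            if rule_matches(rule_path, request_path):
                matched.setdefault(rule_path, set()).update(caps)
    if not matched:
        return ["deny"]
    winner = matched[max(matched, key=len)]
    return ["deny"] if "deny" in winner else sorted(winner)


if __name__ == "__main__":
    for path in ["secret/data/testA1/test", "secrets/*", "secrets", "auth/token/lookup-self"]:
        print(f"{path:28} {capabilities(['default', 'my-policy'], path)}")
    print("root token on secret/data/x  ", capabilities(["root"], "secret/data/x"))
```

Running it shows that `secret/*` covers the KV v2 API path `secret/data/testA1/test` but not the literal paths `secrets` or `secrets/*`, which fall through to the default deny.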