Description: I am using HashiCorp's Vault, version 1.7.0, free edition.
I want to allow a user to assign/remove a specific range of policies to/from a group. That way they can add or remove entity users to/from the group through the UI.
What I did
The block below is written into the overall policy file.
{
  capabilities = ["list"]
}
# To show the identity endpoint in the UI
path "/identity/*" {
  capabilities = ["list"]
}
# Policies that I would like the user to be able to assign to the group.
path "/sys/policies/acl/it_team_leader" {
  capabilities = ["read", "update", "list"]
}
path "sys/policies/acl/it_user" {
  capabilities = ["read", "update", "list"]
}
path "sys/policies/acl/ui_settings" {
  capabilities = ["read", "update", "list"]
}
path "sys/policies/acl/personal_storage" {
  capabilities = ["read", "update", "list"]
}
# Group id to which the user has full access
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["sudo", "read", "update", "create", "list"]
}
What the problem is: let's assume I have a super-privileged policy that has access to the whole secrets engine.
From the UI, I can assign the super-privileged policy to the group, which basically allows the restricted user to assign this super policy to the entire group.
When I extend the policy with:
path "sys/policies/acl/super-priveleged" {
  capabilities = ["deny"]
}
it only restricts reading that policy from the UI.
Adding allowed_parameters to the group path, e.g.:
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["sudo", "read", "update", "create", "list"]
  allowed_parameters = {
    "policies" = ["it_user", "it_team_leader"] # etc.
  }
}
I get a permission denied error (403). Adding denied_parameters:
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["sudo", "read", "update", "create", "list"]
  denied_parameters = {
    "policies" = ["super-policy"]
  }
}
does not work; I can still assign the super policy.
I also tried wildcards, with the same result.
Is it even possible to restrict which policy, or range of policies, can be assigned from the Vault UI?
If you made it this far, thanks in advance.
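To make sense of the two results reported in the post (a 403 with allowed_parameters, and a denied_parameters entry that is silently ignored), here is a small Python model of how Vault evaluates a path's parameter constraints. This is an added illustration written for this thread, not the poster's policy and not HashiCorp's code. Two rules it encodes are documented for Vault policies: an empty constraint list means "any value", and once any key is listed in allowed_parameters, every parameter not listed is refused unless "*" is also allowed (the UI's group edit also sends member_entity_ids, so an allowed_parameters block that names only policies refuses the whole request). One further behaviour is my reading rather than a documented guarantee, and is labelled as an assumption in the code: a constraint entry is compared against the submitted parameter value as a whole, so the list policies = ["it_user"] never equals the string "it_user". That assumption reproduces both observations above. The entity id is a constructed placeholder.

```python
"""
Simplified model of Vault's per-path parameter constraints
(allowed_parameters / denied_parameters). Illustration for this thread,
NOT Vault's source code. Documented rules encoded: empty constraint list
means "any value"; once any key is whitelisted, unlisted parameters are
denied unless "*" is also allowed; "*" in denied_parameters denies all.
ASSUMPTION encoded: a constraint entry is compared against the submitted
parameter value as a whole, so a list value never matches a string entry.
"""
from typing import Any, Dict, List

# Constructed sample id, not a real Vault identifier.
ENTITY_ID = "00000000-0000-4000-8000-000000000002"


def glob_match(pattern: str, value: str) -> bool:
    """Vault-style glob: '*' is only meaningful at the start and/or end."""
    if len(pattern) < 2:
        return value == pattern
    head, tail = pattern.startswith("*"), pattern.endswith("*")
    if head and tail:
        return pattern[1:-1] in value
    if head:
        return value.endswith(pattern[1:])
    if tail:
        return value.startswith(pattern[:-1])
    return value == pattern


def value_matches(value: Any, constraint: List[Any]) -> bool:
    """Empty constraint list => any value. String entries glob-match string
    values; anything else (including a list value) must be equal as a whole
    (assumption, see module docstring)."""
    if not constraint:
        return True
    for entry in constraint:
        if isinstance(entry, str) and isinstance(value, str):
            if glob_match(entry, value):
                return True
        elif entry == value:
            return True
    return False


def parameters_permitted(request_data: Dict[str, Any],
                         allowed: Dict[str, List[Any]],
                         denied: Dict[str, List[Any]]) -> bool:
    """Evaluate one path's parameter constraints against a request body.
    The capability check (update etc.) is assumed to have passed already."""
    if not request_data:
        return True
    if "*" in denied:                      # denied_parameters = { "*" = [] }
        return False
    allow_unlisted = not allowed or "*" in allowed
    for key, value in request_data.items():
        k = key.lower()
        if k in denied and value_matches(value, denied[k]):
            return False                   # explicit deny wins
        if k in allowed:
            if not value_matches(value, allowed[k]):
                return False
        elif not allow_unlisted:
            return False                   # a whitelist exists and this key is not on it
    return True


def thread_scenarios() -> Dict[str, bool]:
    """The attempts from the post, plus a string-parameter contrast case."""
    ui_group_update = {                    # constructed: roughly what the UI sends on group edit
        "policies": ["it_user"],
        "member_entity_ids": [ENTITY_ID],
    }
    return {
        # allowed_parameters attempt: refused for two independent reasons,
        # member_entity_ids is not whitelisted and the list never equals a string.
        "allowed_it_policies_ui_body": parameters_permitted(
            ui_group_update, allowed={"policies": ["it_user", "it_team_leader"]}, denied={}),
        # Same with "*" allowed for other keys: still refused by whole-value comparison.
        "allowed_it_policies_star": parameters_permitted(
            {"policies": ["it_user"]},
            allowed={"policies": ["it_user", "it_team_leader"], "*": []}, denied={}),
        # denied_parameters attempt: the super policy still goes through.
        "denied_super_policy_list": parameters_permitted(
            {"policies": ["it_user", "super-policy"], "member_entity_ids": [ENTITY_ID]},
            allowed={}, denied={"policies": ["super-policy"]}),
        # Contrast: a plain string parameter is constrained, glob included.
        "denied_string_glob": parameters_permitted(
            {"name": "super-policy"}, allowed={}, denied={"name": ["super-*"]}),
    }


if __name__ == "__main__":
    for name, permitted in thread_scenarios().items():
        print(f"{name:30s} -> {'permitted' if permitted else 'permission denied (403)'}")
```

Run it and the first three cases land exactly where the post does: the allowed_parameters variants are refused, the denied_parameters variant is permitted. The fourth case shows that the same constraint syntax does work for a scalar parameter, which is why the policies list behaves differently from, say, a policy name. If the whole-value assumption holds for the real server, no allowed_parameters or denied_parameters value will filter individual entries of the policies array on the group update endpoint, so the restriction has to come from somewhere other than that path's parameter constraints.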