
Description: I am using HashiCorp Vault, version 1.7.0, free edition.

I want to allow a user to assign/remove a specific range of policies on a group. This way he can add entities (users) to the group, or remove them from it, via the UI.

What I did

Below is the whole policy file, written as blocks.

{
capabilities = ["list"]
}

# To show the identity endpoint from the UI
path "/identity/*" {
  capabilities = ["list"]
}

# Policies that I would like the user to have the ability to assign to the group.

path "/sys/policies/acl/it_team_leader" {
  capabilities = ["read", "update", "list"]
}

path "sys/policies/acl/it_user" {
  capabilities = ["read", "update", "list"]
}

path "sys/policies/acl/ui_settings" {
  capabilities = ["read", "update", "list"]
}

path "sys/policies/acl/personal_storage" {
  capabilities = ["read", "update", "list"]
}

# Group id to which the user has full access
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["sudo", "read", "update", "create", "list"]
}


What the problem is: let's assume I have a super-privileged policy that can access the whole secrets engine.

From the UI, I can assign the super-privileged policy to the group, which basically allows a restricted user to assign this super policy to the whole group.

When I extend the policy with:

path "sys/policies/acl/super-priveleged" {
  capabilities = ["deny"]
}

it only restricts reading the policy from the UI.

Using allowed_parameters attached to the group path, e.g.:


# Same group path as above
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["sudo", "read", "update", "create", "list"]
  allowed_parameters = {
    "policies" = ["it_user", "it_team_leader"]  # etc.
  }
}

I get a permission denied error (403). Attaching denied parameters:

path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["sudo", "read", "update", "create", "list"]
  denied_parameters = {
    "policies" = ["super-policy"]
  }
}

does not work; I can still assign the super policy.

I also tried wildcards, with the same result.

Is it even possible to restrict one policy, or a range of policies, that can be assigned from the Vault UI?

If you made it this far, thanks in advance.


1 Answer


Found the solution. To restrict the user from updating to certain policies, the allowed_parameters field should wrap the list of policies in another list, and an asterisk key with an empty list should be added.

Note: the order of the policies assigned from the UI should match the order written in the .hcl file.

path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["sudo", "read", "update", "create", "list"]
  allowed_parameters = {
    "policies" = [["policy1", "policy2", "policy3"]]
    "*" = []
  }
}
answered 2021-08-18T12:50:19.073
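The following is an added example, not the asker's policy file nor the answerer's code: a complete version of the group policy that applies the answer's finding, with comments explaining why the earlier attempts in the question behaved as they did. It uses the group id and the four policy names from the question; `super-policy` is the question's name for the privileged policy and is assumed here. The observation in the answer that the order must match follows from how Vault compares a list-valued parameter: the whole submitted list is compared for equality against each allowed value, so each allowed value must itself be a list, a flat list of strings never matches (the 403 in the question), and a string glob such as `*` or a denied string such as `"super-policy"` is never compared against a list value (the "wildcards, same result" and the ineffective `denied_parameters` in the question). The `sudo` capability from the question is omitted; the identity group endpoints are not sudo-protected, so it only adds privilege.

```hcl
# Added example (editor's, not from the question or the answer).
# Lets a UI user manage membership of one group while limiting which
# policies that group can be given. Group id and policy names are the
# ones used in the question.

# UI navigation: list the identity tree, nothing more.
path "identity/*" {
  capabilities = ["list"]
}

# Membership management for a single group.
path "identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
  capabilities = ["read", "update", "list"]

  allowed_parameters = {
    # "policies" arrives as a list and is compared as a whole, so every
    # allowed value is one exact, order-sensitive list. A flat list of
    # strings here never matches and every update is refused (403).
    # Because the match is exact, each permitted combination must be
    # listed; the two entries below allow the full set or just it_user.
    "policies" = [
      ["it_user", "it_team_leader", "ui_settings", "personal_storage"],
      ["it_user"]
    ]
    # Any other parameter (member_entity_ids, member_group_ids, metadata,
    # name, ...) is unrestricted. Without this key, allowed_parameters
    # would reject every parameter not named above.
    "*" = []
  }
}

# Reading the assignable policies lets the UI show their contents.
# "update" on sys/policies/acl/<name> would additionally let the user
# rewrite the policy text, a separate and much larger permission, so it
# is not granted here.
path "sys/policies/acl/it_team_leader" {
  capabilities = ["read"]
}

path "sys/policies/acl/it_user" {
  capabilities = ["read"]
}

path "sys/policies/acl/ui_settings" {
  capabilities = ["read"]
}

path "sys/policies/acl/personal_storage" {
  capabilities = ["read"]
}

# super-policy (assumed name) is simply absent from the allowed lists
# above; a deny rule on its sys/policies/acl path only hides the policy
# text and, as the question found, does nothing to stop assignment.
```

To check the policy before handing it out, write it with `vault policy write <name> <file>`, create a token carrying only that policy, and attempt a group update with each combination: an update whose `policies` value is exactly one of the allowed lists succeeds, while any other list, including one that adds `super-policy`, is refused with "permission denied". The list of combinations grows with the number of policies, so keep the assignable set small or split it across several groups.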