Can you keep a secret? (XP Days 2017)
Can you keep a secret?
Moisieienko Valerii
XP Days 2017
Who Is This Guy?
• Senior Application Engineer @ Oracle UGBU
• 8+ years in commercial software development
• Oracle Certified Professional
• MapR Certified HBase Developer
• Master's Degree in Information Security
Disclaimer
This presentation is based on my personal experience and does not represent the official position of Oracle.
Everybody Has A Secret
• Database credentials
• Third-party API keys
• License keys
• Sensitive environment variables
And How Do We Usually Keep Them?
database:
  connections:
    default:
      url: jdbc:mysql://my.db.server:3306/example_service
      user: service_user
      password: superStrongPassword
apiToken: 8d07b5e9-fbb2-4499-a3c4-053190a78827
Private Code Repository
Authentication
But No Authorization
(A private repository checks who may clone it, but everyone who can clone it can read every secret committed to it.)
The Task
• Reliable secret storage
• Data encryption support
• Flexible user authentication backend
• Authorization
• Convenient interaction for humans and applications
Possible Solutions
• HSMs
• Amazon KMS
• Keywhiz
• Conjur
• HashiCorp Vault
HashiCorp Vault
• Secure Secret Storage
• Data Encryption
• Access Control
• Pluggable Auth & Storage Backends
• Vault Client & HTTP API
Getting Started
• Vault Server
• Secrets
• Policies
• Authentication
• Tokens
Vault Server
vault server -dev
vault server -config=server_config.hcl
export VAULT_ADDR='http://127.0.0.1:8200'
server_config.hcl:
storage "mysql" {
  username = "vault"
  password = "iamvault"
  database = "vault"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
The -dev server is in-memory and auto-unsealed, and tls_disable = 1 puts tokens and secrets on the wire in plaintext; both are for the local demo only. The storage stanza also carries the MySQL password in clear, so the config file needs the same file permissions as any other credential.
Secrets
vault write secret/v1/my/secrets <key1>=<value1> <key2>=<value2> <key3>=<value3>
vault read secret/v1/my/secrets
vault delete secret/v1/my/secrets
vault path-help secret/
(This is the Vault 0.x CLI current in 2017. Vault 0.10 renamed these commands to vault kv put / get / delete, vault policy write, vault token create, vault token revoke, vault auth enable and vault login; its dev server also mounts a KV v2 engine at secret/, whose API paths gain a data/ segment.)
Policies
vault policy-write myfirstpolicy policy.hcl
policy.hcl:
path "secret/*" {
  capabilities = ["create"]
}
path "secret/read/only" {
  capabilities = ["read"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
Tokens
vault token-create -policy=<policy_name>
vault auth <token>
vault token-revoke <token>
token            d5da8c66-1b37-6916-85cc-3192a135f9a1
token_accessor   ae97c557-e416-8d98-b815-7394b0d7bcbb
token_duration   768h0m0s
token_renewable  true
token_policies   [default myfirstpolicy]
(The accessor can look up or revoke the token without revealing the token itself; 768h is the default 32-day TTL, and a renewable token must be renewed before it expires.)
Authentication
vault auth-enable github
vault write auth/github/config organization=<github_org>
vault write auth/github/map/teams/default value=default
vault auth -method=github token=<github_token>
vault auth-disable github
Vault Integration
• Define secrets
• Create application role
• Create policies
• Provide policy mapping
• Place secrets to Vault
• Adjust application
• Summon
Application Role
vault write auth/token/roles/role.service.example-service allowed_policies="policy.service.example-service"
Policies
• Admin policy
• Application policy
Admin Policy
example-service-admin.hcl:
# Admins can read/write secrets for their service
path "secret/service/example_service/v1/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Admins can provision tokens for their service
path "auth/token/create/role.service.example-service" {
  capabilities = ["create", "update"]
}
Application Policy
example-service.hcl:
path "secret/service/example_service/v1/*" {
  capabilities = ["read", "list"]
}
Writing Policies
vault policy-write policy.service.example-service.admin example-service-admin.hcl
vault policy-write policy.service.example-service example-service.hcl
# Specific to the particular auth backend: map a GitHub team to the admin policy
vault write auth/github/map/teams/default value=policy.service.example-service.admin
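To see what the policies on the Policies, Admin Policy and Application Policy slides actually permit, here is a toy model of Vault's policy decision in Python. It is an added example, not Vault's code or the speaker's: it follows the simplified priority rules from HashiCorp's policy documentation (an exact path beats a glob, the longest glob wins, capabilities of the same pattern are unioned across policies, deny overrides, and vault write needs create for a new path but update for an existing one). The three policy dicts are the slides' HCL transcribed by hand; the deny and nested-glob policies used in the checks are constructed for illustration.

```python
"""Toy model of how Vault decides a request, applied to the slides' policies.

Added example, not Vault's code. Simplified rules from HashiCorp's policy
documentation:
  * a token carries one or more policies; a policy maps path patterns to
    capability sets;
  * a pattern ending in "*" is a prefix glob, anything else is an exact path;
  * an exact match beats every glob; among globs the longest prefix wins;
    capabilities of the same pattern from different policies are unioned;
  * "deny" in the winning rule overrides everything; no matching rule = deny;
  * `vault write` needs "create" for a path that does not exist yet and
    "update" for one that does, which is why most real policies grant both.
"""

# The slides' HCL policies transcribed into dicts: pattern -> capabilities.
MY_FIRST_POLICY = {
    "secret/*": {"create"},
    "secret/read/only": {"read"},
    "auth/token/lookup-self": {"read"},
}
ADMIN_POLICY = {  # policy.service.example-service.admin
    "secret/service/example_service/v1/*": {"create", "read", "update", "delete", "list"},
    "auth/token/create/role.service.example-service": {"create", "update"},
}
APP_POLICY = {  # policy.service.example-service
    "secret/service/example_service/v1/*": {"read", "list"},
}


def winning_capabilities(policies, path):
    """Capabilities of the most specific rule matching `path`, merged across
    all attached policies; None when no rule matches."""
    exact, globs = set(), {}
    for policy in policies:
        for pattern, caps in policy.items():
            if pattern.endswith("*"):
                if path.startswith(pattern[:-1]):
                    globs.setdefault(pattern, set()).update(caps)
            elif pattern == path:
                exact.update(caps)
    if exact:
        return exact
    if globs:
        return globs[max(globs, key=len)]
    return None


def allowed(policies, path, capability):
    """True if a token holding `policies` may use `capability` on `path`."""
    caps = winning_capabilities(policies, path)
    return caps is not None and "deny" not in caps and capability in caps


def cli_allowed(policies, command, path, existing=frozenset()):
    """Map `vault <command> <path>` to the capability Vault checks.
    `existing` is the set of paths that already hold data."""
    if command == "write":
        needed = "update" if path in existing else "create"
    elif command in ("read", "delete", "list"):
        needed = command
    else:
        raise ValueError(f"unsupported command {command!r}")
    return allowed(policies, path, needed)


if __name__ == "__main__":
    db = "secret/service/example_service/v1/db_properties"
    # myfirstpolicy can create anything under secret/, but the exact rule for
    # secret/read/only replaces the glob there, so it gets read only.
    assert cli_allowed([MY_FIRST_POLICY], "write", "secret/v1/my/secrets")
    assert not cli_allowed([MY_FIRST_POLICY], "read", "secret/v1/my/secrets")
    assert not allowed([MY_FIRST_POLICY], "secret/read/only", "create")
    # "create" alone is not enough to overwrite an existing secret.
    assert not cli_allowed([MY_FIRST_POLICY], "write", "secret/v1/my/secrets",
                           existing={"secret/v1/my/secrets"})
    # Application tokens read their own secrets and cannot mint tokens;
    # admin tokens can do both.
    assert cli_allowed([APP_POLICY], "read", db)
    assert not cli_allowed([APP_POLICY], "delete", db)
    role = "auth/token/create/role.service.example-service"
    assert not allowed([APP_POLICY], role, "create")
    assert allowed([ADMIN_POLICY], role, "create")
    print("policy model checks passed")
```

The practical lesson from the checks is the one the admin policy already embodies: grant create and update together unless you really mean write-once, and keep the application policy to read and list so a leaked application token cannot rewrite its own credentials or mint new tokens.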
Secrets Go To Vault
vault write secret/service/example_service/v1/db_properties jdbc.url=<jdbc_url> jdbc.username=<username> jdbc.password=<password>
(Values typed on the command line land in shell history and process listings; the CLI accepts jdbc.password=- to read a value from stdin, or @file.json to read all fields from a file.)
Application Adjustment
Application adjustment
secrets file (secrets.yml):
DB_URL: !var secret/service/example_service/v1/db_properties:jdbc.url
DB_USERNAME: !var secret/service/example_service/v1/db_properties:jdbc.username
DB_PASSWORD: !var secret/service/example_service/v1/db_properties:jdbc.password
Application adjustment
properties file:
database:
  jdbcUrl: ENV[DB_URL]
  user: ENV[DB_USERNAME]
  password: ENV[DB_PASSWORD]
Application adjustment
Environment Variable Lookup
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Matches placeholders of the form ENV[NAME] in configuration values.
private static final Pattern SECRETS_PATTERN = Pattern.compile("ENV\\[(.*)\\]");

// Replaces ENV[NAME] with the value of environment variable NAME; any other
// value is returned unchanged. System.getenv returns null when NAME is not
// set, so a missing variable surfaces as a null property rather than an error.
public String resolvePropertyValue(String value) {
    Matcher matcher = SECRETS_PATTERN.matcher(value);
    if (matcher.find()) {
        return System.getenv(matcher.group(1));
    } else {
        return value;
    }
}
Summon
• Install
brew tap conjurinc/tools
brew install summon
• Vault Provider
mv summon-vault /usr/local/lib/summon/
chmod 755 /usr/local/lib/summon/summon-vault
• Check
VAULT_TOKEN=<TOKEN> summon --provider summon-vault -f secrets.yml ruby -e 'puts ENV["DB_URL"]'
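The secrets file and the Summon steps above describe one mechanism: a provider reads each !var entry from Vault and Summon exports the result as environment variables to the child process. As an added Python example (not summon-vault's own code, which is a separate program), this is that mechanism end to end: it parses the ENV_NAME: !var <vault path>:<key> form used on the slides, reads each Vault path once over the KV HTTP API, and hands the values to the child process through its environment only. FAKE_VAULT, SECRETS_YML and demo() are constructed so it runs offline with the slide's db_properties values; real use goes through vault_kv_read with VAULT_ADDR and VAULT_TOKEN.

```python
"""Resolving the slide's secrets.yml the way a Summon provider does.

Added example, not summon-vault's own code. It implements only the
"ENV_NAME: !var <vault path>:<key>" form shown on the slides (anything else
is a literal), reads each Vault path once, injects the values into a child
process environment, and fails fast when a path or key is missing.
"""
import json
import os
import re
import subprocess
import urllib.request

VAR_RE = re.compile(r"^!var\s+(?P<path>[^\s:]+):(?P<key>\S+)$")


def parse_secrets_file(text):
    """Return (env_name, vault_path, key) tuples; vault_path is None for a
    literal entry, in which case key holds the literal value."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"secrets file line {lineno}: expected 'NAME: value'")
        m = VAR_RE.match(value.strip())
        if m:
            entries.append((name.strip(), m.group("path"), m.group("key")))
        else:
            entries.append((name.strip(), None, value.strip()))
    return entries


def vault_kv_read(vault_addr, token, path):
    """Read a KV (v1) secret over the HTTP API: GET /v1/<path> with the token
    in X-Vault-Token, returning the "data" dict. Needs a live Vault server."""
    req = urllib.request.Request(f"{vault_addr}/v1/{path}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


def resolve(entries, read_secret):
    """Map env names to values. read_secret(path) returns a secret's data
    dict; each distinct path is read once, and a missing key is an error."""
    cache, env = {}, {}
    for name, path, key in entries:
        if path is None:
            env[name] = key
            continue
        if path not in cache:
            cache[path] = read_secret(path)
        if key not in cache[path]:
            raise KeyError(f"{name}: secret {path} has no key {key!r}")
        env[name] = cache[path][key]
    return env


def run_with_secrets(entries, read_secret, command):
    """summon -f secrets.yml <command>: the values exist only in the child's
    environment, never in a file or on its command line."""
    child_env = dict(os.environ, **resolve(entries, read_secret))
    return subprocess.run(command, env=child_env, check=True)


# Constructed offline stand-in for Vault holding the slide's db_properties.
FAKE_VAULT = {
    "secret/service/example_service/v1/db_properties": {
        "jdbc.url": "jdbc:mysql://my.db.server:3306/example_service",
        "jdbc.username": "service_user",
        "jdbc.password": "superStrongPassword",
    }
}

SECRETS_YML = """\
DB_URL: !var secret/service/example_service/v1/db_properties:jdbc.url
DB_USERNAME: !var secret/service/example_service/v1/db_properties:jdbc.username
DB_PASSWORD: !var secret/service/example_service/v1/db_properties:jdbc.password
"""


def demo():
    """Resolve SECRETS_YML against FAKE_VAULT; returns (env, number of reads)."""
    reads = []

    def read_secret(path):
        reads.append(path)
        return FAKE_VAULT[path]

    return resolve(parse_secrets_file(SECRETS_YML), read_secret), len(reads)


if __name__ == "__main__":
    env, reads = demo()
    print(f"{env['DB_USERNAME']}@{env['DB_URL']} resolved with {reads} Vault read")
    # Against a real server:
    # read = lambda p: vault_kv_read(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], p)
    # run_with_secrets(parse_secrets_file(open("secrets.yml").read()), read,
    #                  ["ruby", "-e", 'puts ENV["DB_URL"]'])
```

Two design points matter for the application policy above: the provider only ever needs read on the service's secret path, and a missing key fails the launch instead of starting the application with a null credential, which is the failure the ENV[...] lookup in the Java resolver would otherwise pass through silently.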
Integration Demo
Pros And Cons
+ Easy setup
+ Master key sharing (Shamir-split unseal keys)
+ Pluggable storage and auth backends
+ Straightforward policy control
+ Provides client and HTTP API
- Application integration
- Token renewal mechanism
Thank you!
You are welcome to write me at [email protected]
GitHub https://github.com/moisieienko-valerii/vault-dropwizard