sql >> Database teknologi >  >> RDS >> MariaDB

Provisionering af MySQL/MariaDB Vault Database Secrets Engine med Terraform

Målet med dette indlæg er at give dynamiske/midlertidige databaselegitimationsoplysninger uden at skulle oprette og administrere dem alle manuelt.

Jeg vil bare starte dette med at sige, at dette kun er et proof of concept, og bedste praksis blev slet ikke fulgt. (hovedsageligt sikkerhedsstillelser). Alle procedurerne fra dette tidspunkt er blot simple tests med fokus på at lette alle sideopgaverne bare for at se hele processen fungere.

Test af containere

Vi vil bruge MariaDB- og Vault-containere, (hurtigt) lanceret som angivet på begge projekters officielle DockerHub-sider.

  • Vault
docker run --rm \
    --name vault \
    --cap-add=IPC_LOCK \
    -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' \
    -p 8200:8200 \
    -d vault

Når vault er færdig med at starte op, kan vi se følgende fra containerlogfilerne:

Du skal muligvis indstille følgende miljøvariabel:

$ eksport VAULT_ADDR='http://0.0.0.0:8200

Unseal-nøglen og rodtokenet vises nedenfor, hvis>du ønsker det
forsegle/ophæve forseglingen af ​​Vault eller genautentificere.

Unseal Key:kSUgoPDPyBrCGWc4s93CIlMUnDLZGcxdu4doYCkWSPs=
Rodtoken:s.I6TnqhrgYh8uET91FUsNvIwV

Udviklingstilstand bør IKKE bruges i produktions>installationer!

Så vi har vores vault-adresse og rod-tokenet.

  • MariaDB
docker run --rm \
    --name mariadb \
    -p 3306:3306 \
    -e MYSQL_ROOT_PASSWORD=mysecretpw \
    -d mariadb:latest

Og her har vi vores root-bruger og adgangskode til MariaDB.

Fordi root-brugeren ikke skal bruges til noget, vil vi oprette en dedikeret bruger til vault-interaktioner.

Log ind på databasen ved hjælp af mysql -h 127.0.0.1 -u root -p

og opret vault-brugeren

grant CREATE USER, SELECT, INSERT, UPDATE ON *.* TO 'vault'@'%' identified by 'myvaultsecretpw' WITH GRANT OPTION;

Terraform

Med alle tjenesterne kørende og konfigurerede, er det tid til at tage sig af terraform-delen.

Endnu en gang er dette kun en POC. Alle de hårdkodede og svage adgangskoder er beregnet til testformål.

provider "vault" {
    address = "http://localhost:8200"
        #Token provided from vault container log
    token = "s.I6TnqhrgYh8uET91FUsNvIwV" 
}

resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# USERS
resource "vault_generic_endpoint" "user_userro" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/userro"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "policies": ["db-ro"],
  "password": "userro"
}
EOT
}

resource "vault_generic_endpoint" "user_userrw" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/userrw"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "policies": ["db-all", "db-ro"],
  "password": "userrw"
}
EOT
}

# POLICIES
# Read-Only access policy
resource "vault_policy" "dbro" {
  name   = "db-ro"
  policy = file("policies/dbro.hcl")
}

# All permissions access policy
resource "vault_policy" "dball" {
  name   = "db-all"
  policy = file("policies/dball.hcl")
}


# DB
resource "vault_mount" "mariadb" {
  path = "mariadb"
  type = "database"
}

resource "vault_database_secret_backend_connection" "mariadb_connection" {
  backend       = vault_mount.mariadb.path
  name          = "mariadb"
  allowed_roles = ["db-ro", "db-all"]
  verify_connection = true

  mysql{
    connection_url = "{{username}}:{{password}}@tcp(192.168.11.71:3306)/"
  }

# note that I have my database address hardcoded and I'm using my lan IP, since I'm running the mysql client directly from my host and vault/mariadb are running inside containers with their ports exposed.

  data = {
    username = "vault"
    password = "myvaultsecretpw"
  } 

}

resource "vault_database_secret_backend_role" "role" {
  backend             = vault_mount.mariadb.path
  name                = "db-ro"
  db_name             = vault_database_secret_backend_connection.mariadb_connection.name
  creation_statements = ["GRANT SELECT ON *.* TO '{{name}}'@'%' IDENTIFIED BY '{{password}}';"]
}

resource "vault_database_secret_backend_role" "role-all" {
  backend             = vault_mount.mariadb.path
  name                = "db-all"
  db_name             = vault_database_secret_backend_connection.mariadb_connection.name
  creation_statements = ["GRANT ALL ON *.* TO '{{name}}'@'%' IDENTIFIED BY '{{password}}';"]
}

Politikfiler brugt i tidligere kodeliste:

  • policies/dball.hcl
path "mariadb/creds/db-all" {
  policy = "read"
  capabilities = ["list"]
}

  • policies/dbro.hcl
path "mariadb/creds/db-ro" {
  policy = "read"
  capabilities = ["list"]
}

Efter dette, den sædvanlige proces:
terraform init
terraform apply

Og vi har alt klar til nogle test.

Test

Test af RO-brugeren

Log ind på vault

$ vault login -method userpass username=userro
Password (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
(...)

anmode om DB-legitimationsoplysninger

$ vault read mariadb/creds/db-ro
Key                Value
---                -----
lease_id           mariadb/creds/db-ro/uGldyp0BAa2GhUlFyrEwuIbs
lease_duration     168h
lease_renewable    true
password           8vykdcZNHp-I0pajVtoN
username           v_userpass-d_db-ro_75wxnJaL69FW4

Log ind på DB
(HUSK:Den næste cmd er en virkelig DÅRLIG PRAKSIS!!!)

$ mysql -h 127.0.0.1 -u v_userpass-d_db-ro_75wxnJaL69FW4 -p'8vykdcZNHp-I0pajVtoN'

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 101
Server version: 10.3.13-MariaDB-1:10.3.13+maria~bionic mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

... prøv at gøre ting

MariaDB [(none)]> create database my_database;
ERROR 1044 (42000): Access denied for user 'v_userpass-d_db-ro_75wxnJaL69FW4'@'%' to database 'my_database'

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| my_db              |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]> use my_db;

Database changed
MariaDB [my_db]> show tables;
+-----------------+
| Tables_in_my_db |
+-----------------+
| my_table        |
+-----------------+
1 row in set (0.00 sec)

MariaDB [my_db]> select * from my_table;
Empty set (0.00 sec)

MariaDB [my_db]> 

Test af RW-brugeren

Log ind på vault

$ vault login -method userpass username=userrw
Password (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
(...)

anmode om DB-legitimationsoplysninger

$ vault read mariadb/creds/db-all
Key                Value
---                -----
lease_id           mariadb/creds/db-all/GHRHvpuqa2ITP9tX54YHEePl
lease_duration     168h
lease_renewable    true
password           L--8mPBoprFZcaItINKI
username           v_userpass-j_db-all_DMwlhs9nGxA8

Log ind på DB
(HUSK IGEN:Den næste cmd er en virkelig DÅRLIG PRAKSIS!!!)

$ mysql -h 127.0.0.1 -u v_userpass-j_db-all_DMwlhs9nGxA8 -p'L--8mPBoprFZcaItINKI'
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 109
Server version: 10.3.13-MariaDB-1:10.3.13+maria~bionic mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>  

... prøv at gøre ting

MariaDB [(none)]> create database my_database;
Query OK, 1 row affected (0.01 sec)

MariaDB [(none)]> use my_db;
Database changed

MariaDB [my_db]> create table the_table (i integer);
Query OK, 0 rows affected (0.03 sec)

MariaDB [my_db]> show tables;
+-----------------+
| Tables_in_my_db |
+-----------------+
| my_table        |
| the_table       |
+-----------------+
2 rows in set (0.00 sec)

Og det er det. Vi har nu basen for vores MariaDB dynamiske/midlertidige brugere.


  1. Rails Console finder brugere efter række id'er

  2. Forskellen mellem inline og out-of-line begrænsninger

  3. Sådan genererer du tilføje kolonneerklæring for alle tabellerne i en database i SQL Server - SQL Server / T-SQL selvstudium del 49

  4. Sekventielle gennemløbshastigheder og feeds