Cross-NS entity Vault test
# Cross-namespace identity-entity test against a local Vault server.
# Flow: create two namespaces (foo, bar), one userpass user in each, one KV
# secret in each, log in as each user, confirm that a bar token cannot read
# foo's KV, then try to merge the foo entity into the bar entity. The merge at
# the end fails because an entity belongs to the namespace it was created in.
# Not shown here but required beforehand: a root token whose value is the
# literal string "root" (used in the curl calls below), an audit device already
# writing to /tmp/audit, `jq`, and the third-party `vault-auditor` client
# counting tool.
# Setup namespaces | |
# VAULT_ADDR is plain http on loopback: every token in this transcript crosses
# the socket unencrypted, which is only acceptable for a throwaway local server.
$ export VAULT_ADDR=http://127.0.0.1:8200 | |
$ vault namespace create foo | |
Key Value | |
--- ----- | |
id zI8gb | |
path foo/ | |
$ vault namespace create bar | |
Key Value | |
--- ----- | |
id izkrE | |
path bar/ | |
# The namespace ids above (zI8gb, izkrE) reappear as the suffix of every token
# and accessor issued inside that namespace further down.
# Setup auth | |
$ vault auth enable -namespace=foo userpass | |
Success! Enabled userpass auth method at: userpass/ | |
$ vault auth enable -namespace=bar userpass | |
Success! Enabled userpass auth method at: userpass/ | |
# Setup users in each namespace | |
# The password is passed as a command-line argument, so it lands in shell
# history and is visible to other local users via `ps` while the command runs.
# Fine for a lab; for anything real, feed it from a file or stdin instead.
$ vault write \ | |
-namespace=foo \ | |
auth/userpass/users/foo_user \ | |
password=Password1! \ | |
policies=foo | |
Success! Data written to: auth/userpass/users/foo_user | |
$ vault write \ | |
-namespace=bar \ | |
auth/userpass/users/bar_user \ | |
password=Password1! \ | |
policies=bar | |
Success! Data written to: auth/userpass/users/bar_user | |
# Create secrets in each namespace | |
# NOTE(review): the kv mount is enabled without -version; the `kv get` output
# below has no metadata section, which looks like KV v1 (policy path "kv/test"
# matches v1; v2 would need kv/data/test) — confirm if reproducing.
$ vault secrets enable -namespace=foo kv | |
Success! Enabled the kv secrets engine at: kv/ | |
$ vault kv put -namespace=foo kv/test value=foo | |
Success! Data written to: kv/test | |
$ vault secrets enable -namespace=bar kv | |
Success! Enabled the kv secrets engine at: kv/ | |
$ vault kv put -namespace=bar kv/test value=bar | |
Success! Data written to: kv/test | |
# Create KV policy in each | |
# Each policy is written inside its own namespace, so it only grants
# capabilities on that namespace's kv/test; this is what produces the 403
# in the cross-namespace attempt later.
$ vault policy write -namespace=foo foo - << EOF | |
path "kv/test" { | |
capabilities = ["read", "update", "list"] | |
} | |
EOF | |
Success! Uploaded policy: foo | |
$ vault policy write -namespace=bar bar - << EOF | |
path "kv/test" { | |
capabilities = ["read", "update", "list"] | |
} | |
EOF | |
Success! Uploaded policy: bar | |
# Client count baseline | |
# vault-auditor reads the audit log at /tmp/audit. Before any user login the
# only client is the root token (Non-Entity Tokens: 1, Distinct Entities: 0).
# NOTE(review): an audit log under /tmp is fine for this lab; in a real
# deployment the audit file needs restricted permissions.
$ vault-auditor parse /tmp/audit | |
Distinct Entities: 0 | |
Non-Entity Tokens: 1 | |
Total Clients: 1 | |
Total files processed: 1 | |
Date range: 2021-02-23T18:10:23Z - 2021-02-23T18:25:12Z | |
# Log into foo namespace and get KV | |
# Same password-on-argv caveat as above; omitting password= makes the CLI
# prompt for it interactively.
$ vault login \ | |
-namespace=foo \ | |
-method=userpass \ | |
username=foo_user \ | |
password=Password1! | |
Success! You are now authenticated. The token information displayed below | |
is already stored in the token helper. You do NOT need to run "vault login" | |
again. Future Vault requests will automatically use this token. | |
Key Value | |
--- ----- | |
token s.rvOhQ41PV5yhLe05WhqYge3g.zI8gb | |
token_accessor bMzrT645hR8nnzBNzkXpJjXN.zI8gb | |
token_duration 768h | |
token_renewable true | |
token_policies ["default" "foo"] | |
identity_policies [] | |
policies ["default" "foo"] | |
token_meta_username foo_user | |
# VAULT_TOKEN= pins the token for this one command. The login above already
# stored it in the token helper, so it is redundant here; it is used the same
# way below to deliberately present the bar token to namespace foo.
$ VAULT_TOKEN=s.rvOhQ41PV5yhLe05WhqYge3g.zI8gb \ | |
vault kv get \ | |
-namespace=foo \ | |
kv/test | |
==== Data ==== | |
Key Value | |
--- ----- | |
value foo | |
# Client check-in | |
# Distinct Entities went 0 -> 1: the first userpass login created an identity
# entity in namespace foo.
$ vault-auditor parse /tmp/audit | |
Distinct Entities: 1 | |
Non-Entity Tokens: 1 | |
Total Clients: 2 | |
Total files processed: 1 | |
Date range: 2021-02-23T18:10:23Z - 2021-02-23T18:30:25Z | |
###-> 1 new entity | |
# Log into bar namespace and get KV | |
$ vault login \ | |
-namespace=bar \ | |
-method=userpass \ | |
username=bar_user \ | |
password=Password1! | |
Success! You are now authenticated. The token information displayed below | |
is already stored in the token helper. You do NOT need to run "vault login" | |
again. Future Vault requests will automatically use this token. | |
Key Value | |
--- ----- | |
token s.NWr83zTjiHDiBvwiyTajnrYW.izkrE | |
token_accessor NjpLEKlu7lRgZEsqr0zz2OcI.izkrE | |
token_duration 768h | |
token_renewable true | |
token_policies ["bar" "default"] | |
identity_policies [] | |
policies ["bar" "default"] | |
token_meta_username bar_user | |
$ VAULT_TOKEN=s.NWr83zTjiHDiBvwiyTajnrYW.izkrE \ | |
vault kv get \ | |
-namespace=bar \ | |
kv/test | |
==== Data ==== | |
Key Value | |
--- ----- | |
value bar | |
# NOTE(review): no vault-auditor run is shown for this step; the tally below
# is the author's note, presumably from a run that was cut from the transcript.
###-> 1 new entity | |
## Attempt to use bar token in foo namespace | |
# Expected to fail: the bar token carries only bar's policies, and those grant
# nothing in namespace foo. The 403 is raised by the CLI's preflight mount
# lookup (the sys/internal/ui/mounts URL below), before kv/test itself is read.
$ VAULT_TOKEN=s.NWr83zTjiHDiBvwiyTajnrYW.izkrE \ | |
vault kv get \ | |
-namespace=foo \ | |
kv/test | |
Error making API request. | |
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/test | |
Code: 403. Errors: | |
* preflight capability check returned 403, please ensure client's policies grant access to path "kv/test/" | |
## Lookup entity IDs for foo_user and bar_user | |
# The root token is passed as a header value on the command line, so it is
# visible in `ps` and shell history like the passwords above; `curl -H @file`
# keeps it out of argv. `export VAR=$(...)` also hides the pipeline's exit
# status: with -s and no --fail a failed request returns an error JSON and jq
# prints "null", so check the value before using it. Picking `.data.keys[0]` is
# only safe because each namespace holds exactly one entity at this point.
$ export FOO_ID=$(curl -s \ | |
-H "X-Vault-Token: root" \ | |
-H "X-Vault-Namespace: foo" \ | |
-X LIST \ | |
http://127.0.0.1:8200/v1/identity/entity/id \ | |
| jq -r '.data.keys[0]') | |
$ echo $FOO_ID | |
0d562dbf-c57f-2d55-ccfd-3dfb52b0fc64 | |
$ export BAR_ID=$(curl -s \ | |
-H "X-Vault-Token: root" \ | |
-H "X-Vault-Namespace: bar" \ | |
-X LIST \ | |
http://127.0.0.1:8200/v1/identity/entity/id \ | |
| jq -r '.data.keys[0]') | |
# (The `$` prompt is missing on the next line in the original transcript.)
echo $BAR_ID | |
17bd8cd1-9c07-84e0-03f9-027635663e79 | |
# Merge foo_user entity into bar_user entity | |
# The merge is issued inside namespace bar (X-Vault-Namespace: bar) using the
# root-namespace root token. NOTE(review): from_entity_ids is sent as a bare
# string; the API appears to expect a list — that is not what fails here (the
# namespace check rejects first), but send an array when reproducing.
$ curl -s \ | |
-H "X-Vault-Token: root" \ | |
-H "X-Vault-Namespace: bar" \ | |
-X POST \ | |
-d "{\"to_entity_id\": \"$BAR_ID\", \"from_entity_ids\": \"$FOO_ID\"}" \ | |
http://127.0.0.1:8200/v1/identity/entity/merge | |
# Entity merge is confined to one namespace: the foo entity is not visible from
# bar, so identity cannot be unified across namespaces this way, and each
# namespace login therefore remains a separate client in the auditor count.
{"errors":["entity id to merge from does not belong to this namespace"]} | |
##-> FAIL: Can't do it! |