์ด์ „์˜ ๋‘ ํฌ์ŠคํŠธ์—์„œ ๋ณผํŠธ๋ฅผ ์„ค์น˜-์„ค์ •ํ•˜๊ณ  ํŽธ๋ฆฌํ•˜๊ฒŒ ์‚ฌ์šฉํ•˜๊ธฐ ์œ„ํ•œ UI๊นŒ์ง€ ํ™œ์„ฑํ™” ํ–ˆ๋‹ค. ์ด๋ฒˆ ํฌ์ŠคํŠธ์—์„œ๋Š” ๋ณผํŠธ์˜ ์ ‘๊ทผ ๊ถŒํ•œ์„ ์ œ์–ดํ•˜๋Š” ์ •์ฑ… ์„ค์ •์— ๋Œ€ํ•ด ์•Œ์•„๋ณผ ์ฐจ๋ก€๋‹ค.

๋‹ค์‹œ ๋งํ•˜์ง€๋งŒ ๋ณผํŠธ๋Š” ๋ชจ๋“  ์ค‘์š”ํ•œ ์ •๋ณด๋ฅผ ๋‹ด๊ณ  ์žˆ๋Š” ์•„์ฃผ ์ค‘์š”ํ•œ ์„œ๋น„์Šค์ด๋‹ค. ๋‹น์—ฐํžˆ ๋ชจ๋“  ์‚ฌ๋žŒ์ด ๋ฃจํŠธ ๊ถŒํ•œ์„ ๊ฐ€์ง€๊ณ  ๋ชจ๋“  ์ •๋ณด์— ์—‘์„ธ์Šคํ•˜๊ณ , ๋ณ€๊ฒฝํ•˜๋Š” ๊ฒƒ์€ ์•„์ฃผ ์œ„ํ—˜ํ•˜๋‹ค. ๋”ฐ๋ผ์„œ ๋ณผํŠธ๋Š” ์ด๋Ÿฌํ•œ ์ ‘๊ทผ ๊ถŒํ•œ(ACL Policy) ์„ค์ • ๊ธฐ๋Šฅ์„ ์ œ๊ณตํ•œ๋‹ค.

Policy๋Š” GUI๋กœ ์ƒ์„ฑํ•˜๋Š”๊ฒŒ ๋” ํŽธํ•œ๊ฒƒ๊ฐ™์•„์„œ ์—ฌ๊ธฐ์„œ๋Š” GUI๋ฅผ ์‚ฌ์šฉํ•˜๊ฒ ๋‹ค.

์ฒซ๋ฒˆ์งธ ์ •์ฑ…์„ ๋งŒ๋“ค์–ด๋ณด์ž

์ •์ฑ…์„ ๋งŒ๋“ค๊ธฐ์— ์•ž์„œ ๋จผ์ € ์‹œํฌ๋ฆฟ ๋ฐฑ์•ค๋“œ ์ค‘ secret์— my-first-secret ์ด๋ผ๋Š” secret์„ ๋งŒ๋“ค๊ณ  hello: world๋ผ๋Š” ๋‚ด์šฉ์„ ์ฑ„์›Œ๋ณด์ž.

๋˜๋Š” ๋‹ค์Œ์˜ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์ž

$ vault write secret/my-first-secret hello=world

image.png

๋ฃจํŠธ ๊ถŒํ•œ์„ ๊ฐ€์ง€๊ณ  ๋กœ๊ทธ์ธ ํ•œ ํ›„ ์ •์ฑ…์„ ํŽธ์ง‘ํ•˜๊ธฐ ์œ„ํ•ด์„  Policies ํƒญ์— ๋“ค์–ด๊ฐ€์ž.

๊ธฐ๋ณธ์ ์œผ๋กœ๋Š” root์™€ default๊ฐ€ ์กด์žฌํ•  ๊ฒƒ์ด๋‹ค.

์šฐ๋ฆฌ๊ฐ€ ๋งŒ๋“ค ์ •์ฑ…์€ ํ•ด๋‹น ์ •๋ณด๊ฐ€ ์žˆ๋Š” ๊ฒฝ๋กœ์— ์ ‘๊ทผํ•˜์—ฌ ์ฝ๊ธฐ๋งŒ ๊ฐ€๋Šฅํ•˜๊ฒŒ ๋งŒ๋“ค๊ฒƒ์ด๋‹ค.

๋จผ์ € ๋งˆ์šดํŠธ๋œ ์‹œํฌ๋ฆฟ ๋ฐฑ์•ค๋“œ์™€ ์‹œํฌ๋ฆฟ ๋ฆฌ์ŠคํŠธ๋ฅผ ๋ณผ ์ˆ˜ ์žˆ๊ฒŒ ํ•˜๊ธฐ ์œ„ํ•ด default ์ •์ฑ…์— ๋‹ค์Œ์˜ ๋‚ด์šฉ์„ ์ถ”๊ฐ€ํ•˜์ž.

path "sys/mounts" = {
  capabilities = ["read"]
}

path "sys/auth" = {
  capabilities = ["read"]
}

path "secret/" = {
  capabilities = ["list", "read"]
}

create ACL policy ๋ฒ„ํŠผ์„ ๋ˆŒ๋Ÿฌ ์ •์ฑ…์„ ์ถ”๊ฐ€ ํ•  ์ˆ˜ ์žˆ๋‹ค.

์ด๋ฆ„์„ hello-world-read-only๋กœ ์ง€์ •ํ•˜๊ณ 

๋‹ค์Œ์˜ HCL ์ฝ”๋“œ๋ฅผ ์‚ฌ์šฉํ•ด ์ •์ฑ…์„ ์ง€์ •ํ•˜์ž. ๋˜๋Š” ๊ฐ™์€ ์˜๋ฏธ์˜ JSON์„ ์‚ฌ์šฉํ•  ์ˆ˜๋„ ์žˆ๋‹ค.

path "secret/my-first-secret" {
    capabilities = ["read"]
}

image.png

์ด์ œ ์šฐ๋ฆฌ์˜ ์ฒซ๋ฒˆ์งธ ์ •์ฑ…์ด ๋งŒ๋“ค์–ด ์กŒ๋‹ค.

Policy Syntax

๊ฐ„๋‹จํ•œ ์ฒซ๋ฒˆ์งธ ์ •์ฑ…์„ ๋งŒ๋“ค์–ด ๋ณด์•˜์œผ๋‹ˆ ์ข€๋” ์ƒ์„ธํ•œ ์ •์ฑ…์„ ๊ตฌ์„ฑํ•˜๊ธฐ ์œ„ํ•œ ์ •์ฑ… ๋ฌธ๋ฒ•์— ๋Œ€ํ•ด ์•Œ์•„๋ณด์ž.

์ •์ฑ…์€ Hashicorp์˜ ๋‹ค์–‘ํ•œ ์ œํ’ˆ๋“ค์ด ๊ทธ๋Ÿฌํ•˜๋“ฏ HCL๊ณผ JSON์„ ์‚ฌ์šฉํ•˜์—ฌ ๊ตฌ์„ฑํ•  ์ˆ˜ ์žˆ๋‹ค.
์—ฌ๊ธฐ์„œ๋Š” HCL์„ ์‚ฌ์šฉํ•  ๊ฒƒ์ด๋‹ค.

๊ฐ€์žฅ ๊ฐ„๋‹จํ•œ Policy๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์ด ๊ตฌ์„ฑ๋œ๋‹ค.

path "secret/foo" {
  capabilities = ["read"]
}

path๋ฅผ ํŽธ์ง‘ํ•˜์—ฌ ์ •๋ณด์— ๋Œ€ํ•œ ์ ‘๊ทผ ๊ถŒํ•œ์„ ์ง€์ •ํ•  ์ˆ˜ ์žˆ๊ณ  capabilities๋Š” ํ•ด๋‹น path์— ๋Œ€ํ•œ ๊ถŒํ•œ์„ ์„ค์ •ํ•œ๋‹ค. ๋˜ํ•œ allowed_parameters ์˜ต์…˜์„ ํ†ตํ•˜์—ฌ ํŠน์ •ํ•œ Key์˜ Vaule์— ๋“ค์–ด๊ฐˆ ์ˆ˜ ์žˆ๋Š” ๊ฐ’์˜ ๋ชฉ๋ก์„ ์ง€์ •ํ•  ์ˆ˜ ์žˆ๋‹ค.

capabilities๋Š” ๋‹ค์Œ์ค‘ ๋ณต์ˆ˜์˜ ์˜ต์…˜์„ ์„ ํƒํ•  ์ˆ˜ ์žˆ๋‹ค.

  • create
  • read
  • update
  • delete
  • list
  • sudo: root ๋กœ ๋ณดํ˜ธ๋œ ๊ณณ์— ์ ‘๊ทผํ•˜๊ฒŒ ํ•ด ์ค€๋‹ค. read, update๋ฅผ ๋ช…์‹œํ•ด ์ฃผ์–ด์•ผ ํ•œ๋‹ค.
  • deny - ํ•ด๋‹น ๊ฒฝ๋กœ์— ๋Œ€ํ•œ ์ ‘๊ทผ์„ ์ฐจ๋‹จํ•œ๋‹ค. ๋‹ค๋ฅธ ์„ค์ •๋ณด๋‹ค ์šฐ์„ ํ•œ๋‹ค.

๋‹ค์Œ์˜ ์˜ˆ์‹œ๋ฅผ ๋ณด์ž

# secret ์•„๋ž˜ ๋ชจ๋“  ๊ฒฝ๋กœ์— ๋Œ€ํ•˜์—ฌ ๋‹ค์Œ์˜ capabilities๊ฐ€ ์ ์šฉ๋œ๋‹ค
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# deny๊ฐ€ ์ ์šฉ๋˜์–ด ์œ„์—์„œ ์ง€์ •ํ•œ ์„ค์ •์ด ์žˆ์ง€๋งŒ secret/super-secret์—๋Š” ์ ‘๊ทผํ•  ์ˆ˜ ์—†๋‹ค.
path "secret/super-secret" {
  capabilities = ["deny"]
}

# foo๋Š” ์•„๋ฌด ๊ฐ’์ด๋‚˜ ๋“ค์–ด๊ฐ€์ง€๋งŒ bar๋Š” zip๋˜๋Š” zap ๋งŒ ์„ค์ •ํ•  ์ˆ˜ ์žˆ๋‹ค.
path "secret/restricted" {
  capabilities = ["create"]
  allowed_parameters = {
    "foo" = []
    "bar" = ["zip", "zap"]
  }

# prefix๋ฅผ ์ง€์ •ํ•  ์ˆ˜ ์žˆ๋‹ค.
secret/zip-zap์—๋Š” read ๋งŒ ํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋œ๋‹ค.
path "secret/zip-*" {
  capabilities = ["read"]
}

์ง€๊ธˆ๊นŒ์ง€ ๊ธฐ๋ณธ์ ์ธ Vault์˜ ๊ถŒํ•œ ์„ค์ •์— ๋Œ€ํ•ด์„œ ์•Œ์•„๋ณด์•˜๋‹ค. ๋”์šฑ ์ƒ์„ธํ•œ ๋‚ด์šฉ์€ Vault์˜ Policies ๋ฌธ์„œ๋ฅผ ์ฝ์–ด๋ณด๋„๋ก ํ•˜์ž

๋‹ค์Œ์—๋Š” Secret Backend์˜ ์‚ฌ์šฉ์— ๋Œ€ํ•ด ์•Œ์•„๋ณผ ์˜ˆ์ •์ด๋‹ค.