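#!/bin/bash
# Stand up a throwaway in-memory Vault server on 127.0.0.1:8200, create the
# "team1" namespace, and exercise a control-group-gated policy write:
#   - an "admin" userpass user in the root namespace (policy nsadmin) writes
#     a policy under team1/sys/policy/*; that path carries a control group
#     requiring one approval from the "approvers" identity group;
#   - an "approver" userpass user in team1 (policy nsapprover) looks up the
#     pending request by accessor and authorizes it.
#
# Requires: vault, jq and nc on PATH. Writes /tmp/config.hcl, /tmp/config.log,
# /tmp/vault.pid, /tmp/nsadmin.hcl and /tmp/nsapprover.hcl.
#
# Shell options:
#   -e            abort on the first failing command
#   -u            unset variables are errors
#   -o pipefail   a failing `vault ... | jq` stops the script instead of
#                 handing an empty token to the next step
#   -x            trace every command to stderr; the trace includes the
#                 unseal key, root token and client tokens, which is only
#                 acceptable because this is a local throwaway server
# The original `-a` (auto-export) is dropped: nothing here reads these
# variables from the environment, and exporting them placed the root token
# in the environ of every child process.
set -euo pipefail
set -x

# Kill any previous server so port 8200 and the in-memory state start fresh.
pkill -9 vault || true
sleep 2s

# Dev-only listener: in-memory storage, TLS off, loopback only.
tee /tmp/config.hcl <<EOF
storage "inmem" {}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
pid_file = "/tmp/vault.pid"
EOF

vault server -config /tmp/config.hcl > /tmp/config.log 2>&1 &

# Wait until the listener accepts connections before calling the API.
while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done

# One share with threshold one, so a single key unseals.
initResponse=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
unsealKey=$(jq -r '.unseal_keys_b64[0]' <<<"$initResponse")
rootToken=$(jq -r '.root_token' <<<"$initResponse")

vault operator unseal "$unsealKey"
sleep 3s
vault login "$rootToken"

vault namespace create team1

# Namespace-admin policy: full access to team1, except that creating or
# updating policies is gated behind a control group approved by "approvers".
cat > /tmp/nsadmin.hcl <<EOF
# Default to granting full access to the namespace
path "team1/*" {
capabilities = [
"create", "read", "update", "delete", "list", "sudo"
]
}
# Limit creation of new policies to those approved by Infra
path "team1/sys/policy/*" {
capabilities = ["delete", "list", "read"]
}
path "team1/sys/policies/acl/*" {
capabilities = ["delete", "list", "read"]
}
# Annoyingly writing a new policy requires updated permission rather than create permission
# so we cannot differentiate between the two actions here
path "team1/sys/policy/*" {
capabilities = ["create", "update"]
control_group = {
ttl = "168h"
factor "infra approval" {
identity {
group_names = ["approvers"]
approvals = 1
}
}
}
}
path "team1/sys/policies/acl/*" {
capabilities = ["create", "update"]
control_group = {
ttl = "168h"
factor "infra approval" {
identity {
group_names = ["approvers"]
approvals = 1
}
}
}
}
EOF
vault policy write nsadmin /tmp/nsadmin.hcl

# Approver policy: may inspect and authorize control-group requests, both at
# the root and inside the team1 namespace.
cat > /tmp/nsapprover.hcl <<EOF
# To approve the request
path "sys/control-group/authorize" {
capabilities = ["create", "update"]
}
# To check control group request status
path "sys/control-group/request" {
capabilities = ["create", "update"]
}
# To approve the request
path "team1/sys/control-group/authorize" {
capabilities = ["create", "update"]
}
# To check control group request status
path "team1/sys/control-group/request" {
capabilities = ["create", "update"]
}
EOF
vault policy write -ns team1 nsapprover /tmp/nsapprover.hcl

# userpass in both namespaces; "admin" lives in root, "approver" in team1.
vault auth enable userpass
vault auth enable -ns team1 userpass
vault write auth/userpass/users/admin password=bar policies=nsadmin
vault write -ns team1 auth/userpass/users/approver password=bar policies=nsapprover

nsAdminToken=$(vault write -format json auth/userpass/login/admin password=bar | jq -r '.auth.client_token')
nsApproverToken=$(vault write -ns team1 -format json auth/userpass/login/approver password=bar | jq -r '.auth.client_token')

# The control group factor matches on identity group membership, so the
# approver's entity must be a member of "approvers" in team1.
nsApproverEntityID=$(VAULT_TOKEN="$nsApproverToken" vault token lookup -ns team1 -format json | jq -r '.data.entity_id')
vault write -format json -ns team1 identity/group name=approvers member_entity_ids="$nsApproverEntityID"
vault read -format json -ns team1 identity/group/name/approvers

# The gated write does not apply the policy; it returns a wrapped response
# whose accessor identifies the pending control-group request.
wrappedResponse=$(VAULT_TOKEN="$nsAdminToken" vault write -format json -ns team1 sys/policy/xname02 policy="#test")
accessor=$(jq -r '.wrap_info.accessor' <<<"$wrappedResponse")
# jq prints the string "null" when .wrap_info is absent, i.e. the write was
# not gated; fail here rather than on a confusing error from the request call.
if [[ -z "$accessor" || "$accessor" == null ]]; then
  printf 'policy write was not wrapped by a control group: %s\n' "$wrappedResponse" >&2
  exit 1
fi

VAULT_TOKEN="$nsApproverToken" vault write -ns team1 sys/control-group/request accessor="$accessor"
VAULT_TOKEN="$nsApproverToken" vault write -ns team1 sys/control-group/authorize accessor="$accessor"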