Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing Databases with Dynamic Credentials and HashiCorp’s Vault

372 views

Published on

PGDay.Seoul 2019

Published in: Internet
  • Be the first to comment

Securing Databases with Dynamic Credentials and HashiCorp’s Vault

  1. 1. Securing Databases with Dynamic Credentials and HashiCorp’s Vault PGDay.Seoul 2019 FB/hyeongchae.lee 1PGDay.Seoul 2019
  2. 2. Temporary Security Credentials • shell script 또는 config 안에 username, password 필요한 경우 • 개발팀에서 운영 DB서버에 접속하여 몇가지 확인하고 싶을 경우 • 단발성 계정 생성 및 삭제가 빈번하게 일어날 경우 • GDPR 처럼 보안규정상 password expired 가 필요한 경우 PGDay.Seoul 2019 2
  3. 3. Ansible : ssh delima PGDay.Seoul 2019 3
  4. 4. HashiCorp 4PGDay.Seoul 2019
  5. 5. HashiCorp’s Vault 란? 5PGDay.Seoul 2019
  6. 6. Vault’s Policies 6PGDay.Seoul 2019
  7. 7. Vault’s Polcies path “postgresql/creds/readonly” { capabilities = ["create", "read", "update", "delete", "list"] } root@pgsql12:/# ls -la /var/lib/postgresql/data/ drwx------ 19 postgres postgres 4096 Dec 2 02:45 . drwxr-xr-x 1 postgres postgres 4096 Nov 23 08:10 .. drwx------ 6 postgres postgres 4096 Dec 2 05:19 base drwx------ 2 postgres postgres 4096 Dec 2 06:58 global -rw------- 1 postgres postgres 4535 Dec 2 02:45 pg_hba.conf PGDay.Seoul 2019 7
  8. 8. HashiCorp’s Vault 8PGDay.Seoul 2019
  9. 9. Vault’s Token $ vault read postgresql/creds/readonly Key Value --- ----- lease_id postgresql/creds/readonly/Dw35ApjCjE3x4WolwcD4GTgq lease_duration 1h lease_renewable true password ee1a06db-9d28-2e74-41fc-c97a8d137dd8 username token-a6c161c7-dbee-b2b1-4ede-7300ed4350fa PGDay.Seoul 2019 9
  10. 10. Dynamically Securing Databases using Vault 10PGDay.Seoul 2019 Security Team Define secret policies PostgreSQL APPs username : root password : password Rotate the root credentials username : root password : newpassword Create DB credentials username : token-a6c161c… password : ee1a06db-9d… App gets unique set of DB Credentials to connect Read / Write from DB 1 1 2 2 3 4
  11. 11. PotgreSQL Secrets Engine $ export VAULT_ADDR="http://127.0.0.1:8200" $ export VAULT_TOKEN="vault" $ vault secrets enable postgresql # dba admin / superuser $ vault write postgresql/config/connection connection_url="postgresql://root:root@172.16.100.1:5432/postgres?sslmode=disable" # create user and role $ vault write postgresql/roles/readonly sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";" # get credential $ vault read postgresql/creds/readonly PGDay.Seoul 2019 11 2 1 1 2 3 no policies get token connect create credential get credential
  12. 12. 승인 워크플로우 (Approval Workflow) 12PGDay.Seoul 2019 1 2 3 4 5 Developer Dev Manager “You’re fired” DevOps Update /request_pgsql_access Auth / Role
  13. 13. 액세스 워크플로우 ( Access Workflow ) 13PGDay.Seoul 2019 Developer SQLGate / flyway psql client / Token CLI / HTTP API 15 2 3 4 6 Auth / Role Personal Identification
  14. 14. https://github.com/sql2/PostgreSQL_with_Dynamic_Credentials PGDay.Seoul 2019 14
  15. 15. PGDay.Seoul 2019 15

×