
Securing Databases with Dynamic Credentials and HashiCorp’s Vault


  1. Securing Databases with Dynamic Credentials and HashiCorp’s Vault. PGDay.Seoul 2019, FB/hyeongchae.lee
  2. Temporary Security Credentials
     - when a shell script or a config file needs a username and password
     - when the development team wants to connect to the production DB server to check a few things
     - when one-off accounts are created and deleted frequently
     - when a security regulation such as GDPR requires passwords to expire
  3. Ansible: the ssh dilemma
  4. HashiCorp
  5. What is HashiCorp’s Vault?
  6. Vault’s Policies
  7. Vault’s Policies

       path "postgresql/creds/readonly" {
         capabilities = ["create", "read", "update", "delete", "list"]
       }

     The slide sets this policy beside the Unix permissions on the PostgreSQL data directory, the nearest familiar analogue:

       root@pgsql12:/# ls -la /var/lib/postgresql/data/
       drwx------ 19 postgres postgres 4096 Dec  2 02:45 .
       drwxr-xr-x  1 postgres postgres 4096 Nov 23 08:10 ..
       drwx------  6 postgres postgres 4096 Dec  2 05:19 base
       drwx------  2 postgres postgres 4096 Dec  2 06:58 global
       -rw-------  1 postgres postgres 4535 Dec  2 02:45 pg_hba.conf
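The policy on the slide grants five capabilities on postgresql/creds/readonly, but issuing a credential is a single read of that path; create/update/delete/list add nothing an application needs and widen what a stolen token can do. The following added example (written for this page, not code from the talk or from HashiCorp) parses the stanza shape used on the slide and reports capabilities beyond the minimum. The two sample policies are constructed here; the assumption that a consumer only ever reads the creds path is stated in the code.

```python
import re
from typing import Dict, List, Set

# Constructed samples: the policy from the slide and a least-privilege
# rewrite (assumption: the client only ever reads credentials).
SLIDE_POLICY = """
path "postgresql/creds/readonly" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
"""

MINIMAL_POLICY = """
path "postgresql/creds/readonly" {
  capabilities = ["read"]
}
"""

_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAPS = re.compile(r"capabilities\s*=\s*\[([^\]]*)\]", re.S)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Read `path "..." { capabilities = [...] }` stanzas. Deliberately
    small: it handles the shape on the slide, not arbitrary HCL."""
    policy: Dict[str, Set[str]] = {}
    for path, body in _STANZA.findall(hcl):
        caps: Set[str] = set()
        match = _CAPS.search(body)
        if match:
            caps = {c.strip().strip('"') for c in match.group(1).split(",") if c.strip()}
        policy[path] = caps
    return policy


# Issuing a dynamic credential is a read of <mount>/creds/<role>; nothing
# else is needed on that path. Lease renewal goes through sys/leases/renew,
# which Vault's built-in default policy already covers.
CREDS_NEEDED = {"read"}


def lint_policy(hcl: str) -> List[str]:
    """Return one finding per path that grants more than its purpose needs."""
    findings: List[str] = []
    for path, caps in parse_policy(hcl).items():
        segments = path.split("/")
        if "creds" in segments:
            extra = caps - CREDS_NEEDED
            if extra:
                findings.append(
                    f'{path}: drop {sorted(extra)}; "read" alone issues a credential')
        if "sudo" in caps:
            findings.append(f"{path}: sudo is never needed to consume dynamic credentials")
        if any(seg in ("*", "+") for seg in segments) or path.endswith("*"):
            findings.append(f"{path}: wildcard path; name the role explicitly")
    return findings


if __name__ == "__main__":
    for label, text in (("slide", SLIDE_POLICY), ("minimal", MINIMAL_POLICY)):
        print(label, lint_policy(text) or "ok")
```

Run this over every policy that is attached to application tokens before it is written to Vault; a creds path with anything beyond "read", or a wildcard role name, is the finding to chase.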
  8. HashiCorp’s Vault
  9. Vault’s Token

       $ vault read postgresql/creds/readonly
       Key                Value
       ---                -----
       lease_id           postgresql/creds/readonly/Dw35ApjCjE3x4WolwcD4GTgq
       lease_duration     1h
       lease_renewable    true
       password           ee1a06db-9d28-2e74-41fc-c97a8d137dd8
       username           token-a6c161c7-dbee-b2b1-4ede-7300ed4350fa
  10. Dynamically Securing Databases using Vault (diagram with the Security Team, Vault, PostgreSQL and the apps)
      1. The security team defines the secret policies in Vault.
      2. Vault rotates the PostgreSQL root credentials (username root, password "password" becomes "newpassword").
      3. Vault creates DB credentials on request (username token-a6c161c…, password ee1a06db-9d…); each app gets its own unique set of DB credentials to connect with.
      4. The app reads from / writes to the DB with those credentials.
  11. PostgreSQL Secrets Engine

       $ export VAULT_ADDR="http://127.0.0.1:8200"
       $ export VAULT_TOKEN="vault"   # root token of a dev-mode server; use a scoped token outside demos
       $ vault secrets enable postgresql

       # DBA admin / superuser account Vault will use to create roles
       $ vault write postgresql/config/connection \
           connection_url="postgresql://root:root@172.16.100.1:5432/postgres?sslmode=disable"

       # role template: {{name}}, {{password}} and {{expiration}} are filled in by Vault on each read
       # (inner double quotes must be escaped, otherwise the shell ends the argument early)
       $ vault write postgresql/roles/readonly \
           sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"

       # get a credential
       $ vault read postgresql/creds/readonly

      Two caveats for production use: sslmode=disable sends the superuser password in clear between Vault and PostgreSQL, so require sslmode=verify-full there; and GRANT SELECT ON ALL TABLES only covers tables that exist when the role is created, so tables added later need ALTER DEFAULT PRIVILEGES or a per-read grant.

      (Diagram on the slide: a client starts with no policies, gets a token, connects, Vault creates the credential, the client gets the credential.)
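What the secrets engine does on every `vault read postgresql/creds/readonly` is easy to lose in the three commands above: it mints a name and password, substitutes them and a lease-derived expiry into the role SQL, runs that against PostgreSQL, and remembers a revocation to run when the lease ends. The simulation below is an added example for this page, not Vault's code: it renders the same SQL template registered on the slide and shows the defence-in-depth property of VALID UNTIL, which makes PostgreSQL itself refuse the login after the lease even if Vault's revocation never runs. The username shape `token-<uuid>` and the uuid-shaped password follow the vault read output on slide 9; the expiration timestamp format, the revocation statement and the constant T0 are assumptions of the example.

```python
"""Local simulation of one dynamic-credential lease. Nothing here talks to
Vault or PostgreSQL; it only shows what is rendered and when it stops working."""
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# The creation SQL registered on the slide, placeholders intact.
CREATION_SQL = (
    'CREATE ROLE "{{name}}" WITH LOGIN PASSWORD \'{{password}}\' '
    "VALID UNTIL '{{expiration}}'; "
    'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";'
)

# The slide registers no revocation SQL; this one is assumed for the example.
REVOCATION_SQL = (
    'REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM "{{name}}"; '
    'DROP ROLE IF EXISTS "{{name}}";'
)

# Constructed issue time so the demo is reproducible.
T0 = datetime(2019, 12, 2, 2, 45, tzinfo=timezone.utc)


def render(template: str, **fields: str) -> str:
    """Substitute Vault-style {{placeholders}} and refuse to leave any behind."""
    for key, value in fields.items():
        template = template.replace("{{" + key + "}}", value)
    if "{{" in template:
        raise ValueError("unfilled placeholder in: " + template)
    return template


def issue_credential(display_name: str = "token",
                     ttl: timedelta = timedelta(hours=1),
                     now: Optional[datetime] = None) -> dict:
    """Mint one credential with a lease of `ttl` starting at `now`."""
    now = now or datetime.now(timezone.utc)
    name = f"{display_name}-{uuid.uuid4()}"      # token-<uuid>, as on slide 9
    password = str(uuid.uuid4())                 # uuid4 draws from os.urandom
    expires_at = now + ttl
    expiration = expires_at.strftime("%Y-%m-%d %H:%M:%S+00")  # format assumed
    return {
        "username": name,
        "password": password,
        "lease_duration": int(ttl.total_seconds()),
        "expires_at": expires_at,
        "creation_sql": render(CREATION_SQL, name=name, password=password,
                               expiration=expiration),
        "revocation_sql": render(REVOCATION_SQL, name=name),
    }


def db_accepts_login(cred: dict, at: datetime) -> bool:
    """What PostgreSQL enforces on its own through VALID UNTIL: once the
    timestamp has passed the role cannot log in, revocation or not."""
    return at < cred["expires_at"]


def demo() -> dict:
    """Issue a 1h credential at T0 and probe it inside and after the lease."""
    cred = issue_credential(now=T0)
    return {
        "cred": cred,
        "login_at_30min": db_accepts_login(cred, T0 + timedelta(minutes=30)),
        "login_at_2h": db_accepts_login(cred, T0 + timedelta(hours=2)),
    }


if __name__ == "__main__":
    result = demo()
    print(result["cred"]["creation_sql"])
    print(result["cred"]["revocation_sql"])
    print("login after 30 min:", result["login_at_30min"])
    print("login after 2 h:   ", result["login_at_2h"])
```

The point to take to production is the second check: a lease_duration with no VALID UNTIL leaves a live role behind whenever Vault is unreachable at lease end, so keep the expiry in the SQL template even though Vault will also revoke.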
  12. Approval Workflow (diagram, five steps between Developer, Dev Manager and DevOps): the developer sends /request_pgsql_access, the dev manager approves it (the slide's alternative outcome: "You're fired"), and DevOps updates the Auth / Role configuration in Vault.
  13. Access Workflow (diagram, six steps): the developer proves personal identification, is mapped to an Auth / Role, receives a token, and uses it through the Vault CLI or HTTP API from the psql client, SQLGate or flyway.
  14. https://github.com/sql2/PostgreSQL_with_Dynamic_Credentials
