wip vault

1e73b750 · Vincent Mazenod · 7982f9ae · 1e73b750 · 1e73b750
Commit 1e73b750 authored 5 years ago by Vincent Mazenod
--- a/content/slides/privacy/images/vault/password_management.jpg
+++ b/content/slides/privacy/images/vault/password_management.jpg
--- a/content/slides/privacy/md/vault.md
+++ b/content/slides/privacy/md/vault.md
@@ -28,10 +28,10 @@
 ## gestion de mot de passe
-[ photo ]
+![vault](images/vault/password_management.jpg "vault")<!-- .element width="80%" -->
-## servicess
+## services
 * [LastPass](https://www.lastpass.com/fr)
 * [Dashlane](https://www.dashlane.com/)
@@ -48,19 +48,35 @@
 * [KeePass2Android](https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=fr)
 * iKeePass?
-* pas de gestion collaborative
+<br />
-* pas d'ACL
+### pas de gestion collaborative!
+### pas d'ACL!
 ## Vault
 * Un binaire: [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)
-  * serveur
+  * un serveur
-    * créer un service systemd
+    * une api
+    * une UI
+  * un cli
-  * cli
+* [écrit en go](https://github.com/hashicorp/hcl)
-    * `/usr/local/bin/vault `
+* [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html)
+* cross plateform
+## Utilisation
+* via la ligne de commande
+  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
+    * cross plateform
+    * deux variables d'environnement
+      * $VAULT_ADDR=https://vault.isima.fr
+      * $VAULT_TOKEN ou authentification ldap
+* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
 ## Configuration
@@ -181,68 +197,33 @@ $ vault login -method=ldap username=vimazeno
  * stocke le token d'authentificayion dans ~/.vault-token
-## LDAP
-```shell
-$ vault write auth/ldap/config \
-    url="ldaps://samantha.local.isima.fr" \
-    userattr="sAMAccountName" \
-    userdn="dc=local,dc=isima,dc=fr" \
-    groupattr="cn" \
-    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
-    groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
-    binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
-    bindpass="secret" \
-    insecure_tls="false" \
-    starttls="true"
-```
-[<i class="fa fa-book" aria-hidden="true"></i> LDAP Auth Method](https://www.vaultproject.io/docs/auth/ldap.html)
 ## Policy
-/etc/vault/users/cri.hcl
+description `/etc/vault/cri.hcl` ([hcl](https://github.com/hashicorp/hcl))
 ```
 # Write and manage secrets in key-value secret engine
 path "cri/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
 }
-# To enable secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-path "cubbyhole/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
 ```
+* écriture
 ```shell
-$ vault policy write cri /etc/vault/cri.hcl
+$ vault policy write cri `/etc/vault/cri.hcl`
 ```
+* application à un groupe
-## appliquer une policy à un groupe ldap
 ```shell
 $ vault write auth/ldap/groups/cri policies=cri
 ```
+* création de token à aprtir de la policy
-## Utilisation
+```shell
+$ vault token create -policy=cri
-* via la ligne de commande
+```
-  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
-    * cross plateform
-    * deux variables d'environnement
-      * $VAULT_ADDR=https://vault.isima.fr
-      * $VAULT_TOKEN ou authentification ldap
-* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
 ## Workflow
@@ -259,26 +240,6 @@ $ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50)
 $ vault delete cri/test
 ```
-## création de token
-my.hcl
-```
-path "secret/data/cri/apps/my" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-```
-```shell
-$ vault policy write vault/hcl/apps/my.hcl
-$ vault token create -policy=my
-```
-## Audit
 ## avec ansible
 * lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)