wip vault

1e73b750 · Vincent Mazenod · 7982f9ae · 1e73b750 · 1e73b750
Commit 1e73b750 authored 5 years ago by Vincent Mazenod
--- a/content/slides/privacy/images/vault/password_management.jpg
+++ b/content/slides/privacy/images/vault/password_management.jpg
--- a/content/slides/privacy/md/vault.md
+++ b/content/slides/privacy/md/vault.md
@@ -28,10 +28,10 @@

 ## gestion de mot de passe

-[ photo ]
+![vault](images/vault/password_management.jpg "vault")<!-- .element width="80%" -->


-## servicess
+## services

 * [LastPass](https://www.lastpass.com/fr)
 * [Dashlane](https://www.dashlane.com/)
@@ -48,19 +48,35 @@
 * [KeePass2Android](https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=fr)
 * iKeePass?

-* pas de gestion collaborative
-* pas d'ACL
+<br />
+
+### pas de gestion collaborative!
+### pas d'ACL!


 ## Vault

 * Un binaire: [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)

-  * serveur
-    * créer un service systemd
+  * un serveur
+    * une api
+    * une UI
+  * un cli

-  * cli
-    * `/usr/local/bin/vault `
+* [écrit en go](https://github.com/hashicorp/hcl)
+* [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html)
+* cross plateform
+
+  
+## Utilisation
+
+* via la ligne de commande
+  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
+    * cross plateform
+    * deux variables d'environnement
+      * $VAULT_ADDR=https://vault.isima.fr
+      * $VAULT_TOKEN ou authentification ldap
+* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)


 ## Configuration
@@ -181,68 +197,33 @@ $ vault login -method=ldap username=vimazeno
  * stocke le token d'authentificayion dans ~/.vault-token


-## LDAP
-
-```shell
-$ vault write auth/ldap/config \
-    url="ldaps://samantha.local.isima.fr" \
-    userattr="sAMAccountName" \
-    userdn="dc=local,dc=isima,dc=fr" \
-    groupattr="cn" \
-    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
-    groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
-    binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
-    bindpass="secret" \
-    insecure_tls="false" \
-    starttls="true"
-```
-
-[<i class="fa fa-book" aria-hidden="true"></i> LDAP Auth Method](https://www.vaultproject.io/docs/auth/ldap.html)
-
-
 ## Policy

-/etc/vault/users/cri.hcl
+description `/etc/vault/cri.hcl` ([hcl](https://github.com/hashicorp/hcl))

 ```
 # Write and manage secrets in key-value secret engine
 path "cri/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
 }
-
-# To enable secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-
-path "cubbyhole/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-
 ```

+* écriture
+
 ```shell
-$ vault policy write cri /etc/vault/cri.hcl
+$ vault policy write cri `/etc/vault/cri.hcl`
 ```
-
-
-## appliquer une policy à un groupe ldap
+* application à un groupe

 ```shell
 $ vault write auth/ldap/groups/cri policies=cri
 ```

+* création de token à aprtir de la policy

-## Utilisation
-
-* via la ligne de commande
-  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
-    * cross plateform
-    * deux variables d'environnement
-      * $VAULT_ADDR=https://vault.isima.fr
-      * $VAULT_TOKEN ou authentification ldap
-* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
-
+```shell
+$ vault token create -policy=cri
+```

 ## Workflow

@@ -259,26 +240,6 @@ $ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50)
 $ vault delete cri/test
 ```

-
-## création de token
-
-my.hcl
-
-```
-path "secret/data/cri/apps/my" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-```
-
-```shell
-$ vault policy write vault/hcl/apps/my.hcl
-$ vault token create -policy=my
-```
-
-
-## Audit
-
-
 ## avec ansible

 * lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)