Vault 0.11 Feature Preview: Namespaces
Posted: 2019-06-21

AUG 17 2018    ANDY MANOSKE


The Vault team is quickly closing on the next major release of Vault: Vault 0.11. As we approach the release we will preview some of the new functionality coming soon to Vault Open Source and Vault Enterprise.

This post will focus on namespaces: a new feature in Vault Enterprise that enables the creation and delegated management of secure multi-tenant environments within a single Vault Enterprise infrastructure.

Over the last two years Vault has become an essential part of many organizations’ production environments. Some of the sensitive information protected by Vault today includes information on upcoming IPO and M&A transactions, credentials to databases containing PII data, and even application tokens and certificates used by defense systems in Multilevel Security (MLS) clearance infrastructures.

Secrets like these are often subject to regulations like GDPR, SEC broker-trade regulations, and NIST SP 800-53 that require strict isolation of this data. Even without these regulations, providing delegated tiers of administrators within Vault is critical to help deal with the human cost of writing/managing policies as Vault Enterprise infrastructures grow.

Namespaces allow Vault Enterprise users to create isolated namespaces within a centrally managed Vault infrastructure. These namespaces maintain a discrete set of Secret Engines and policies that are invisible to other users and can be managed by delegate admins that are empowered with rights to manage their own tenant environment.

Consider the fictional company Bream/Hall. Bream/Hall is a Managed Security Services Provider for a series of tech company clients.


Two of those clients are Pied Piper and Project X, independent companies who contract Bream/Hall to manage their sensitive access credentials and encryption keys. They are competitors and are managed by different teams within Bream/Hall.

Bream/Hall also has an independent Infosec group that manages internal security for Bream/Hall, their own credentials and cryptography infrastructure, and protects the overall infrastructure for their clients.


Namespaces allow Bream/Hall to create isolated tenant environments for their clients’ account teams. The teams managing security credentials for Pied Piper and Project X cannot see each other or each other’s infrastructure.

Namespaces can create and manage separate versions of the following:

  • Secret Mounts
  • Identities (Entities and Identity Groups)
  • Policies
  • Tokens

Additionally, users in a namespace log in via a separate login path. For all intents and purposes, they are presented with their own "Vault within a Vault."


These isolated namespaces can still leverage the benefits of centralized management within Vault. Teams within Pied Piper and Project X can use existing Auth Methods configured for Bream/Hall’s Vault, and the Bream/Hall Infosec team can be configured to enforce requirements for some or all of Bream/Hall’s teams when they use Vault. Namespaces can also be configured to inherit select secrets mounts in order to streamline the process of creating and managing namespaces.

Delegated admins can also be created to manage namespaces. These admins can create ACL policies that apply only within their namespace, and higher-level admins authorize which powers are given to their delegated admins. Delegated admins can even create their own child namespaces and grant other users access to manage those namespaces.
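The following script is an added example, not code from the original post or from HashiCorp. It sets up the Bream/Hall layout described above on a Vault Enterprise 0.11+ server: one namespace per tenant, each with its own KV mount, userpass login path, a delegated-admin ACL policy and an admin user, and then checks that a token issued in pied-piper is rejected in the sibling project-x namespace. The namespace names, mount paths, user names, passwords and the sample secret are assumptions. It only talks to Vault when VAULT_ADDR and a root-level VAULT_TOKEN are set; otherwise it just prints the generated policy.

```shell
#!/bin/sh
# Added example: bootstrap per-tenant namespaces on Vault Enterprise 0.11+.
# Assumed names: namespaces pied-piper / project-x, mount "secret", users
# pp-admin / px-admin, policy "delegate-admin". Needs VAULT_ADDR and a
# VAULT_TOKEN with rights in the root namespace to actually run against Vault.
set -eu

# ACL policy for a tenant's delegated admin. Paths in a policy written inside a
# namespace are relative to that namespace, so "sys/mounts/*" below means
# "<namespace>/sys/mounts/*" and can never reach the parent or a sibling.
delegate_admin_policy() {
  cat <<'EOF'
# Manage ACL policies inside this namespace only
path "sys/policies/acl" {
  capabilities = ["list"]
}
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Enable and tune secrets engines inside this namespace
path "sys/mounts" {
  capabilities = ["read"]
}
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete"]
}
# Enabling an auth method requires the sudo capability on sys/auth/<path>
path "sys/auth" {
  capabilities = ["read"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Identity entities and groups scoped to this namespace
path "identity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Let the delegated admin create child namespaces of their own
path "sys/namespaces/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
}

# Create one tenant: namespace, KV mount, login path, policy, admin user, a secret.
# -namespace=<ns> on the CLI sends the X-Vault-Namespace header; it is
# equivalent to prefixing the request path with "<ns>/".
setup_tenant() {
  ns="$1"; admin="$2"
  vault namespace create "$ns"
  vault secrets enable -namespace="$ns" -path=secret kv-v2
  vault auth enable -namespace="$ns" userpass
  delegate_admin_policy | vault policy write -namespace="$ns" delegate-admin -
  vault write -namespace="$ns" "auth/userpass/users/$admin" \
    password="change-me" policies="delegate-admin"
  vault kv put -namespace="$ns" secret/db-creds username="app" password="example"
}

# Log in through pied-piper's own login path and show the token is useless
# in project-x: tokens are valid only in their namespace and its children.
show_isolation() {
  pp_token=$(vault login -namespace=pied-piper -method=userpass -no-store \
    -field=token username=pp-admin password=change-me)
  VAULT_TOKEN="$pp_token" vault kv get -namespace=pied-piper secret/db-creds
  if VAULT_TOKEN="$pp_token" vault kv get -namespace=project-x secret/db-creds 2>/dev/null; then
    echo "isolation check FAILED: pied-piper token read project-x data" >&2
    return 1
  fi
  echo "isolation check passed: project-x is invisible to pied-piper's admin"
}

if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then
  setup_tenant pied-piper pp-admin
  setup_tenant project-x  px-admin
  show_isolation
else
  echo "VAULT_ADDR/VAULT_TOKEN not set; printing the delegated-admin policy only" >&2
  delegate_admin_policy
fi
```

The policy deliberately omits `sys/policies/acl` rights on any path outside the namespace and grants `sudo` only on `sys/auth/*`, which Vault requires for enabling auth methods; a delegated admin therefore gets a full "Vault within a Vault" without any way to alter Bream/Hall's root-namespace mounts or the sibling tenant.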

What’s Next?

Namespaces are just one of many new features coming soon in Vault 0.11. In our next feature preview we will be looking at Vault Agent: a new open source application we are releasing with Vault 0.11 to streamline secure introduction and local access to secrets by users and applications.

Reposted from: https://blog.51cto.com/13883466/2162582
