issuing temporary credentials for mysql using hashicorp
play

Issuing temporary credentials for MySQL using Hashicorp Vault - PowerPoint PPT Presentation

Jan 12, 2023 •473 likes •692 views

Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData Percona Live Europe 2017 Sounds familiar? Hey, Jane Doe from that department youve never heard of wants to do some analysis and she needs

  1. Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData Percona Live Europe 2017

  2. Sounds familiar? “ Hey, Jane Doe from that department you’ve never heard of wants to do some analysis and she ‘needs’ direct access to our production database. Can you set that up in the next 30 minutes please, I know you have nothing better to do anyway. Cheers, not-your-manager.”

  3. Suuuuureeee….

  4. What if... ● They could self-service? ● They could request read-only credentials by authenticating against {LDAP, GitHub, AWS IAM, etc} ● Their credentials would automatically expire in 24 hours

  6. Demo Architecture ● AWS ○ 3 az’s, 1 region ● HashiCorp Consul ● HashiCorp Vault ○ Secrets backend: consul ○ Auth backend -> github ● MySQL ○ (any flavor/version > 5.0)

  7. Vault Vault is a tool for securely accessing secrets . A secret is The key features of Vault are: anything that you want to tightly control access to, such as ● Secure Secret Storage API keys, passwords, certificates, and more. Vault ● Dynamic Secrets provides a unified interface to any secret, while providing ● Data Encryption tight access control and recording a detailed audit log. ● Leasing and Renewal ● Revocation ● Vault is Open Source ● Enterprise support available ● The data stored with Vault is encrypted using 256-bit AES in GCM mode with a randomly generated nonce.

  8. Workflow (vault/mysql admin) ● Setup Consul cluster ● Setup MySQL ● Setup Vault and point it at the Consul cluster Terraform (Infra as Code) Manual (One time operations) ● vault init ● Unseal the vault ● Setup GitHub auth ● Configure database secret backend ● Create one or more roles

  9. Consul ● “A fancy Key/value store” ● Backend for our Vault cluster ○ Officially supported by Hashicorp root@ip-10-1-103-8:~# consul members Node Address Status Type Build Protocol DC Segment ip-10-1-103-104 10.1.103.104:8301 alive server 0.9.3 2 dc1 <all> ip-10-1-104-233 10.1.104.233:8301 alive server 0.9.3 2 dc1 <all> ip-10-1-105-147 10.1.105.147:8301 alive server 0.9.3 2 dc1 <all> ip-10-1-103-8 10.1.103.8:8301 alive client 0.9.3 2 dc1 <default>

  10. root@ip-10-1-103-8:~# vault init Unseal Key 1: p5Luba1DNJcFSvThese2rj/fJ4iJQMA8bUBG5fuvIsS Vault init Unseal Key 2: 3+M+ajrPVCS96fKeysxUOEfM4JxsT40sosMVHfq1bqA Unseal Key 3: aW1qaxI2H7u57YAreG26Fuchao0XEaWq/f79dljE3iLA Unseal Key 4: tNSeeA6WWkAMK5Notjs/gEqf+8KbqQ32ypcfh3oecsfu Unseal Key 5: nkbtNRGOUxiXPiRealtNBTai9bzVaMmkkbCVRzbaoFn8 Initial Root Token: d57d945b-yoaa-f476-5660-3f6645692555 ● Initialises the vault Vault initialized with 5 keys and a key threshold of 3. Please ● Seals the vault securely distribute the above keys. When the vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again. ● Hands out unseal keys Vault does not store the master key. Without at least 3 keys, ○ By default 5, need 3 minimum to your vault will remain permanently sealed. unseal ( Shamir's Secret Sharing) ○ Don’t lose them, you lose everything ○ Use gpg init for easier distribution (https://www.vaultproject.io/docs/con cepts/pgp-gpg-keybase.html) ● Hands out root auth token

  11. Sealing/Unsealing the vault root@ip-10-1-103-8:~# vault unseal 1 Key (will be hidden): Sealed: true Key Shares: 5 Key Threshold: 3 Unseal Progress: 1 ● A vault starts sealed 2 Unseal Nonce: d1747cd1-a850-bf79-9175-7ac1aaffdddd root@ip-10-1-103-8:~# vault unseal Key (will be hidden): ● If there’s ever any reason, a single Sealed: true Key Shares: 5 vault seal will seal the vault Key Threshold: 3 Unseal Progress: 2 Unseal Nonce: d1747cd1-a850-bf79-9175-7ac1aaffdddd ● Unsealing needs majority 3 out of 5 3 root@ip-10-1-103-8:~# vault unseal Key (will be hidden): keys by default Sealed: false Key Shares: 5 Key Threshold: 3 ● Sealing requires authentication first Unseal Progress: 0 Unseal Nonce: root@ip-10-1-103-8:~# vault status root@ip-10-1-103-8:~# vault seal ✓ Sealed: false Error sealing: Error making API request. Key Shares: 5 URL: PUT https://127.0.0.1:8200/v1/sys/seal Key Threshold: 3 Code: 500. Errors: Unseal Progress: 0 * 1 error occurred: Unseal Nonce: * missing client token Version: 0.8.2 root@ip-10-1-103-8:~# vault auth Cluster Name: vault-cluster-d2bd39fc Token (will be hidden): Cluster ID: d6957662-bc13-826e-5a10-1effde41a718 Successfully authenticated! You are now logged in. token: d57d945b-b0aa-f476-5660-3f6645692555 High-Availability Enabled: true token_duration: 0 Mode: standby token_policies: [root] Leader Cluster Address: https://10.1.104.220:8201 root@ip-10-1-103-8:~# vault seal Vault is now sealed.

  12. Policies cat <<EOF | vault policy-write core-policy /dev/stdin path "sys/*" { policy = "deny" } path "database/creds/readonly" { ● Policies provide a declarative way to policy = "read" capabilities = ["list", "sudo"] grant or forbid access to certain } path "database/creds/demodb_admin" { paths and operations policy = "read" capabilities = ["list", "sudo"] } path "database/roles/*" { policy = "read" capabilities = ["read", "list"] } EOF

  13. root@ip-10-1-103-8:~# vault auth-enable github Enable GitHub auth Successfully enabled 'github' at 'github'! root@ip-10-1-103-8:~# vault auth -methods Path Type Accessor Default TTL Max TTL Replication Behavior Description ● One of many auth mechanisms github/ github auth_github_db842730 system system replicated ○ AWS, Gcloud, LDAP, Radius, Okta and token/ token auth_token_84532020 system system more available replicated token based credentials ● Doesn’t use oauth but personal root@ip-10-1-103-8:~# vault write auth/github/config organization=olindata tokens Success! Data written to: auth/github/config ○ Beware! Losing a personal token is a root@ip-10-1-103-8:~# vault write auth/github/map/teams/core value=core-policy security risk Success! Data written to: auth/github/map/teams/core ● Access your Personal Access Tokens root@ip-10-1-103-8:~# vault auth -method=github in https://github.com/settings/tokens. token=10a8acd3f4ec0b2399146abb0ba6b70211bb6990 Successfully authenticated! You are now logged in. ○ Generate a new Token that has the scope The token below is already saved in the session. You do not need to "vault auth" again with the token. read:org . token: 58b52458-4e25-6642-f1f1-a24eda37913d token_duration: 2764799 token_policies: [core-policy default]

  14. 1 3 2

  15. Enable MySQL secrets backend ● Secrets backends are mounts in root@ip-10-1-103-194:~# vault mount database Successfully mounted 'database' at 'database'! the tree root@ip-10-1-103-8:~# vault write database/config/mysql \ ● The database backend is generic > plugin_name=mysql-database-plugin \ for a number of database engines > connection_url="user:mypwd@tcp(perconalive.olindata.local:3306)/" \ > allowed_roles="readonly" ○ Postgres, mongo, oracle, MS The following warnings were returned from the Vault server: SQL server * Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any. ● The creation_statements argument for the role is flexible root@ip-10-1-103-8:~# vault write database/roles/readonly \ > db_name=mysql \ and can contain whatever SQL > creation_statements="CREATE USER '{{name}}'@'%' \ statement you want > IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \ > default_ttl="1h" \ ● Also see revocation_statements, > max_ttl="24h" Success! Data written to: database/roles/readonly max_open_connections and others

  16. Demo 1

  17. Workflow (Getting creds) 1. User auths against Vault 2. User asks vault for creds 3. Vault creates records in consul and issues a grant statement to MySQL 4. Vault returns username+password back to user … user does their thing 5. After X amount of time, vault removes grant from MySQL

  18. GitHub Auth & Get mysql creds ● Authentication on command line is not root@ip-10-1-103-8:~# vault auth -method=github token=a8acd3f4ec0b2399146abb0ba6b70211bb699010 really useful in prod Successfully authenticated! You are now logged in. The token below is already saved in the session. You do not ○ Use HTTP API instead need to "vault auth" again with the token. token: 76ee8b56-61e5-cbcd-2710-7f7d08668568 token_duration: 2764799 token_policies: [core-policy default] root@ip-10-1-103-8:~# vault read database/creds/readonly Key Value --- ----- lease_id database/creds/readonly/1b889400-092d-e634-6444-d1217d c93690 lease_duration 1h0m0s lease_renewable true password A1a-77r41spp13x57vy5 username v-github-wal-readonly-23q9t9vxx2

  19. Demo 2

  20. What’s next? ● Audit backend ● Vault in HA mode ● Check other integrations ○ AWS, LDAP, Kerberos, SSH, etc.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Nomad HASHICORP Armon Dadgar @armon HASHICORP HASHICORP Cluster Manager Scheduler Nomad

Nomad HASHICORP Armon Dadgar @armon HASHICORP HASHICORP Cluster Manager Scheduler Nomad

Nomad HASHICORP Armon Dadgar @armon HASHICORP HASHICORP Cluster Manager Scheduler Nomad HASHICORP Cluster Manager Scheduler Nomad HASHICORP Schedulers map a set of work to a set of resources HASHICORP Work (Input) Resources Web

2.39k views • 74 slides
MySQL Replication Update MySQL 5.5 (GA) &amp; MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

MySQL Replication Update MySQL 5.5 (GA) &amp; MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

&lt;Insert Picture Here&gt; MySQL Replication Update MySQL 5.5 (GA) &amp; MySQL 5.6.2 (Dev. Milestone) Lars Thalmann Development Director MySQL Replication, Backup &amp; Connectors O'Reilly MySQL Users Conference, April 2011 MySQL Releases

456 views • 42 slides
MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
CREDENTIALS STUDENT RECORD SERVICES TUTORIAL WHAT ARE CREDENTIALS ? 01 credentials ( noun )

CREDENTIALS STUDENT RECORD SERVICES TUTORIAL WHAT ARE CREDENTIALS ? 01 credentials ( noun )

CREDENTIALS STUDENT RECORD SERVICES TUTORIAL WHAT ARE CREDENTIALS ? 01 credentials ( noun ) reference materials used to support applications for employment or graduate study BENEFITS OF CREATING A FILE Compile all of your resources in the Career

677 views • 21 slides
PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

Berner Fachhochschule - HTI PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction Basics of MySQL Create a Table See the content of a DB Tables: Change rows and Insert data Select

637 views • 53 slides
MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is MySQL Proxy Started Feb 2007 Current: MySQL Proxy 0.7.0 Source available on launchpad.net $ bzr branch lp:mysql-proxy Foundation of

308 views • 17 slides
Secret Management with Hashicorp's Vault Daniel Bornkessel Secret Management with Hashicorp's

Secret Management with Hashicorp's Vault Daniel Bornkessel Secret Management with Hashicorp's

Secret Management with Hashicorp's Vault Daniel Bornkessel Secret Management with Hashicorp's Vault X Secret Management with Hashicorp's Vault Daniel Bornkessel Secret Management with Hashicorp's Vault Focus of this talk what is

7.7k views • 123 slides
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove youre over 21, or verify your address

659 views • 48 slides
MySQL Group Replication &amp; MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication &amp; MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication &amp; MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice Manager Table of Contents Group Replication MySQL Shell (AdminAPI) MySQL Group Replication MySQL Router Best Practices Limitations Production?

993 views • 72 slides
Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference &amp; Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference &amp; Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference &amp; Expo 2011 Consulting Support Training Development For MySQL Percona Server Replaces MySQL Faster Queries More Consistent More Measurable More

670 views • 41 slides
PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great Using MySQL in PHP is somewhat similar to the command line: Set up a connection to a MySQL database Issue a bunch of commands to the

944 views • 43 slides
Certification and Accreditation of Certification and Accreditation of PIV Card Issuing

Certification and Accreditation of Certification and Accreditation of PIV Card Issuing

Certification and Accreditation of Certification and Accreditation of PIV Card Issuing Organizations PIV Card Issuing Organizations Joan Hash Manager, Computer Security Management &amp; Assistance June 28, 2005 1 NIST Special Publication

256 views • 25 slides
SQL &amp; MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL &amp; MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL &amp; MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is a language to interact with the database SQL is used with other databases: Access, Oracle, Portage SQL, MS SQL, etc... MySQL Open source

391 views • 7 slides
Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director MySQL Inception MySQL ACMUG Oracle MySQL ACE Director What do we need to do for MySQL in

320 views • 20 slides
Temporary Residents Program Procedures to enrol temporary residents into NSW government schools

Temporary Residents Program Procedures to enrol temporary residents into NSW government schools

Temporary Residents Program Procedures to enrol temporary residents into NSW government schools Event date: 21 November 2018 Presenter: Agenda Different programs where temporary residents may go to school Role of the Temporary

1.2k views • 80 slides
Temporary Caregiver Insurance TCI is part of the Temporary Disability Insurance (TDI) Law in

Temporary Caregiver Insurance TCI is part of the Temporary Disability Insurance (TDI) Law in

Temporary Caregiver Insurance Webinar April 30 , 2019 Temporary Caregiver Insurance TCI is part of the Temporary Disability Insurance (TDI) Law in Rhode Island. Passed in 2013 and became effective in January 2014 Available to employees

524 views • 15 slides
O H! H! Auth th Implementation pitfalls &amp; the auth providers who have fell in it

O H! H! Auth th Implementation pitfalls &amp; the auth providers who have fell in it

H! H! O H! H! Auth th Implementation pitfalls &amp; the auth providers who have fell in it @samitanwer1 samit.anwer@gmail.com C: C:\&gt;whoami Samit Anwer Product Security Team @Citrix Web/Mobile App Security Enthusiast

724 views • 58 slides
Access and forward- looking charges London and Glasgow Workshops 28 February 2018 Agenda

Access and forward- looking charges London and Glasgow Workshops 28 February 2018 Agenda

Access and forward- looking charges London and Glasgow Workshops 28 February 2018 Agenda Overview of the Electricity 13:00 - 13:20 Network Access Project Linking the options for change 13:20 - 14:50 large users Breakout 14:50 - 15:10

504 views • 39 slides
Collaborative Ontology Development with Protg Tania Tudorache, Natasha Noy Jennifer

Collaborative Ontology Development with Protg Tania Tudorache, Natasha Noy Jennifer

Collaborative Ontology Development with Protg Tania Tudorache, Natasha Noy Jennifer Vendetti, Timothy Redmond Stanford Center for Biomedical Informatics Tutorial at the Protg conference 2009 Amsterdam, June 23, 2009 Outline

878 views • 57 slides
Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or multithreaded programs Caused by different threads of control operating in unpredictable fashion When programmer thought theyd work in a

649 views • 21 slides
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem - More Client Devices per-Human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs arent fun - Legacy Solutions

788 views • 32 slides
Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2 and OpenID Connect to Science Gateways https://tools.ietf.org/html/rfc6749 Three Layers of Science Gateway Cyberinfrastructure Tenants Resources

813 views • 43 slides
Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with Open Source Yiannis Yiakoumis, Co-Founder &amp; CEO, Selfie Networks Work with Nick McKeown (Stanford), Frode Sorensen (NKOM)

506 views • 29 slides
OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides

More recommend