小 白蛋 / Vault
Commit 1e2cb9e7, authored 3 years ago by mickael e
backport of commit d91ba9dce0a356814af49fb176ae474d57cac5f0
parent cb2e5ffa
Showing 3 changed files with 31 additions and 9 deletions:
website/content/docs/auth/github.mdx (+6 -6)
website/content/docs/auth/index.mdx (+13 -1)
website/content/docs/internals/security.mdx (+12 -2)
website/content/docs/auth/github.mdx (+6 -6) @ 1e2cb9e7
@@ -12,14 +12,14 @@ operators or developers using Vault directly via the CLI.
~> **IMPORTANT NOTE:** Vault does not support an OAuth workflow to generate
GitHub tokens, so does not act as a GitHub application. As a result, this method
uses personal access tokens. An important consequence is that any valid GitHub
access token with the `read:org` scope for any user belonging to the Vault-configured
organization can be used for authentication. If such a
uses personal access tokens. If the risks below are unacceptable to you, consider
using a different authentication method.
~> Any valid GitHub access token with the `read:org` scope for any user belonging
to the Vault-configured organization can be used for authentication. If such a
token is stolen from a third party service, and the attacker is able to make
network calls to Vault, they will be able to log in as the user that generated
the access token. When using this method it is a good idea to ensure that access
to Vault is restricted at a network level rather than public. If these risks are
unacceptable to you, you should use a different method.
the access token.
## Authentication
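Review bot: the rewritten admonition drops the one mitigation the old text carried, namely that access to Vault should be restricted at the network level rather than exposed publicly; the second note now ends at "the access token." with no guidance, and "the risks below" in the first note points at a single risk. A stolen `read:org` token is only useful to an attacker who can reach Vault, so suggest keeping "When using this method it is a good idea to ensure that access to Vault is restricted at a network level rather than public." at the end of the second admonition.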
website/content/docs/auth/index.mdx (+13 -1) @ 1e2cb9e7
@@ -7,7 +7,11 @@ description: Auth methods are mountable methods that perform authentication for
# Auth Methods
Auth methods are the components in Vault that perform authentication and are
responsible for assigning identity and a set of policies to a user.
responsible for assigning identity and a set of policies to a user. In all cases,
Vault will enforce authentication as part of the request processing. In most cases,
Vault will delegate the authentication administration and decision to the relevant configured
external auth method (e.g., Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft
Azure, Okta ...).
Having multiple auth methods enables you to use an auth method that makes the
most sense for your use case of Vault and your organization.
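Review bot: "delegate the authentication administration and decision" is awkward, and the example list reads as if every auth method is external, although this same file goes on to enable `userpass`, which Vault evaluates itself. Suggest "In most cases, Vault delegates the authentication decision to the configured external auth method (for example Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft Azure or Okta); built-in methods such as userpass and token are evaluated by Vault itself."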
@@ -42,3 +46,11 @@ $ vault auth enable -path=my-login userpass
When an auth method is disabled, all users authenticated via that method are
automatically logged out.
## External Auth Method Considerations
When using an external auth method (e.g., GitHub), Vault will call the external service
at the time of authentication and for any subsequent token renewals. This means that issued tokens
are valid for their entire duration, and are not invalidated until a renewal or user re-authentication
occurs. Operators should ensure appropriate [token TTLs](/docs/concepts/tokens#the-general-case)
are set when using these auth methods.
\ No newline at end of file
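Review bot: the new section states the consequence (a Vault token stays valid until renewal or re-authentication) but not what an operator should do when the external credential is revoked. Revoking the user's GitHub token or disabling the account does not revoke tokens Vault already issued; the immediate remedy is revocation on the Vault side, for example `vault token revoke <token>` or `vault token revoke -mode path auth/github` to revoke every token issued by that mount, or disabling the auth method, which the paragraph above notes logs out all its users. Suggest adding that sentence, recommending a max TTL alongside the TTL, and restoring the trailing newline that "\ No newline at end of file" flags.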
website/content/docs/internals/security.mdx (+12 -2) @ 1e2cb9e7
@@ -60,6 +60,16 @@ The following are not parts of the Vault threat model:
to inspect the memory state of a running Vault instance then the confidentiality
of data may be compromised.
- Protecting against flaws in external systems or services used by Vault.
Some authentication methods or secrets engines delegate sensitive operations to
systems external to Vault. If an attacker can compromise credentials or otherwise
exploit a vulnerability in these external systems, then the confidentiality or
integrity of data may be compromised.
- Protecting against malicious plugins or code execution on the underlying host.
If an attacker can gain code execution or write privileges to the underlying host,
then the confidentiality or the integrity of data may be compromised.
# External Threat Overview
Given the architecture of Vault, there are 3 distinct systems we are concerned
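Review bot: the second new bullet is vague about which host write access matters; "write privileges to the underlying host" could mean anything from a temp directory to the storage backend, and the bullet title names the specific case of a malicious plugin. Suggest naming the sensitive paths, e.g. "write access to the Vault binary, its configuration, the configured plugin directory, or the storage backend on disk", since the plugin directory is the path through which a malicious plugin gets loaded and executed with Vault's privileges.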
@@ -128,8 +138,8 @@ notion of "sudo" privilege. As part of a policy, users may be granted "sudo"
privileges to certain paths, so that they can still perform security sensitive
operations without being granted global root access to Vault.
Lastly, Vault supports using a [Two-man rule](https://en.wikipedia.org/wiki/Two-man_rule) for unsealing using [Shamir's
Lastly, Vault supports using a [Two-person rule](https://en.wikipedia.org/wiki/Two-person_rule) for unsealing using [Shamir's
Secret Sharing technique](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). When Vault
is started, it starts in a _sealed_ state. This means that the encryption key