Open-source KMS: Vault, part 8

2024-06-03 10:13:26

Password policies

https://developer.hashicorp.com/vault/api-docs/system/policies-password

https://developer.hashicorp.com/vault/docs/concepts/password-policies

Custom password policies

Create a password policy file

# cat my-policy.hcl
length = 20
rule "charset" {
  charset = "abcde"
  min-chars = 1
}
rule "charset" {
  charset = "01234"
  min-chars = 1
}

This policy generates passwords from the character set abcde01234, but every password must contain at least 1 character from abcde and at least 1 character from 01234. If the charsets of different rules overlap, the combined charset is deduplicated so that candidate generation is not biased toward the overlapping characters. For example, with two charset rules abcde and cdefg, the charset abcdefg is used to generate candidate passwords, but at least one character from abcde and at least one from cdefg must still appear in the password.

Submit the policy to Vault

$ vault write sys/policies/password/my-policy policy=@my-policy.hcl
Success! Data written to: sys/policies/password/my-policy

Read the policy

$ vault read sys/policies/password/my-policy
Key       Value
---       -----
policy    length = 20
rule "charset" {
  charset = "abcde"
  min-chars = 1
}
rule "charset" {
  charset = "01234"
  min-chars = 1
}

Delete the policy

$ vault delete sys/policies/password/my-policy
Success! Data deleted (if it existed) at: sys/policies/password/my-policy

Default password policy

Vault ships with a default password policy that applies to any password Vault generates without an explicit policy assignment. The default policy requires a password to contain:

20 characters total
1 uppercase character
1 lowercase character
1 number
1 special character

Expressed as an HCL policy file, it looks like this:

length = 20
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}
rule "charset" {
  charset = "0123456789"
  min-chars = 1
}
rule "charset" {
  charset = "-"
  min-chars = 1
}
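The charset semantics described in the custom-policy section above (the deduplicated union of all rule charsets is used for candidate generation, while every rule's min-chars is still enforced) and the default policy just shown, as an added Python model. This is example code written for this page, not Vault's implementation: it reads the charset-rule subset of the policy HCL with a toy regex parser (which assumes charset strings contain no `}` or `"`), and produces passwords by rejection sampling with the `secrets` module. The `charset_policy_hcl` helper and the `MY_POLICY`, `OVERLAP_POLICY` and `DEFAULT_POLICY` inputs are constructed here from the policies on this page.

```python
"""Toy model of Vault charset password-policy semantics (added example, not Vault code)."""
import re
import secrets
from dataclasses import dataclass, field

# The article's my-policy.hcl, embedded verbatim as sample input.
MY_POLICY = """
length = 20
rule "charset" {
  charset = "abcde"
  min-chars = 1
}
rule "charset" {
  charset = "01234"
  min-chars = 1
}
"""

def charset_policy_hcl(length: int, *charsets: str, min_chars: int = 1) -> str:
    """Render a charset-only policy in the same HCL layout as the article."""
    rules = "".join(f'rule "charset" {{\n  charset = "{cs}"\n  min-chars = {min_chars}\n}}\n'
                    for cs in charsets)
    return f"length = {length}\n{rules}"

# The overlap example from the text (abcde and cdefg share c, d, e) and
# the article's rendering of Vault's default policy, both constructed here.
OVERLAP_POLICY = charset_policy_hcl(20, "abcde", "cdefg")
DEFAULT_POLICY = charset_policy_hcl(20, "abcdefghijklmnopqrstuvwxyz",
                                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789", "-")

@dataclass
class CharsetRule:
    charset: str
    min_chars: int = 0

@dataclass
class PasswordPolicy:
    length: int
    rules: list[CharsetRule] = field(default_factory=list)

    @property
    def candidate_charset(self) -> str:
        """Deduplicated union of all rule charsets: an overlapping character
        appears once, so it is not drawn more often than the others."""
        return "".join(dict.fromkeys(c for r in self.rules for c in r.charset))

    def satisfies(self, password: str) -> bool:
        """Right length, only allowed characters, and every rule's min-chars met."""
        if len(password) != self.length or set(password) - set(self.candidate_charset):
            return False
        return all(sum(c in r.charset for c in password) >= r.min_chars for r in self.rules)

    def generate(self, max_attempts: int = 10_000) -> str:
        """Rejection sampling with a CSPRNG: draw uniformly from the candidate
        charset and retry until every rule holds."""
        chars = self.candidate_charset
        for _ in range(max_attempts):
            candidate = "".join(secrets.choice(chars) for _ in range(self.length))
            if self.satisfies(candidate):
                return candidate
        raise RuntimeError("could not satisfy policy within max_attempts")

# Toy parser for the charset-rule subset of the policy language.
# Assumption: charset strings contain no '}' or '"' characters.
_LENGTH_RE = re.compile(r"^\s*length\s*=\s*(\d+)\s*$", re.M)
_RULE_RE = re.compile(r'rule\s+"charset"\s*\{(.*?)\}', re.S)
_CHARSET_RE = re.compile(r'charset\s*=\s*"([^"]*)"')
_MIN_CHARS_RE = re.compile(r"min-chars\s*=\s*(\d+)")

def parse_policy(hcl: str) -> PasswordPolicy:
    length = _LENGTH_RE.search(hcl)
    if not length:
        raise ValueError("policy must set length")
    rules = []
    for body in _RULE_RE.findall(hcl):
        charset = _CHARSET_RE.search(body)
        if not charset or not charset.group(1):
            raise ValueError("charset rule needs a non-empty charset")
        min_chars = _MIN_CHARS_RE.search(body)
        rules.append(CharsetRule(charset.group(1), int(min_chars.group(1)) if min_chars else 0))
    # Reject unsatisfiable policies up front instead of looping in generate().
    if sum(r.min_chars for r in rules) > int(length.group(1)):
        raise ValueError("sum of min-chars exceeds length")
    return PasswordPolicy(int(length.group(1)), rules)

if __name__ == "__main__":
    for name, text in [("my-policy", MY_POLICY), ("overlap", OVERLAP_POLICY), ("default", DEFAULT_POLICY)]:
        policy = parse_policy(text)
        print(f"{name}: charset={policy.candidate_charset!r} password={policy.generate()}")
```

Run it directly to see the candidate charset and a sample password for each of the three policies: my-policy draws from abcde01234, the overlap policy from abcdefg, and the default policy from the 63-character union of the four rules. `parse_policy` raises if the sum of `min-chars` exceeds `length`, since no password could satisfy such a policy and the generator would otherwise spin until `max_attempts`.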
