This repository has been archived by the owner on Oct 6, 2019. It is now read-only.

Features

Tony Cai edited this page Sep 5, 2018 · 8 revisions


  1. Searching all tokens for a particular policy or display name
  2. Searching all policies for capabilities on a particular path
  3. Submitting a policy change request
  4. Changing Vault policies according to a GitHub commit
  5. Using Vault's PKI backend

Searching tokens

You can search for a string or regex match against a token's policies and display name.

The logged in user needs policy: vagrant/policies/user_admin.hcl

Searching policies

You can search for all policies that can read/list/update/delete/sudo/deny against a secret path.

This search uses the same path-matching rules as Vault's own policy evaluation. Therefore, if a policy is able to read secret/*, searching for secret/foo will return this policy. Feel free to test this out in the public demo.

The user will need permissions to read and list all policies.
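The matching rule described above, as an added example that is not goldfish's own code: each policy is reduced to its path stanzas, the stanza that governs the searched path is chosen the way Vault does (an exact path wins, otherwise the longest matching `*` prefix glob), a `deny` in the winning stanza removes everything, and every policy whose effective capabilities contain the searched capability is returned. The policies are constructed sample input; Vault's `+` segment wildcard and the HCL parsing itself are left out.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// rule is one path stanza of a Vault policy: a path pattern and the
// capabilities granted on it. A trailing "*" makes the pattern a prefix glob.
type rule struct {
	Path string
	Caps []string
}

// capabilitiesOn resolves the capabilities one policy grants on path:
// an exact-path rule wins; otherwise the longest matching prefix glob wins;
// "deny" in the winning rule removes every capability.
func capabilitiesOn(rules []rule, path string) []string {
	var best *rule
	bestLen := -1
	for i := range rules {
		r := &rules[i]
		if r.Path == path {
			best = r
			break
		}
		if strings.HasSuffix(r.Path, "*") {
			prefix := strings.TrimSuffix(r.Path, "*")
			if strings.HasPrefix(path, prefix) && len(prefix) > bestLen {
				best, bestLen = r, len(prefix)
			}
		}
	}
	if best == nil {
		return nil
	}
	for _, c := range best.Caps {
		if c == "deny" {
			return []string{"deny"}
		}
	}
	return best.Caps
}

// searchPolicies returns the names of every policy whose effective
// capabilities on path include capability, sorted for stable output.
func searchPolicies(policies map[string][]rule, path, capability string) []string {
	var hits []string
	for name, rules := range policies {
		for _, c := range capabilitiesOn(rules, path) {
			if c == capability {
				hits = append(hits, name)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// samplePolicies is constructed sample input, not the demo's policies.
func samplePolicies() map[string][]rule {
	return map[string][]rule{
		"reader":  {{Path: "secret/*", Caps: []string{"read", "list"}}},
		"writer":  {{Path: "secret/foo", Caps: []string{"create", "update"}}},
		"blocked": {{Path: "secret/*", Caps: []string{"read"}}, {Path: "secret/foo", Caps: []string{"deny"}}},
		"other":   {{Path: "kv/*", Caps: []string{"read"}}},
	}
}

func main() {
	p := samplePolicies()
	fmt.Println(searchPolicies(p, "secret/foo", "read")) // [reader]
	fmt.Println(searchPolicies(p, "secret/bar", "read")) // [blocked reader]
	fmt.Println(searchPolicies(p, "secret/foo", "deny")) // [blocked]
}
```

The "blocked" policy shows why the search has to evaluate the winning stanza rather than grep for the path: it can read everything under secret/ except secret/foo, so it appears for secret/bar but not for secret/foo.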

Policy change requests

The logged in user (request and approving admin) needs policy: vagrant/policies/policies_admin.hcl

Making a policy change request

To make a request, go to Administration -> Policies and edit the policy in question.

Clicking on Request changes will make goldfish take a snapshot of the current policy rules, and the newly proposed rules. If the logged in user is able to read the policy, a request will be stored in goldfish's cubbyhole, and a hash will be returned. This hash doubles as the change ID.


Slack integration

If goldfish's run-time configuration path has:

  • SlackWebhook
  • SlackChannel

then goldfish will send the newly requested change ID to the Slack channel using the webhook. No confidential information will be sent.

Approving a policy change request

When the admin receives the change ID, through Slack or other means, they can view, approve, or reject the policy change request.

To do so, go to Administration -> Requests and enter the change ID.

To approve the request, click Approve and enter an unseal token. The unseal token will be vault-wrapped by goldfish, ensuring that as long as goldfish's memory is not compromised, no one can view it.


The unseal token is wrapped with a 1 hour timeout. Other admins must therefore enter their unseal tokens for this change ID within an hour of the first admin's approval.

Once the last required admin to form a quorum enters an unseal token, goldfish will:

  • Start a root token generation with a randomly generated OTP
  • Unwrap all vault wrapped unseal tokens for this change ID
  • Use all unseal tokens for this particular root token generation
  • Using the root token, perform the policy change
  • Revoke the root token, and report success to the last admin

Because of the nature of Shamir's secret sharing algorithm, goldfish cannot check an individual unseal token as it is entered. If any of the entered unseal tokens turn out to be wrong, goldfish will purge all unseal tokens for this particular change ID and reset the progress so that admins can approve again.

To reject a request, simply click Reject and Confirm Reject. This will purge the request snapshot and proposed policy from goldfish's cubbyhole.
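The approval flow described in this section, as an added simulation that is not goldfish's own code: Vault response wrapping is modelled as a one-hour expiry attached to each stored unseal token, and root token generation as a callback that reports success or failure for the whole set only, since Shamir's scheme cannot say which individual share was wrong. A failed generation purges every stored token and resets progress, and rejecting the request purges it outright. The share values and admin names are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const wrapTTL = time.Hour // the vault-wrap timeout from the text

type approval struct {
	admin     string
	token     string
	expiresAt time.Time // the wrapped token can no longer be unwrapped after this
}

type changeRequest struct {
	changeID     string
	quorum       int
	approvals    []approval
	applied      bool
	rejected     bool
	generateRoot func(unsealTokens []string) bool // stands in for Vault's generate-root
}

func newChangeRequest(changeID string, quorum int, generateRoot func([]string) bool) *changeRequest {
	return &changeRequest{changeID: changeID, quorum: quorum, generateRoot: generateRoot}
}

// pruneExpired drops approvals whose wrapped token has timed out.
func (r *changeRequest) pruneExpired(now time.Time) {
	kept := r.approvals[:0]
	for _, a := range r.approvals {
		if now.Before(a.expiresAt) {
			kept = append(kept, a)
		}
	}
	r.approvals = kept
}

// Approve stores admin's unseal token and, once the quorum is reached, unwraps
// every stored token and runs root token generation with all of them. It returns
// whether the change was applied, the current progress, and an error for a
// failed generation (all tokens purged, progress reset) or a rejected request.
func (r *changeRequest) Approve(admin, token string, now time.Time) (bool, int, error) {
	if r.rejected {
		return false, 0, errors.New("request " + r.changeID + " was rejected and purged")
	}
	if r.applied {
		return true, r.quorum, nil
	}
	r.pruneExpired(now)
	entry := approval{admin: admin, token: token, expiresAt: now.Add(wrapTTL)}
	replaced := false
	for i := range r.approvals {
		if r.approvals[i].admin == admin { // re-entering replaces the earlier token
			r.approvals[i], replaced = entry, true
		}
	}
	if !replaced {
		r.approvals = append(r.approvals, entry)
	}
	if len(r.approvals) < r.quorum {
		return false, len(r.approvals), nil
	}
	tokens := make([]string, 0, len(r.approvals))
	for _, a := range r.approvals {
		tokens = append(tokens, a.token)
	}
	r.approvals = nil // consumed either way: used for generation, or purged on failure
	if !r.generateRoot(tokens) {
		return false, 0, errors.New("root token generation failed; unseal tokens purged, approve again")
	}
	r.applied = true // the root token is used for the policy change and then revoked
	return true, r.quorum, nil
}

// Reject purges the request and any stored unseal tokens.
func (r *changeRequest) Reject() {
	r.approvals = nil
	r.rejected = true
}

// simulatedGenerateRoot succeeds only when at least threshold distinct valid
// shares were given and none is wrong; it never reveals which share failed.
func simulatedGenerateRoot(valid map[string]bool, threshold int) func([]string) bool {
	return func(tokens []string) bool {
		seen := map[string]bool{}
		for _, t := range tokens {
			if !valid[t] {
				return false
			}
			seen[t] = true
		}
		return len(seen) >= threshold
	}
}

func main() {
	gen := simulatedGenerateRoot(map[string]bool{"share-1": true, "share-2": true, "share-3": true}, 3)
	req := newChangeRequest("deadbeef", 3, gen) // constructed change ID
	for i, a := range [][2]string{{"alice", "share-1"}, {"bob", "wrong"}, {"carol", "share-3"}} {
		ok, n, err := req.Approve(a[0], a[1], time.Now().Add(time.Duration(i)*time.Minute))
		fmt.Printf("%s: applied=%v progress=%d/%d err=%v\n", a[0], ok, n, req.quorum, err)
	}
}
```

Purging before the generation result is known is deliberate: whether the attempt succeeds or fails, no unwrapped unseal token outlives the attempt.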

Requesting a policy change by GitHub commit

If goldfish's run-time configuration path has:

  • GithubAccessToken
  • GithubRepoOwner
  • GithubRepo
  • GithubPoliciesPath

then a policy change request can be built from a commit in that repository instead of from a single edited policy.

For an interactive example, go to the live demo, log in with the goldfish token, and go to the Requests page. Change the type to Commit hash and enter the SHA-1 hash shown in the notification message. This is an old hash from the goldfish repo that will give a good diff against the list of Vault policies in the demo.

To approve the entire set of changes, each admin puts in their unseal token just like a regular policy request. The only difference is that goldfish will change the entire set of policies at once. Terraform for vault!

Using Vault's PKI backend

In v0.8.0, Goldfish can serve TLS using certificates generated by Vault's PKI backend. This is convenient if it is difficult to obtain certificates otherwise.

Requirements:

  1. Set up the PKI backend on Vault (Vault's documentation can guide you through the process)
  2. Add the key listener.tls_pki_path to Goldfish's launch time config file. See the example here: https://github.com/Caiyeon/goldfish/blob/master/config/sample.hcl
    • Note that listener.tls_disable must be 0, and listener.tls_cert_file and listener.tls_key_file must be empty
  3. Add update capabilities on the PKI path to goldfish's policy
  4. Launch goldfish. Note that with PKI integration, bootstrapping must be done at launch time. That is, the token command line argument must be provided.

The PKI certificate TTL can be set very low to ensure that no long-lived certificates are generated. Goldfish will request a new certificate at the half-life of the current one and hot-reload certificates as needed.
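The half-life renewal and hot reload described above, as an added example that is not goldfish's own code: a `tls.Config.GetCertificate` callback hands every new connection the current certificate and replaces it once half of its lifetime has elapsed, so the listener never restarts. The issuer is a constructed self-signed one so the example runs offline; in goldfish that call is the write to listener.tls_pki_path on Vault's PKI backend. The clock is injectable so the renewal point can be tested, and the hostname is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"sync"
	"time"
)

// issuer returns a fresh leaf certificate valid for ttl starting at now.
type issuer func(now time.Time, ttl time.Duration) (*tls.Certificate, error)

// selfSignedIssuer is a constructed stand-in for Vault's PKI issue endpoint.
func selfSignedIssuer(now time.Time, ttl time.Duration) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "goldfish.example"}, // placeholder hostname
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// failingIssuer models the PKI backend being unreachable.
func failingIssuer(time.Time, time.Duration) (*tls.Certificate, error) {
	return nil, errors.New("pki backend unavailable")
}

// rotator serves the current certificate and renews it at half-life.
type rotator struct {
	mu    sync.Mutex
	issue issuer
	ttl   time.Duration
	now   func() time.Time // injectable clock
	cert  *tls.Certificate
}

func newRotator(issue issuer, ttl time.Duration, clock func() time.Time) *rotator {
	return &rotator{issue: issue, ttl: ttl, now: clock}
}

// pastHalfLife reports whether now is at or beyond the midpoint of leaf's validity.
func pastHalfLife(leaf *x509.Certificate, now time.Time) bool {
	half := leaf.NotAfter.Sub(leaf.NotBefore) / 2
	return !now.Before(leaf.NotBefore.Add(half))
}

// Current returns a certificate for a new connection, renewing at half-life.
// If renewal fails, the old certificate keeps being served until it actually
// expires, so a brief PKI outage does not take the listener down.
func (r *rotator) Current() (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	now := r.now()
	if r.cert == nil || pastHalfLife(r.cert.Leaf, now) {
		c, err := r.issue(now, r.ttl)
		if err != nil {
			if r.cert != nil && now.Before(r.cert.Leaf.NotAfter) {
				return r.cert, nil
			}
			return nil, err
		}
		r.cert = c
	}
	return r.cert, nil
}

// GetCertificate is the tls.Config callback; every handshake goes through Current.
func (r *rotator) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.Current()
}

func main() {
	r := newRotator(selfSignedIssuer, 10*time.Minute, time.Now)
	cfg := &tls.Config{GetCertificate: r.GetCertificate, MinVersion: tls.VersionTLS12}
	_ = cfg // hand to http.Server{TLSConfig: cfg} and call ListenAndServeTLS("", "")
}
```

Because the certificate is fetched through the callback rather than loaded once into `tls.Config.Certificates`, a very short PKI TTL costs nothing at the listener: the renewal happens inside the next handshake after the midpoint, and the expiry-aware fallback is what keeps a short TTL from turning a PKI hiccup into an outage.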