SlideShare una empresa de Scribd logo

Securing Databases with Dynamic Credentials

hyeongchae lee
hyeongchae lee

PGDay.Seoul 2019

Internet
1 de 15
Descargar para leer sin conexión
Securing Databases with Dynamic Credentials and HashiCorp’s Vault PGDay.Seoul 2019 FB/hyeongchae.lee 1PGDay.Seoul 2019
Temporary Security Credentials • shell script 또는 config 안에 username, password 필요한 경우 • 개발팀에서 운영 DB서버에 접속하여 몇가지 확인하고 싶을 경우 • 단발성 계정 생성 및 삭제가 빈번하게 일어날 경우 • GDPR 처럼 보안규정상 password expired 가 필요한 경우 PGDay.Seoul 2019 2
Ansible : ssh delima PGDay.Seoul 2019 3
HashiCorp 4PGDay.Seoul 2019
HashiCorp’s Vault 란? 5PGDay.Seoul 2019
Vault’s Policies 6PGDay.Seoul 2019
Vault’s Polcies path “postgresql/creds/readonly” { capabilities = ["create", "read", "update", "delete", "list"] } root@pgsql12:/# ls -la /var/lib/postgresql/data/ drwx------ 19 postgres postgres 4096 Dec 2 02:45 . drwxr-xr-x 1 postgres postgres 4096 Nov 23 08:10 .. drwx------ 6 postgres postgres 4096 Dec 2 05:19 base drwx------ 2 postgres postgres 4096 Dec 2 06:58 global -rw------- 1 postgres postgres 4535 Dec 2 02:45 pg_hba.conf PGDay.Seoul 2019 7
HashiCorp’s Vault 8PGDay.Seoul 2019
Vault’s Token $ vault read postgresql/creds/readonly Key Value --- ----- lease_id postgresql/creds/readonly/Dw35ApjCjE3x4WolwcD4GTgq lease_duration 1h lease_renewable true password ee1a06db-9d28-2e74-41fc-c97a8d137dd8 username token-a6c161c7-dbee-b2b1-4ede-7300ed4350fa PGDay.Seoul 2019 9
Dynamically Securing Databases using Vault 10PGDay.Seoul 2019 Security Team Define secret policies PostgreSQL APPs username : root password : password Rotate the root credentials username : root password : newpassword Create DB credentials username : token-a6c161c… password : ee1a06db-9d… App gets unique set of DB Credentials to connect Read / Write from DB 1 1 2 2 3 4
PotgreSQL Secrets Engine $ export VAULT_ADDR="http://127.0.0.1:8200" $ export VAULT_TOKEN="vault" $ vault secrets enable postgresql # dba admin / superuser $ vault write postgresql/config/connection connection_url="postgresql://root:root@172.16.100.1:5432/postgres?sslmode=disable" # create user and role $ vault write postgresql/roles/readonly sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";" # get credential $ vault read postgresql/creds/readonly PGDay.Seoul 2019 11 2 1 1 2 3 no policies get token connect create credential get credential
승인 워크플로우 (Approval Workflow) 12PGDay.Seoul 2019 1 2 3 4 5 Developer Dev Manager “You’re fired” DevOps Update /request_pgsql_access Auth / Role
액세스 워크플로우 ( Access Workflow ) 13PGDay.Seoul 2019 Developer SQLGate / flyway psql client / Token CLI / HTTP API 15 2 3 4 6 Auth / Role Personal Identification
https://github.com/sql2/PostgreSQL_with_Dynamic_Credentials PGDay.Seoul 2019 14
PGDay.Seoul 2019 15

Recomendados

Александр Сергиенко, Senior Android Developer, DataArt
Александр Сергиенко, Senior Android Developer, DataArtАлександр Сергиенко, Senior Android Developer, DataArt
Александр Сергиенко, Senior Android Developer, DataArtAlina Vilk
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
2 network tips
2 network tips2 network tips
2 network tipsBinary Studio
 
CouchDB: replicated data store for distributed proxy server
CouchDB: replicated data store for distributed proxy serverCouchDB: replicated data store for distributed proxy server
CouchDB: replicated data store for distributed proxy servertkramar
 
https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...
https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...
https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...MongoDB
 
2012 mongo db_bangalore_roadmap_new
2012 mongo db_bangalore_roadmap_new2012 mongo db_bangalore_roadmap_new
2012 mongo db_bangalore_roadmap_newMongoDB
 
MongoDB Administration 101
MongoDB Administration 101MongoDB Administration 101
MongoDB Administration 101MongoDB
 
Webinar: Avoiding Sub-optimal Performance in your Retail Application
Webinar: Avoiding Sub-optimal Performance in your Retail ApplicationWebinar: Avoiding Sub-optimal Performance in your Retail Application
Webinar: Avoiding Sub-optimal Performance in your Retail ApplicationMongoDB
 

Recomendados

Александр Сергиенко, Senior Android Developer, DataArt
Александр Сергиенко, Senior Android Developer, DataArtАлександр Сергиенко, Senior Android Developer, DataArt
Александр Сергиенко, Senior Android Developer, DataArtAlina Vilk
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
2 network tips
2 network tips2 network tips
2 network tipsBinary Studio
 
CouchDB: replicated data store for distributed proxy server
CouchDB: replicated data store for distributed proxy serverCouchDB: replicated data store for distributed proxy server
CouchDB: replicated data store for distributed proxy servertkramar
 
https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...
https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...
https://docs.google.com/presentation/d/1DcL4zK6i3HZRDD4xTGX1VpSOwyu2xBeWLT6a_...MongoDB
 
2012 mongo db_bangalore_roadmap_new
2012 mongo db_bangalore_roadmap_new2012 mongo db_bangalore_roadmap_new
2012 mongo db_bangalore_roadmap_newMongoDB
 
MongoDB Administration 101
MongoDB Administration 101MongoDB Administration 101
MongoDB Administration 101MongoDB
 
Webinar: Avoiding Sub-optimal Performance in your Retail Application
Webinar: Avoiding Sub-optimal Performance in your Retail ApplicationWebinar: Avoiding Sub-optimal Performance in your Retail Application
Webinar: Avoiding Sub-optimal Performance in your Retail ApplicationMongoDB
 
Discover MongoDB - Israel
Discover MongoDB - IsraelDiscover MongoDB - Israel
Discover MongoDB - IsraelMichael Fiedler
 
JCR In Action (ApacheCon EU 2008)
JCR In Action (ApacheCon EU 2008)JCR In Action (ApacheCon EU 2008)
JCR In Action (ApacheCon EU 2008)Carsten Ziegeler
 
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...Grand Parade Poland
 
Beyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseBeyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseMongoDB
 
Elasticsearch und die Java-Welt
Elasticsearch und die Java-WeltElasticsearch und die Java-Welt
Elasticsearch und die Java-WeltFlorian Hopf
 
Securing Your MongoDB Implementation
Securing Your MongoDB ImplementationSecuring Your MongoDB Implementation
Securing Your MongoDB ImplementationMongoDB
 
Back to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingBack to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingMongoDB
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
PhpRain- Build better web
PhpRain- Build better webPhpRain- Build better web
PhpRain- Build better webRk King
 
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic ApproachLiving with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic ApproachJeremy Zawodny
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...Andrey Devyatkin
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaJoe Stein
 
21 05-2018
21 05-201821 05-2018
21 05-2018Praaveen Vr
 
Operating PostgreSQL at Scale with Kubernetes
Operating PostgreSQL at Scale with KubernetesOperating PostgreSQL at Scale with Kubernetes
Operating PostgreSQL at Scale with KubernetesJonathan Katz
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedOctavio Paguaga
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...Andrey Devyatkin
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Redis深入浅出
Redis深入浅出Redis深入浅出
Redis深入浅出ruoyi ruan
 

Más contenido relacionado

La actualidad más candente

Discover MongoDB - Israel
Discover MongoDB - IsraelDiscover MongoDB - Israel
Discover MongoDB - IsraelMichael Fiedler
 
JCR In Action (ApacheCon EU 2008)
JCR In Action (ApacheCon EU 2008)JCR In Action (ApacheCon EU 2008)
JCR In Action (ApacheCon EU 2008)Carsten Ziegeler
 
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...Grand Parade Poland
 
Beyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseBeyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseMongoDB
 
Elasticsearch und die Java-Welt
Elasticsearch und die Java-WeltElasticsearch und die Java-Welt
Elasticsearch und die Java-WeltFlorian Hopf
 
Securing Your MongoDB Implementation
Securing Your MongoDB ImplementationSecuring Your MongoDB Implementation
Securing Your MongoDB ImplementationMongoDB
 
Back to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingBack to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingMongoDB
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
PhpRain- Build better web
PhpRain- Build better webPhpRain- Build better web
PhpRain- Build better webRk King
 
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic ApproachLiving with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic ApproachJeremy Zawodny
 

La actualidad más candente (10)

Discover MongoDB - Israel
Discover MongoDB - IsraelDiscover MongoDB - Israel
Discover MongoDB - Israel
 
JCR In Action (ApacheCon EU 2008)
JCR In Action (ApacheCon EU 2008)JCR In Action (ApacheCon EU 2008)
JCR In Action (ApacheCon EU 2008)
 
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...
Mateusz Gruszczynski - Performance tests in Gatling (Quality Questions Confer...
 
Beyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseBeyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB database
 
Elasticsearch und die Java-Welt
Elasticsearch und die Java-WeltElasticsearch und die Java-Welt
Elasticsearch und die Java-Welt
 
Securing Your MongoDB Implementation
Securing Your MongoDB ImplementationSecuring Your MongoDB Implementation
Securing Your MongoDB Implementation
 
Back to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to ShardingBack to Basics 2017: Introduction to Sharding
Back to Basics 2017: Introduction to Sharding
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
PhpRain- Build better web
PhpRain- Build better webPhpRain- Build better web
PhpRain- Build better web
 
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic ApproachLiving with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
 

Similar a Securing Databases with Dynamic Credentials

DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...Andrey Devyatkin
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaJoe Stein
 
Operating PostgreSQL at Scale with Kubernetes
Operating PostgreSQL at Scale with KubernetesOperating PostgreSQL at Scale with Kubernetes
Operating PostgreSQL at Scale with KubernetesJonathan Katz
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedOctavio Paguaga
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...Andrey Devyatkin
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Redis深入浅出
Redis深入浅出Redis深入浅出
Redis深入浅出ruoyi ruan
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...BalaBit
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops Chris Gates
 
Oracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo YooOracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo YooOracle Korea
 
Anwendungsfälle für Elasticsearch JAX 2015
Anwendungsfälle für Elasticsearch JAX 2015Anwendungsfälle für Elasticsearch JAX 2015
Anwendungsfälle für Elasticsearch JAX 2015Florian Hopf
 
Introduction to real time big data with Apache Spark
Introduction to real time big data with Apache SparkIntroduction to real time big data with Apache Spark
Introduction to real time big data with Apache SparkTaras Matyashovsky
 

Similar a Securing Databases with Dynamic Credentials (20)

DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
 
21 05-2018
21 05-201821 05-2018
21 05-2018
 
Operating PostgreSQL at Scale with Kubernetes
Operating PostgreSQL at Scale with KubernetesOperating PostgreSQL at Scale with Kubernetes
Operating PostgreSQL at Scale with Kubernetes
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
Redis深入浅出
Redis深入浅出Redis深入浅出
Redis深入浅出
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot web
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
 
Video Analysis in Hadoop
Video Analysis in HadoopVideo Analysis in Hadoop
Video Analysis in Hadoop
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
Oracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo YooOracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo Yoo
 
Anwendungsfälle für Elasticsearch JAX 2015
Anwendungsfälle für Elasticsearch JAX 2015Anwendungsfälle für Elasticsearch JAX 2015
Anwendungsfälle für Elasticsearch JAX 2015
 
Introduction to real time big data with Apache Spark
Introduction to real time big data with Apache SparkIntroduction to real time big data with Apache Spark
Introduction to real time big data with Apache Spark
 

Más de hyeongchae lee

patroni-based citrus high availability environment deployment
patroni-based citrus high availability environment deploymentpatroni-based citrus high availability environment deployment
patroni-based citrus high availability environment deploymenthyeongchae lee
 
[PGDay.Seoul 2020] PostgreSQL 13 New Features
[PGDay.Seoul 2020] PostgreSQL 13 New Features[PGDay.Seoul 2020] PostgreSQL 13 New Features
[PGDay.Seoul 2020] PostgreSQL 13 New Featureshyeongchae lee
 
[HashiTalk Korea] OCP with Super Tengen Toppa
[HashiTalk Korea] OCP with Super Tengen Toppa[HashiTalk Korea] OCP with Super Tengen Toppa
[HashiTalk Korea] OCP with Super Tengen Toppahyeongchae lee
 
OCP with super tengen toppa
OCP with super tengen toppaOCP with super tengen toppa
OCP with super tengen toppahyeongchae lee
 
PostgreSQL 정기 기술 세미나 22회
PostgreSQL 정기 기술 세미나 22회PostgreSQL 정기 기술 세미나 22회
PostgreSQL 정기 기술 세미나 22회hyeongchae lee
 
PGDay.Seoul 2016 lightingtalk
PGDay.Seoul 2016 lightingtalkPGDay.Seoul 2016 lightingtalk
PGDay.Seoul 2016 lightingtalkhyeongchae lee
 
20141206 4 q14_dataconference_i_am_your_db
20141206 4 q14_dataconference_i_am_your_db20141206 4 q14_dataconference_i_am_your_db
20141206 4 q14_dataconference_i_am_your_dbhyeongchae lee
 
osscon_mysql_redis_plugin
osscon_mysql_redis_pluginosscon_mysql_redis_plugin
osscon_mysql_redis_pluginhyeongchae lee
 
Oracle2DBMS Notes and Comments
Oracle2DBMS Notes and CommentsOracle2DBMS Notes and Comments
Oracle2DBMS Notes and Commentshyeongchae lee
 
in-memory database system and low latency
in-memory database system and low latencyin-memory database system and low latency
in-memory database system and low latencyhyeongchae lee
 

Más de hyeongchae lee (12)

patroni-based citrus high availability environment deployment
patroni-based citrus high availability environment deploymentpatroni-based citrus high availability environment deployment
patroni-based citrus high availability environment deployment
 
[PGDay.Seoul 2020] PostgreSQL 13 New Features
[PGDay.Seoul 2020] PostgreSQL 13 New Features[PGDay.Seoul 2020] PostgreSQL 13 New Features
[PGDay.Seoul 2020] PostgreSQL 13 New Features
 
[HashiTalk Korea] OCP with Super Tengen Toppa
[HashiTalk Korea] OCP with Super Tengen Toppa[HashiTalk Korea] OCP with Super Tengen Toppa
[HashiTalk Korea] OCP with Super Tengen Toppa
 
OCP with super tengen toppa
OCP with super tengen toppaOCP with super tengen toppa
OCP with super tengen toppa
 
PostgreSQL 정기 기술 세미나 22회
PostgreSQL 정기 기술 세미나 22회PostgreSQL 정기 기술 세미나 22회
PostgreSQL 정기 기술 세미나 22회
 
PGDay.Seoul 2016 lightingtalk
PGDay.Seoul 2016 lightingtalkPGDay.Seoul 2016 lightingtalk
PGDay.Seoul 2016 lightingtalk
 
20141206 4 q14_dataconference_i_am_your_db
20141206 4 q14_dataconference_i_am_your_db20141206 4 q14_dataconference_i_am_your_db
20141206 4 q14_dataconference_i_am_your_db
 
osscon_mysql_redis_plugin
osscon_mysql_redis_pluginosscon_mysql_redis_plugin
osscon_mysql_redis_plugin
 
Oracle2DBMS Notes and Comments
Oracle2DBMS Notes and CommentsOracle2DBMS Notes and Comments
Oracle2DBMS Notes and Comments
 
NewSQL
NewSQLNewSQL
NewSQL
 
eXtremeDB FE
eXtremeDB FEeXtremeDB FE
eXtremeDB FE
 
in-memory database system and low latency
in-memory database system and low latencyin-memory database system and low latency
in-memory database system and low latency
 

Último

Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 

Último (20)

Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 

Securing Databases with Dynamic Credentials

  • 1. Securing Databases with Dynamic Credentials and HashiCorp’s Vault PGDay.Seoul 2019 FB/hyeongchae.lee 1PGDay.Seoul 2019
  • 2. Temporary Security Credentials • shell script 또는 config 안에 username, password 필요한 경우 • 개발팀에서 운영 DB서버에 접속하여 몇가지 확인하고 싶을 경우 • 단발성 계정 생성 및 삭제가 빈번하게 일어날 경우 • GDPR 처럼 보안규정상 password expired 가 필요한 경우 PGDay.Seoul 2019 2
  • 3. Ansible : ssh delima PGDay.Seoul 2019 3
  • 7. Vault’s Polcies path “postgresql/creds/readonly” { capabilities = ["create", "read", "update", "delete", "list"] } root@pgsql12:/# ls -la /var/lib/postgresql/data/ drwx------ 19 postgres postgres 4096 Dec 2 02:45 . drwxr-xr-x 1 postgres postgres 4096 Nov 23 08:10 .. drwx------ 6 postgres postgres 4096 Dec 2 05:19 base drwx------ 2 postgres postgres 4096 Dec 2 06:58 global -rw------- 1 postgres postgres 4535 Dec 2 02:45 pg_hba.conf PGDay.Seoul 2019 7
  • 9. Vault’s Token $ vault read postgresql/creds/readonly Key Value --- ----- lease_id postgresql/creds/readonly/Dw35ApjCjE3x4WolwcD4GTgq lease_duration 1h lease_renewable true password ee1a06db-9d28-2e74-41fc-c97a8d137dd8 username token-a6c161c7-dbee-b2b1-4ede-7300ed4350fa PGDay.Seoul 2019 9
  • 10. Dynamically Securing Databases using Vault 10PGDay.Seoul 2019 Security Team Define secret policies PostgreSQL APPs username : root password : password Rotate the root credentials username : root password : newpassword Create DB credentials username : token-a6c161c… password : ee1a06db-9d… App gets unique set of DB Credentials to connect Read / Write from DB 1 1 2 2 3 4
  • 11. PotgreSQL Secrets Engine $ export VAULT_ADDR="http://127.0.0.1:8200" $ export VAULT_TOKEN="vault" $ vault secrets enable postgresql # dba admin / superuser $ vault write postgresql/config/connection connection_url="postgresql://root:root@172.16.100.1:5432/postgres?sslmode=disable" # create user and role $ vault write postgresql/roles/readonly sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";" # get credential $ vault read postgresql/creds/readonly PGDay.Seoul 2019 11 2 1 1 2 3 no policies get token connect create credential get credential
  • 12. 승인 워크플로우 (Approval Workflow) 12PGDay.Seoul 2019 1 2 3 4 5 Developer Dev Manager “You’re fired” DevOps Update /request_pgsql_access Auth / Role
  • 13. 액세스 워크플로우 ( Access Workflow ) 13PGDay.Seoul 2019 Developer SQLGate / flyway psql client / Token CLI / HTTP API 15 2 3 4 6 Auth / Role Personal Identification