  1. #!/bin/bash
  2.  
  3. set -aex
  4.  
  5. # Create namespace foo
  6. vault namespace create foo
  7.  
  8. # Create policy in root namespace for foo's admin
  9. vault policy write foo-ns-admin - <<EOF
  10. path "foo/auth/*"
  11. {
  12. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  13. }
  14.  
  15. path "foo/sys/auth"
  16. {
  17. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  18. }
  19.  
  20. path "foo/sys/auth/*"
  21. {
  22. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  23. }
  24.  
  25. path "identity/*"
  26. {
  27. capabilities = ["read", "list"]
  28. }
  29.  
  30. path "foo/identity/*"
  31. {
  32. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  33. }
  34.  
  35. path "foo/sys/policies"
  36. {
  37. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  38. }
  39.  
  40. path "foo/sys/policies/*"
  41. {
  42. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  43. }
  44.  
  45. path "foo/sys/policy"
  46. {
  47. capabilities = ["read", "update", "list"]
  48. }
  49.  
  50. path "foo/sys/policy/*"
  51. {
  52. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  53. }
  54.  
  55. path "foo/sys/capabilities-self"
  56. {
  57. capabilities = ["read", "update", "list"]
  58. }
  59.  
  60. path "foo/sys/mounts"
  61. {
  62. capabilities = ["read", "list"]
  63. }
  64. path "foo/sys/mounts/*"
  65. {
  66. capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  67. }
  68.  
  69. path "foo/sys/namespaces"
  70. {
  71. capabilities = ["read", "list"]
  72. }
  73.  
  74. path "foo/sys/namespaces/*"
  75. {
  76. capabilities = ["create", "update", "delete", "list"]
  77. }
  78. EOF
  79.  
  80. # Mount and configure LDAP Auth
  81. cat > ldapConfig -<<EOF
  82. {
  83. "url": "ldap://ldap.forumsys.com",
  84. "userattr": "uid",
  85. "userdn": "dc=example,dc=com",
  86. "groupdn": "dc=example,dc=com",
  87. "binddn": "cn=read-only-admin,dc=example,dc=com"
  88. }
  89. EOF
  90. vault auth enable ldap
  91. vault write auth/ldap/config @ldapConfig
  92. vault write auth/ldap/groups/dev policies=foo-ns-admin
  93. vault write auth/ldap/users/tesla groups=dev
  94.  
  95. # Create an external group and a respective group alias
  96. devGroupID=$(vault write -format json identity/group name=dev type=external | jq -r '.data.id')
  97. ldapMountAccessor=$(vault auth list -format json | jq -r '.["ldap/"].accessor')
  98. vault write identity/group-alias name=dev mount_accessor=$ldapMountAccessor canonical_id=$devGroupID
  99.  
  100. # Login using LDAP to get a client token
  101. clientToken=$(vault write -format json auth/ldap/login/tesla password=password | jq -r '.auth.client_token')
  102. vault token lookup $clientToken
  103.  
  104. # Delete namespace foo and see if the login still works
  105. vault namespace delete foo
  106. vault write auth/ldap/login/tesla password=password