Basic ACL Policies Lab

00:00

Welcome back. I hope you had some success. And I hope you didn't have to dig into the lab sub folder because that's where we have the solution for this. I'm gonna walk through this lab solution in this second part of the lesson. First step. Let's look at the actual until upload policy file itself.

00:18

It's pretty straightforward. Set up. We wanted to go secret data and then any mission name. That's the structure we're using here at M I. Six. Right? We're going to create a sub folder for the particular mission and then another sub path for Agent Intel. And we want to allow these

00:35

different secret agents to have the rights of creating

00:38

and updating, and that's about it.

00:50

I'm gonna shoot over to my terminal now and go ahead and create that policy. Clear the screening and upload the policy. First

01:02

involved policy. Right. We're gonna call the policy Intel lab dash intel upload dot hcea

01:12

success.

01:15

Now we're gonna create a few keys. Just Teoh set this stage and pre populate with some data that will want for later testing on the 1st 1 of the for doctor. No, doctor, No mission.

01:27

Animal to say

01:30

the value don't need to make it 22 exciting. Here. We're gonna create another secret.

01:38

And the doctor? No. Will say Agent Intel.

01:44

Even though we're not James Bond right now on the route. User, I'm gonna go ahead and create a secret there.

01:49

Let's, uh, create a secret for the good old GoldenEye mission,

01:57

and we'll create some pre populated agent in detail there.

02:01

And then finally, we're gonna go straight and just create some agent intel here for some false positive testing.

02:08

Let's go ahead and enable the user paths. Maybe user pass

02:17

looks. Looks like I was thinking audit when I should have been is thinking off.

02:23

Okay, user passes. No, no, no.

02:27

I think we are in good shape. Let's just do a little bit of a check here. Say, vault off list. So we have the authentication set up.

02:37

Okay, I'm just checking here. We have policies. There's our policy called the Intel policy. Let's go forward and create the James Bond account off user pass users. James password will be

02:57

shaken

02:58

and policies will be until

03:02

beautiful.

03:06

So, for final testing way, we would like to log in

03:12

using the user past method user name James Bond in the password Shaken.

03:24

And there we go so we can see automatically. We have our token and were associated with a few policies, namely default in Intel. So that's shaping up to be what we want. Let's go ahead and run the different commands to interact with keys. What's even get the secret for Dr No. Sure enough, we can't

03:44

as similarly, the Agent Intel sub Secret Directory

03:47

should be denied. Get no permissions to perform those activities about GoldenEye mission. That's another secret that we created.

03:59

No permission is denied. Um, Gold, just street agent Intel Secret that we created directly off the route.

04:08

We cannot perform that activity. Let's try creating a secrets in Dr No, and we will do it in such a way nooky equals value. And, um, way should not

04:26

have success here either.

04:29

Sure enough, we don't and let's try and write one more secret directly into, let's say the Agent Intel

04:39

directory and Secret Stash cannot do that either.

04:45

Now, on to performing some operations that were, we should have success. So let's put a secrets doctor. No mission. We want to upload some agent intel because we are logged in as James Bond. We want to send it back to base. We say new key equals new value

05:04

success.

05:08

We should be able to do something very similar for the GoldenEye. Mission. Success.

05:16

Let's test this out. Just one more area by specifying a mission that doesn't even exist yet wasn't even created. Call the Spectrum mission also have success there, so we can upload and create secrets to any Agent Intel

05:34

for closing this out. What did we learn? Well, we talked about vault policies and theory. We looked at the actual policy files and understood the basics of the syntax. We applied that knowledge in an actual lab activity, and we ended up creating a custom policy file

05:49

that provided right only access to certain secrets following that particular agent Intel