open-vault/website/source/docs/enterprise/namespaces/index.html.md
2018-08-15 17:44:00 -07:00


---
layout: "docs"
page_title: "Namespaces - Vault Enterprise"
sidebar_current: "docs-vault-enterprise-namespaces"
description: |-
  Vault Enterprise has support for Namespaces, a feature to enable Secure Multi-tenancy (SMT) and self-management.
---

# Vault Enterprise Namespaces

## Overview

Many organizations implement Vault as a Service (or "VaaS"), providing centralized management to a security or ops team while ensuring that separate teams within that organization operate within self-contained environments known as "tenants."

There are two common challenges when implementing this architecture in Vault:

**Tenant Isolation**: Teams within a VaaS environment frequently require strong isolation from other tenants in their policies, secrets, and sometimes even their own identity entities and groups. Tenant isolation is often driven by regulations such as GDPR, though it may be required by corporate or organizational infosec policy as well.

**Self-Management**: As new tenants are added, there is an additional human cost in management overhead for the central team. Given that tenants will likely have different policies and request changes at different rates, managing a multi-tenant environment can become very difficult for a single team as the number of tenants within that environment grows.

'Namespaces' is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy (or SMT) within a single Vault Enterprise infrastructure. Through namespaces, Vault administrators can support tenant isolation for teams and individuals as well as empower those individuals to self-manage their own tenant environment.

## Architecture

Namespaces are isolated environments that functionally exist as "Vaults within a Vault." Each namespace has its own login paths and supports creating and managing data that is isolated to that namespace, including the following:

- Secret Engine Mounts
- Policies
- Identities (Entities, Groups)
- Tokens

Namespaces can also be configured to inherit all of this data from a parent namespace. This simplifies the deployment of new namespaces, and can be combined with Sentinel policies to prescribe organization-wide infosec policies on tenants.

## Example Implementation

## Setup and Best Practices

A deployment guide is available to help you get started, and contains examples of namespace architecture.

## API

Namespaces support a full HTTP API; see the Vault Namespace API documentation for details.
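The Architecture section above says each namespace has its own login paths and mounts, and the API section says namespaces are addressed over HTTP. The following is an added example, not code from the Vault project or its documentation: it shows how a client targets a namespace on the wire (the `X-Vault-Namespace` header, as the CLI's `-namespace` flag and `VAULT_NAMESPACE` set it, or a path prefix under `/v1/`, with the header namespace treated as the parent of any prefix in the path), and why a login path such as `auth/userpass/login/alice` resolves differently per namespace. `MockVault`, its `NAMESPACES` table and the `resolve_namespace` rule are constructed stand-ins so the block runs offline; no Vault server is contacted, and the exact combination rule should be checked against the Namespace API doc for your version.

```python
"""Added example (not Vault's own code): addressing namespaces over the HTTP API.

Vault accepts the target namespace as an X-Vault-Namespace header or as a path
prefix under /v1/; with both present, the path prefix nests under the header
namespace.  resolve_namespace() implements that rule; MockVault is a constructed
stand-in for a server so the example runs offline.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample deployment: root, a child ns1 and a grandchild ns1/ns2,
# each with its own mounts.  Note userpass is mounted only in ns1.
NAMESPACES = {
    "": {"mounts": ["secret/", "auth/token/"]},
    "ns1/": {"mounts": ["secret/", "auth/userpass/", "auth/token/"]},
    "ns1/ns2/": {"mounts": ["kv/", "auth/token/"]},
}


def resolve_namespace(header_ns, api_path):
    """Split '/v1/<ns-prefix>/<mount>/<rest>' into (namespace, relative path).

    header_ns is the X-Vault-Namespace value ('' for root).  The longest known
    namespace prefix wins, so 'ns1/ns2/kv/x' is ns1/ns2 + 'kv/x', not
    ns1 + 'ns2/kv/x'.  Returns None if the combined namespace does not exist.
    """
    assert api_path.startswith("/v1/")
    rel = api_path[len("/v1/"):]
    base = header_ns.strip("/")
    base = base + "/" if base else ""
    segments = rel.split("/")
    for n in range(len(segments) - 1, -1, -1):      # longest prefix first
        candidate = base + "/".join(segments[:n])
        if candidate and not candidate.endswith("/"):
            candidate += "/"
        if candidate in NAMESPACES:
            return candidate, "/".join(segments[n:])
    return None


class MockVault(BaseHTTPRequestHandler):
    """Constructed server: routes a request to a namespace and one of its mounts."""

    def do_GET(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        resolved = resolve_namespace(self.headers.get("X-Vault-Namespace", ""), self.path)
        if resolved is None:
            return self._reply(404, {"errors": ["no such namespace"]})
        ns, rel = resolved
        if not any(rel.startswith(m) for m in NAMESPACES[ns]["mounts"]):
            return self._reply(404, {"errors": ["no handler for route"]})
        self._reply(200, {"namespace": ns, "path": rel})

    do_POST = do_GET  # login endpoints are POSTs; routing is identical

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def vault_request(base_url, path, namespace=None, method="GET", token="s.example"):
    """Call /v1/<path> the way the CLI does: namespace in the header, path relative.
    Returns (status, decoded JSON body); 4xx bodies are returned, not raised."""
    req = Request(base_url + "/v1/" + path, data=b"" if method == "POST" else None, method=method)
    req.add_header("X-Vault-Token", token)          # placeholder token, constructed
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def start_mock():
    server = HTTPServer(("127.0.0.1", 0), MockVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Same mount addressed by header and by prefix; login path that exists only in ns1."""
    server, url = start_mock()
    try:
        return {
            "header": vault_request(url, "secret/foo", namespace="ns1"),
            "prefix": vault_request(url, "ns1/secret/foo"),
            "nested": vault_request(url, "ns2/kv/app", namespace="ns1"),
            "login_ns1": vault_request(url, "auth/userpass/login/alice", namespace="ns1", method="POST"),
            "login_root": vault_request(url, "auth/userpass/login/alice", method="POST"),
            "unknown": vault_request(url, "secret/foo", namespace="nope"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two forms `X-Vault-Namespace: ns1` + `secret/foo` and the bare path `ns1/secret/foo` land on the same mount, while the userpass login succeeds only when the request is scoped to `ns1`, because the root namespace has no such auth mount: the mount table, and therefore the login path, is per namespace. A token returned by that login is likewise scoped to `ns1`, which is why the CLI keeps the namespace in the header rather than rewriting every path.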