How does database access role binding work? #5550
How does teleport handle role bindings between teleport users and database users when db access is configured? Is there anything that gets set/updated on the client side (as in the case of kubernetes service updating a user's local kubeconfig), or is it all handled on the db service server side by extracting and verifying the user identity from a TLS cert and matching against a previously-created database user?
Replies: 2 comments
@r0mant let me know if I need to elaborate or provide more context. Any help clarifying the process is appreciated.
@AHARIC Hey Alen, great question!

When connecting to a database using psql, mysql or other client, users still specify which database account they want to connect as or which "logical" database within the database server they want to connect to.

For example, say you've retrieved credentials for a Postgres instance that you named "example":

$ tsh db login example

The tsh db login command does update local configuration files which are database-specific. For Postgres it's the connection service file, for MySQL - option file. In there, it puts various connection parameters for the database you've logged into so CLI clients can reference them. It's somewhat similar to K8s' kubeconfig/contexts…

Then, when connecting to the database using
For example here I'm connecting as database account "viewer" to the "metrics" database:

$ psql "service=xxx user=viewer dbname=metrics"

You can also specify optional

$ tsh db login --db-user=viewer --db-name=metrics example
$ psql "service=xxx" # will connect as "viewer" to "metrics" by default

The "viewer" user should obviously exist in the database. Your Teleport user role (RBAC gets open-sourced in 6.0 so it'll be the case for OSS too) should allow you to use the "viewer" database account in order for you to be able to connect, something like:

spec:
  allow:
    db_labels:
      "*": "*"
    db_users: ["viewer", "editor"]
    db_names: ["main", "metrics", "postgres"]

Hope that clears things up!
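To make the server-side part of the answer concrete, here is an added illustration (not Teleport's code, and not from the discussion) of how an `allow` section like the one above gates a connection: the only inputs are the user's role and the `db_user`/`db_name` the client asked for, matched against `db_labels`, `db_users` and `db_names`. The label-matching rules and the two roles are constructed assumptions for this example, simplified from what a real RBAC engine does.

```python
from typing import Dict, Tuple

# Constructed role, mirroring the YAML in the answer above (as a dict so the
# example runs without a YAML dependency).
VIEWER_ROLE = {
    "spec": {
        "allow": {
            "db_labels": {"*": "*"},
            "db_users": ["viewer", "editor"],
            "db_names": ["main", "metrics", "postgres"],
        }
    }
}

# Constructed role restricted to databases labelled env=staging.
STAGING_ROLE = {
    "spec": {
        "allow": {
            "db_labels": {"env": "staging"},
            "db_users": ["viewer"],
            "db_names": ["metrics"],
        }
    }
}


def labels_match(selector: Dict[str, str], db_labels: Dict[str, str]) -> bool:
    """Simplified label matching (an assumption of this example): "*": "*"
    matches any database; otherwise every selector key must be present on the
    database with an equal value, or the selector value is the wildcard "*"."""
    if selector.get("*") == "*":
        return True
    return all(
        key in db_labels and (want == "*" or db_labels[key] == want)
        for key, want in selector.items()
    )


def check_connection(role: dict, db_labels: Dict[str, str],
                     db_user: str, db_name: str) -> Tuple[bool, str]:
    """Model of the server-side check: the role bound to the verified identity
    plus the requested database account and database name decide the outcome;
    nothing about the database account has to be stored on the client."""
    allow = role["spec"]["allow"]
    if not labels_match(allow["db_labels"], db_labels):
        return False, "database not matched by db_labels"
    if db_user not in allow["db_users"]:
        return False, f'database account "{db_user}" not in db_users'
    if db_name not in allow["db_names"]:
        return False, f'database "{db_name}" not in db_names'
    return True, "allowed"
```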