Database Automatic User Provisioning support for MariaDB #33018
Looks good so far. This is a fairly large change, and the SQL parts are unfamiliar, so I'll do another round on Monday.
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
* User auto-provisioning support for MariaDB
* fix lint
* revoke all-in-one role on deactivation
* review comments
* MariaDB to fallback on DeleteUser
* move sql files to a folder
…34256)
* Database Automatic User Provisioning support for MariaDB (#33018)
* User auto-provisioning support for MariaDB
* fix lint
* revoke all-in-one role on deactivation
* review comments
* MariaDB to fallback on DeleteUser
* move sql files to a folder
* Support MariaDB auto provisioned user deletion (#33938)
* feat(mysql): support mariadb delete auto provisioned user
* Update lib/srv/db/mysql/sql/mariadb_delete_user.sql
Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
---------
Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
---------
Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com>
Related
changelog: Database Automatic User Provisioning support for MariaDB
Changes:
db.admin_user.default_database
The overall flow is similar to MySQL. Differences are outlined in the comments for mariadbProcedures.
Next:
Tested:
Logged in as: a.very.very.very.very.very.very.very.very.very.very.very.very.long.name@teleport.example.com
Test Setup Examples:
Manual testing example with self-hosted MariaDB
1. Configure self-hosted MariaDB
Sample docker instance:
https://github.com/greedy52/teleport-database-test-setup/tree/main/mariadb
Log into the database as the default admin then set up Teleport admin user teleport-admin:
Create a few roles for testing:
2. Configure Teleport
Create a Teleport role for auto-user and assign it to your Teleport user, ex:
Create a static database in Database Service, ex:
3. Connect
tsh login
tsh db connect --db-user <teleport-user> --db-name test self-hosted-mariadb-auto
select current_user()
show grants;
Manual testing example with RDS MariaDB
1. Configure RDS MariaDB
Set up a MariaDB instance in AWS RDS, and add tags to the RDS instance:
Log into the database as the default admin then set up Teleport admin user teleport-admin:
Create a few roles for testing:
Note that the default admin user in RDS MariaDB does not have permission to do CREATE ROLE role1 WITH ADMIN teleport-admin. The workaround is to update mysql.roles_mapping manually (and then FLUSH PRIVILEGES).
2. Configure Teleport
Create a Teleport role for auto-user and assign it to your Teleport user, ex:
Use auto-discovery to register the RDS MariaDB database.
3. Connect
tsh login
tsh db connect --db-user <teleport-user> --db-name test steve-mariadb
select current_user()
show grants;