Database Automatic User Provisioning support for MariaDB #33018

Merged
merged 10 commits into from Oct 23, 2023

Conversation

@greedy52 (Contributor) commented Oct 5, 2023

Related

changelog: Database Automatic User Provisioning support for MariaDB

Changes:

  • Added support db.admin_user.default_database
  • Added MariaDB auto-user provisioning stored procedures.
  • Enabled MariaDB auto-user provisioning in the engine.

The overall flow is similar to MySQL. Differences are outlined in the comments for mariadbProcedures.

Next:

  • Docs for auto-user provisioning for MySQL/MariaDB

Tested:

  • Self-hosted MariaDB 10.2.11 (older than 10.2.11 are not supported)
  • Self-hosted MariaDB 10.3.3 (older than 10.3.3 are not supported)
  • Self-hosted MariaDB 10.4.0
  • Self-hosted MariaDB 10.7
  • Self-hosted MariaDB 11.1
  • RDS MariaDB instance 10.11
  • Logged in as: a.very.very.very.very.very.very.very.very.very.very.very.very.long.name@teleport.example.com

Test Setup Examples:

Manual testing example with self-hosted MariaDB

1. Configure self-hosted MariaDB

Sample docker instance:
https://github.com/greedy52/teleport-database-test-setup/tree/main/mariadb

Log into the database as the default admin then set up Teleport admin user teleport-admin:

CREATE DATABASE IF NOT EXISTS teleport; -- Default database.
CREATE USER 'teleport-admin' REQUIRE SUBJECT '/CN=teleport-admin'; -- Client-certificate auth only; no password is set.
GRANT PROCESS, CREATE USER ON *.* TO 'teleport-admin'; -- Create/drop provisioned users and inspect their sessions.
GRANT SELECT ON mysql.roles_mapping TO 'teleport-admin'; -- Read which roles are granted to whom.
GRANT ALL ON teleport.* TO 'teleport-admin'; -- Allow access to default database.
GRANT UPDATE ON mysql.* TO 'teleport-admin'; -- Allow SET DEFAULT ROLE FOR.

Create a few roles for testing:

CREATE ROLE role1 WITH ADMIN 'teleport-admin';
CREATE ROLE role2 WITH ADMIN 'teleport-admin';
CREATE ROLE role3 WITH ADMIN 'teleport-admin';
CREATE DATABASE IF NOT EXISTS test;
GRANT SELECT ON test.* to role1;

2. Configure Teleport

Create a Teleport role for auto-user and assign it to your Teleport user, ex:

kind: role
version: v6
metadata:
  name: mysql-auto-user
spec:
  options:
    create_db_user: true
  allow:
    db_labels:
      "Owner": "STeve"
      "teleport.dev/db-admin": "teleport-admin"
    db_names:
    - "*"
    db_roles:
    - "role1"
    - "role3"

Create a static database in Database Service, ex:

db_service:
  enabled: "yes"
  databases:
  - name: "self-hosted-mariadb-auto"
    protocol: "mysql"
    uri: "localhost:3307"
    static_labels:
      Owner: "STeve"
      "teleport.dev/db-admin": "teleport-admin"
    admin_user:
      name: "teleport-admin"

3. Connect

  • tsh login
  • tsh db connect --db-user <teleport-user> --db-name test self-hosted-mariadb-auto
  • select current_user()
  • show grants;

Manual testing example with RDS MariaDB

1. Configure RDS MariaDB

Set up a MariaDB instance in AWS RDS, and add tags to the RDS instance:

Tag                     Value
Owner                   STeve
teleport.dev/db-admin   teleport-admin

Log into the database as the default admin then set up Teleport admin user teleport-admin:

CREATE DATABASE IF NOT EXISTS teleport;  -- Default database.
CREATE USER 'teleport-admin' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; -- IAM authentication; no password is set.
GRANT PROCESS, CREATE USER ON *.* TO 'teleport-admin'; -- Create/drop provisioned users and inspect their sessions.
GRANT SELECT ON mysql.roles_mapping TO 'teleport-admin'; -- Read which roles are granted to whom.
GRANT ALL ON teleport.* TO 'teleport-admin'; -- Allow access to default database.
GRANT UPDATE ON mysql.* TO 'teleport-admin'; -- Allow SET DEFAULT ROLE FOR.

Create a few roles for testing:

CREATE ROLE role1;
CREATE ROLE role2;
CREATE ROLE role3;
UPDATE mysql.roles_mapping SET User ='teleport-admin' WHERE Admin_option='Y' AND Role='role1';
UPDATE mysql.roles_mapping SET User ='teleport-admin' WHERE Admin_option='Y' AND Role='role2';
UPDATE mysql.roles_mapping SET User ='teleport-admin' WHERE Admin_option='Y' AND Role='role3';
CREATE DATABASE IF NOT EXISTS test;
GRANT SELECT ON test.* to role1;
FLUSH PRIVILEGES;

Note that the default admin user in RDS MariaDB does not have permission to do CREATE ROLE role1 WITH ADMIN teleport-admin. The workaround is to update mysql.roles_mapping manually (and then FLUSH PRIVILEGES).

2. Configure Teleport

Create a Teleport role for auto-user and assign it to your Teleport user, ex:

kind: role
version: v6
metadata:
  name: mysql-auto-user
spec:
  options:
    create_db_user: true
  allow:
    db_labels:
      "Owner": "STeve"
      "teleport.dev/db-admin": "teleport-admin"
    db_names:
    - "*"
    db_roles:
    - "role1"
    - "role3"

Use auto-discovery to register the RDS MariaDB database.

3. Connect

  • tsh login
  • tsh db connect --db-user <teleport-user> --db-name test steve-mariadb
  • select current_user()
  • show grants;
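
To see what each grant in the admin setup above is for (both the self-hosted and the RDS variant), here is the provisioning sequence run by hand as teleport-admin. This is an added illustration written for this page, not Teleport's stored procedures or an excerpt of the PR; the provisioned user name alice@teleport.example.com, the aggregate role name tp-alice, and the assumption that the flow aggregates the requested roles into one per-user role are all assumptions. It targets MariaDB 10.4+ role syntax.

```sql
-- Added illustration (not Teleport's code): the auto-provisioning steps executed
-- manually as 'teleport-admin', so each privilege granted above can be seen in use.
-- Assumed names: user 'alice@teleport.example.com', aggregate role 'tp-alice'.

-- 0. Check the admin account before trusting it with provisioning.
--    Every role it is expected to hand out must show Admin_option = 'Y'
--    (that is what CREATE ROLE ... WITH ADMIN, or the RDS roles_mapping
--    workaround, provides). Needs SELECT ON mysql.roles_mapping.
SHOW GRANTS FOR 'teleport-admin';
SELECT User, Host, Role, Admin_option
  FROM mysql.roles_mapping
 WHERE User = 'teleport-admin';

-- 1. Activate: create the user if missing. Needs CREATE USER ON *.*.
--    Self-hosted: bind the account to a client certificate, so no password exists.
CREATE USER IF NOT EXISTS 'alice@teleport.example.com'
  REQUIRE SUBJECT '/CN=alice@teleport.example.com';
--    RDS MariaDB (assumed equivalent): IAM authentication instead of a certificate.
-- CREATE USER IF NOT EXISTS 'alice@teleport.example.com'
--   IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

-- 2. Roles. MariaDB activates only ONE default role per session, so to make all
--    requested roles (role1 and role3 from the Teleport role's db_roles) active
--    at login, bundle them into a per-user aggregate role, grant that to the user,
--    and make it the default. GRANT role TO ... requires admin option on the role.
CREATE ROLE IF NOT EXISTS 'tp-alice' WITH ADMIN 'teleport-admin';
GRANT 'role1' TO 'tp-alice';
GRANT 'role3' TO 'tp-alice';
GRANT 'tp-alice' TO 'alice@teleport.example.com';
SET DEFAULT ROLE 'tp-alice' FOR 'alice@teleport.example.com'; -- needs UPDATE ON mysql.*

-- 3. Verify from the admin side; the user sees the same with SHOW GRANTS.
SHOW GRANTS FOR 'alice@teleport.example.com';
SELECT Role, Admin_option FROM mysql.roles_mapping WHERE User = 'tp-alice';

-- 4. Deactivate: remove every role so nothing remains active, keep the user row.
SET DEFAULT ROLE NONE FOR 'alice@teleport.example.com';
REVOKE 'tp-alice' FROM 'alice@teleport.example.com';
REVOKE 'role1' FROM 'tp-alice';
REVOKE 'role3' FROM 'tp-alice';
DROP ROLE IF EXISTS 'tp-alice';

-- 5. Delete (fallback when the account should disappear entirely). Needs CREATE USER.
-- DROP USER IF EXISTS 'alice@teleport.example.com';
```

Two practical points follow from the sequence. First, if step 0 shows Admin_option = 'N' for a role, step 2 fails with an access-denied error at GRANT, which is the symptom to look for when a db_roles entry silently does not work. Second, UPDATE ON mysql.* is much broader than the single SET DEFAULT ROLE FOR statement it is there to permit: the same account can rewrite the grant tables directly, so the teleport-admin credential (certificate or IAM identity) should be treated as a server-level secret.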

@greedy52 greedy52 added database-access, changelog labels Oct 5, 2023
@greedy52 greedy52 self-assigned this Oct 5, 2023
@greedy52 greedy52 changed the title User auto-provisioning support for MariaDB Database Automatic User Provisioning support for MariaDB Oct 5, 2023
@greedy52 greedy52 force-pushed the STeve/27323_mariadb_auto_user branch from 11c606e to 3909d8c October 5, 2023 17:33
@greedy52 greedy52 marked this pull request as ready for review October 5, 2023 20:01
@github-actions github-actions bot added size/md, tsh labels Oct 5, 2023
@Tener (Contributor) left a comment

Looks good so far. This is a fairly large change, and the SQL parts are unfamiliar, so I'll do another round on Monday.

Review threads (all resolved) on: lib/srv/db/mysql/autousers.go, lib/srv/db/mysql/mariadb_activate_user.sql, api/types/database.go
@github-actions bot

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@greedy52 greedy52 added this pull request to the merge queue Oct 23, 2023
Merged via the queue into master with commit 8180618 Oct 23, 2023
35 checks passed
@greedy52 greedy52 deleted the STeve/27323_mariadb_auto_user branch October 23, 2023 20:23
@public-teleport-github-review-bot

@greedy52 See the table below for backport results.

Branch       Result
branch/v14   Failed

greedy52 added a commit that referenced this pull request Nov 6, 2023
* User auto-provisioning support for MariaDB

* fix lint

* revoke all-in-one role on deactivation

* review comments

* MariaDB to fallback on DeleteUser

* move sql files to a folder
github-merge-queue bot pushed a commit that referenced this pull request Nov 8, 2023
…34256)

* Database Automatic User Provisioning support for MariaDB (#33018)

* User auto-provisioning support for MariaDB

* fix lint

* revoke all-in-one role on deactivation

* review comments

* MariaDB to fallback on DeleteUser

* move sql files to a folder

* Support MariaDB auto provisioned user deletion (#33938)

* feat(mysql): support mariadb delete auto provisioned user

* Update lib/srv/db/mysql/sql/mariadb_delete_user.sql

Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>

---------

Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>

---------

Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com>
Labels
backport/branch/v14, database-access, size/md, tsh

4 participants