From 074d584b7a9447dfde15314455bf7e82f3604ccf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Skrz=C4=99tnicki?= Date: Mon, 23 Dec 2024 14:03:41 +0100 Subject: [PATCH] Document disabling default import rule (#50324) * Document disabling default import rule * Update docs/pages/enroll-resources/database-access/rbac.mdx Co-authored-by: Paul Gottschling * Update docs/pages/enroll-resources/database-access/rbac.mdx Co-authored-by: Paul Gottschling --------- Co-authored-by: Paul Gottschling --- .../enroll-resources/database-access/rbac.mdx | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/pages/enroll-resources/database-access/rbac.mdx b/docs/pages/enroll-resources/database-access/rbac.mdx index 38a63801be474..d383ab0d0b8d9 100644 --- a/docs/pages/enroll-resources/database-access/rbac.mdx +++ b/docs/pages/enroll-resources/database-access/rbac.mdx @@ -264,6 +264,35 @@ spec: version: v1 ``` +### Disabling the default import rule + +Teleport expects at least one import rule to be defined. If it is missing, the Teleport Auth Service will create a default import rule on startup. + +If you don't want to import any database objects, create a rule that matches no databases. In the example below, the list of matching label values is empty, so no database will ever match this selector. + +```yaml +kind: db_object_import_rule +metadata: + name: import_no_objects +spec: + database_labels: + - {} + mappings: + - {} +version: v1 +``` + +Create the custom rule and remove the default one: + +{/* spell-checker: disable */} +```code +$ tctl create -f import_no_objects.yaml +rule "import_no_objects" has been created +$ tctl rm db_object_import_rule/import_all_objects +Rule "import_all_objects" has been deleted +``` +{/* spell-checker: enable */} + ### Database admin user A database admin user is responsible for granting permissions to end users. You
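Review bot: In the YAML example of the new "Disabling the default import rule" section, the sentence "the list of matching label values is empty" does not line up with what is shown: `database_labels` holds a single `- {}` entry, with no label name and no values list visible. Either show the selector with an explicit label key and an empty values list, or reword the sentence to describe the empty-map selector and explain why it matches no database, since a reader could just as easily take `{}` to mean "match everything". The `tctl rm` step also refers to `import_all_objects` although the added text never names the default rule; state that name in the first paragraph. Because the text says the Auth Service creates a default rule on startup when none is defined, it is worth saying explicitly that the order matters (create the custom rule first, then remove the default), and closing with a step that lists the remaining import rules so the operator can confirm only `import_no_objects` is left.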