Hi,
I'm in the process of implementing MySQL automatic user provisioning in Teleport. While the users are being correctly created in the database, they all end up assigned to the default role `teleport-auto-user`. I am attempting to utilize the `db_object_import_rule` to not only restrict access to certain tables within a database but also to couple these restrictions with specific Teleport roles for user assignments. However, this isn't working as anticipated. I am unsure if my understanding or implementation is off. My expectation was that combining `db_object_import_rule` with a Teleport role would allow me to control access for automatically provisioned users to specific databases and tables effectively. Or should we manually create DB roles in MySQL and assign them to a Teleport role (this worked for me)? But I'd like to know if the DB role can also be auto-created in MySQL. Below, I will share the sample configurations I am using for both the role and the rule. Could someone clarify if my approach is correct or suggest what I might be missing?
Spec: AWS RDS MySQL version 8.0.33, Teleport 15.2.1
Terraform Teleport role config
```hcl
resource "teleport_role" "db_rw_access" {
  version = "v7"
  metadata = {
    name        = "db-dev-common-rw-access"
    description = "Accessing with read/write rights to all common tables in dev databases. Currently under testing with db import rule"
    labels = merge(
      local.tags,
      {
        "teleport.dev/origin" = "dynamic"
      }
    )
  }
  spec = {
    options = {
      forward_agent           = false
      max_session_ttl         = "24h0m0s"
      port_forwarding         = true
      client_idle_timeout     = "1h"
      disconnect_expired_cert = true
      permit_x11_forwarding   = false
      request_access          = "denied"
      create_db_user_mode     = 2
    }
    allow = {
      db_names = [
        "*",
      ]
      db_labels = {
        "Environment" = [
          "dev",
        ]
        "Name" = [
          "dev-common-mysql"
        ]
      }
      db_permissions = [
        {
          match = {
            "dev" = ["common_tables"]
            "Environment" = [
              "dev",
            ]
          }
          permissions = [
            "SELECT",
          ]
        }
      ]
    }
    deny = {
      logins = [
        "anonymous",
      ]
      db_users = [
        "root",
        "admin",
      ]
    }
  }
}
```
db_object_import_rule
```yaml
kind: db_object_import_rule
metadata:
  name: dev_common_tables
spec:
  priority: 10
  database_labels:
    - name: 'Environment'
      values:
        - 'dev'
    - name: 'Name'
      values:
        - 'dev-common-mysql'
  mappings:
    - add_labels:
        dev: common_tables
      match:
        procedure_names:
          - ''
        table_names:
          - 'CMS'
        view_names:
          - ''
      scope:
        database_names:
          - 'lp_staging'
version: v1
```
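An added example, not from the original post and not Teleport's own code: a simplified Python model of how the `db_object_import_rule` above attaches `dev: common_tables` to matching objects and how the role's `db_permissions` match block is then evaluated against each object's labels. It assumes that every key in a match block must be present on the object (with `*` as a glob wildcard) and that imported objects carry only the rule's labels plus a few automatic ones (`database_name`, `object_kind`, `name`); both are assumptions to confirm against the Teleport docs for the version in use.

```python
from fnmatch import fnmatch
IMPORT_RULE = {  # the db_object_import_rule from the post, as a dict
    "database_labels": {"Environment": ["dev"], "Name": ["dev-common-mysql"]},
    "mappings": [{
        "add_labels": {"dev": "common_tables"},
        "match": {"table_names": ["CMS"], "view_names": [""], "procedure_names": [""]},
        "scope": {"database_names": ["lp_staging"]},
    }],
}
ROLE_DB_PERMISSIONS = [  # allow.db_permissions from the Terraform role in the post
    {"match": {"dev": ["common_tables"], "Environment": ["dev"]}, "permissions": ["SELECT"]},
]
KIND_TO_MATCH_KEY = {"table": "table_names", "view": "view_names", "procedure": "procedure_names"}

def labels_match(required, labels):
    """Assumed semantics: every required key must exist on the object and one value must glob-match."""
    return all(k in labels and any(fnmatch(labels[k], v) for v in vals)
               for k, vals in required.items())

def apply_import_rule(rule, db_labels, objects):
    """Add a mapping's labels to each object whose database is in scope and whose name matches."""
    if not labels_match(rule["database_labels"], db_labels):
        return objects  # the rule does not apply to this database at all
    for obj in objects:
        for m in rule["mappings"]:
            in_scope = any(fnmatch(obj["database"], s)
                           for s in m.get("scope", {}).get("database_names", ["*"]))
            names = m["match"].get(KIND_TO_MATCH_KEY[obj["kind"]], [])
            if in_scope and any(n and fnmatch(obj["name"], n) for n in names):  # '' never matches
                obj["labels"].update(m["add_labels"])
    return objects

def granted_permissions(db_permissions, obj):
    """Permissions from every entry whose match block is satisfied by the object's labels."""
    return sorted({p for e in db_permissions if labels_match(e["match"], obj["labels"])
                   for p in e["permissions"]})

def evaluate(db_permissions=ROLE_DB_PERMISSIONS):
    """Run the model over constructed objects; returns {(database, table): (dev label, permissions)}."""
    db_labels = {"Environment": "dev", "Name": "dev-common-mysql"}  # the RDS database's labels
    objects = [{"kind": "table", "name": n, "database": d,
                "labels": {"database_name": d, "object_kind": "table", "name": n}}  # assumed auto labels
               for d, n in [("lp_staging", "CMS"), ("lp_staging", "orders"), ("other_db", "CMS")]]
    apply_import_rule(IMPORT_RULE, db_labels, objects)
    return {(o["database"], o["name"]): (o["labels"].get("dev"), granted_permissions(db_permissions, o))
            for o in objects}

if __name__ == "__main__":
    for (db, tbl), (dev, perms) in evaluate().items():
        print(f"{db}.{tbl}: dev={dev} permissions={perms}")
```

In this model the posted role looks for the `Environment` key on the object's own labels, not the database's, so `lp_staging.CMS` gets the `dev` label but no permissions; calling `evaluate()` with a match on `dev` alone returns `SELECT` for it.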