Using Teleport v15.4.19
I have a clickhouse server (named "clickhouse00") on my production network. This server has several users defined in its configuration, like:
My production network is on a private network and the clickhouse server is not reachable from the outside, except through teleport services.
Extract of teleport.yaml from clickhouse server:
With my team, we need to be able to connect in read-only to our production database, while production applications are running, using the prod-rw user.
So on my laptop, I first authenticate to Teleport:
Starting from here, if I:
tsh db connect clickhouse00 --db-user teleport-ro => success, I am connected with read-only privileges
tsh db connect clickhouse00 --db-user prod-rw => fail, access denied (as intended; so far, so good)
tsh proxy db --tunnel clickhouse00 --port 9440 then, in another window: clickhouse-client --host localhost --port 9440 --user prod-rw => success, I am connected with FULL privileges (which I'm not supposed to be able to do)
Am I doing something wrong?
Is there any other way to achieve the desired result: restricting distant people through Teleport from using unallowed users with tunnel mode (which is needed since we use GUI tools like dbeaver)?
Please let me know if I could post any additional useful information