Allow users to request database certificates in Machine ID #11904
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds a new destination-level config option to `tbot.yaml` that
allows users to request database access for a particular destination
certificate. Behind the scenes, this triggers generates two
impersonated certs: the first identity is generated to request the
specified roles and resolve the database config, then is replaced
with a new identity using those roles plus a fully-formed
`RouteToDatabase` request.
Database requests are made by adding a destination entry like the
following to `tbot.yaml`:
```yaml
destinations:
- directory: /foo/bar
database:
service: <teleport database name>
username: <database username>
database: <database name>
# The certs won't be very useful without TLS
kinds: [tls]
```
We currently don't support proxying or generating db-specific config
files. See #11596 for an `identityfile` implementation that can help.
Additionally, we don't currently have a `tsh proxy` equivalent so the
legacy MySQL handlers need to be enabled, which is not the case by
default in Teleport 9. However, that same PR can export a
tsh-compatible identity file for the datbase identity which can be
passed along to `tsh -i ...` and presumably used with its proxy
commands. We plan to follow-up with another PR to improve this UX.
|
While writing the PR description I realized I did still have a manual hack in place for the TLS CA certs. We still use |
zmb3
reviewed
Apr 13, 2022
Comment on lines
26
to
27
| // Service is the service name of the | ||
| Service string `yaml:"service,omitempty"` |
There was a problem hiding this comment.
The godoc is incomplete here. What is service supposed to be?
|
After thinking on it I think I'd like to resolve the missing TLS CAs as part of #11596 where we'll be making significant changes to artifact saving/loading anyway. Any changes here are just going to create conflicts and I don't think it's too awful to borrow the cluster's CA cert from tsh or cut and paste it from our |
r0mant
approved these changes
Apr 15, 2022
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
zmb3
approved these changes
Apr 19, 2022
timothyb89
added a commit
that referenced
this pull request
Apr 23, 2022
* Allow users to request database certificates in Machine ID
This adds a new destination-level config option to `tbot.yaml` that
allows users to request database access for a particular destination
certificate. Behind the scenes, this triggers generates two
impersonated certs: the first identity is generated to request the
specified roles and resolve the database config, then is replaced
with a new identity using those roles plus a fully-formed
`RouteToDatabase` request.
Database requests are made by adding a destination entry like the
following to `tbot.yaml`:
```yaml
destinations:
- directory: /foo/bar
database:
service: <teleport database name>
username: <database username>
database: <database name>
# The certs won't be very useful without TLS
kinds: [tls]
```
We currently don't support proxying or generating db-specific config
files. See #11596 for an `identityfile` implementation that can help.
Additionally, we don't currently have a `tsh proxy` equivalent so the
legacy MySQL handlers need to be enabled, which is not the case by
default in Teleport 9. However, that same PR can export a
tsh-compatible identity file for the datbase identity which can be
passed along to `tsh -i ...` and presumably used with its proxy
commands. We plan to follow-up with another PR to improve this UX.
* Try to fix flaky test
* Address review feedback
* Update tool/tbot/renew.go
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* Add special username checks for MongoDB and Redis
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
timothyb89
added a commit
that referenced
this pull request
May 4, 2022
…12195) * Allow users to request database certificates in Machine ID This adds a new destination-level config option to `tbot.yaml` that allows users to request database access for a particular destination certificate. Behind the scenes, this triggers generates two impersonated certs: the first identity is generated to request the specified roles and resolve the database config, then is replaced with a new identity using those roles plus a fully-formed `RouteToDatabase` request. Database requests are made by adding a destination entry like the following to `tbot.yaml`: ```yaml destinations: - directory: /foo/bar database: service: <teleport database name> username: <database username> database: <database name> # The certs won't be very useful without TLS kinds: [tls] ``` We currently don't support proxying or generating db-specific config files. See #11596 for an `identityfile` implementation that can help. Additionally, we don't currently have a `tsh proxy` equivalent so the legacy MySQL handlers need to be enabled, which is not the case by default in Teleport 9. However, that same PR can export a tsh-compatible identity file for the datbase identity which can be passed along to `tsh -i ...` and presumably used with its proxy commands. We plan to follow-up with another PR to improve this UX. * Try to fix flaky test * Address review feedback * Update tool/tbot/renew.go Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Add special username checks for MongoDB and Redis Co-authored-by: Roman Tkachenko <roman@goteleport.com> Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a new destination-level config option to
tbot.yamlthat allows users to request database access for a particular destination certificate. Behind the scenes, this triggers generates two impersonated certs: the first identity is generated to request the specified roles and resolve the database config, then is replaced with a new identity using those roles plus a fully-formedRouteToDatabaserequest. We don't matchtsh's behavior here as the additional certs generated conceptually similar enough to Machine ID's multiple destinations - if users don't want a cert withRouteToDatabasethey can just add another destination with the same roles.Database requests are made by adding a destination entry like the following to
tbot.yaml:We currently don't support proxying or generating db-specific config files. See #11596 for an
identityfileimplementation that can help. Additionally, we don't currently have atsh proxyequivalent so the legacy MySQL handlers need to be enabled, which is not the case by default in Teleport 9. However, that same PR can export a tsh-compatible identity file for the datbase identity which can be passed along totsh -i ...and presumably used with its proxy commands. We plan to follow-up with another PR to improve this UX.If using MySQL/MariaDB with the legacy proxy handler exposed, this command should connect to the database:
Somewhat unrelatedly, this PR also moves most cert renewal-related code into a new file. It makes for an unpleasant diff, but it needed to happen eventually.