Open smallinsky opened 1 year ago
@r0mant @greedy52
Here is the current status of this project along with the upcoming tasks.
Next steps:
The TAG integration is the next phase, currently split into the following implementation tasks:
tsh db connect
database_object_import_rule resources.
Roman has brought up the idea of passing labels from db_server to db objects. What are your thoughts on it?
This sounds vaguely useful, but I'm not sure what the exact use case would be.
I'm wary of copying all labels as is; this feels like a fragile setup. Instead, we could extend the templates to allow another variable, say: {{ db.environment }}. This way the user has full control of what is copied from the db_server.
@greedy52 @Tener Let's not worry about this for now.
FYI E2E auto-user provisioning test is added now https://github.com/gravitational/teleport/pull/40065. We should add tests for Database Access Controls at some point.
What Would You Like Teleport to Do?
We'd like Teleport to provide the capability to configure database user permissions directly from within Teleport. At present, when a new database user is added, the sole method to grant that user database permissions is through the database's internal permission model. This involves logging into the database and assigning specific permissions, creating redundancy with Teleport's RBAC Permission model.
With the introduction of Database Auto User Provisioning, Teleport now possesses the ability to auto-configure users and grant predetermined permissions by assigning them to the appropriate database groups.
Investigate transitioning the database permission model to one where Teleport can automatically manage user permissions based on Teleport's internal Permission model. This functionality should be configurable through Teleport's RBAC and Access Graph features.