Database Access Controls

[smallinsky]

What Would You Like Teleport to Do?

We'd like Teleport to provide the capability to configure database user permissions directly from within Teleport. At present, when a new database user is added, the sole method to grant that user database permissions is through the database's internal permission model. This involves logging into the database and assigning specific permissions, creating redundancy with Teleport's RBAC Permission model.

With the introduction of Database Auto User Provisioning, Teleport now possesses the ability to auto-configure users and grant predetermined permissions by assigning them to the appropriate database groups.

Investigate into transitioning the database permission model to one where Teleport can automatically manage user permissions based on Teleport's internal Permission model. This functionality should be configurable through Teleport's RBAC and Access Graph features.

[Tener]

@r0mant @greedy52

Here is the current status of this project along with the upcoming tasks.

1. RFD, approved and implemented: https://github.com/gravitational/teleport/pull/33734
2. The first version was implemented with Postgres tables in scope. There were several prerequisites:
   • https://github.com/gravitational/teleport/pull/37795
   • https://github.com/gravitational/teleport/pull/37797
   • https://github.com/gravitational/teleport/pull/37798
   • https://github.com/gravitational/teleport/pull/37803
   • https://github.com/gravitational/teleport/pull/37806
   • https://github.com/gravitational/teleport/pull/37907
   • https://github.com/gravitational/teleport/pull/37909
   • https://github.com/gravitational/teleport/pull/37910
3. Finally, the RFD implementation landed in https://github.com/gravitational/teleport/pull/37808
4. An further extension for label templates was added https://github.com/gravitational/teleport/pull/38630

Next steps:

• Documentation: https://github.com/gravitational/teleport/pull/39109
• Additional events: https://github.com/gravitational/teleport/pull/39394
• PostHog: https://github.com/gravitational/teleport/issues/39018 https://github.com/gravitational/teleport/pull/39841
• [ ] IaC support (on hold).
• [ ] E2E tests following https://github.com/gravitational/teleport/pull/40065

The TAG integration is the next phase, currently split into following implementation tasks:

• [x] https://github.com/gravitational/teleport/pull/39756
• [ ] Store imported database objects on tsh db connect
• [x] Cache database_object_import_rule resources.
• [ ] Periodically import all database objects from all databases.
• [x] Export database objects to TAG (Teleport side)
• [x] Import database objects from Teleport (TAG side):
  • [x] Dispatch from stream
  • [x] Implement db permissions RBAC
  • [x] Store new nodes and edges in the database
• [x] Update TAG UI to show database objects

[greedy52]

Roman has brought up the idea of passing labels from db_server to db objects. What are your thoughts on it?

[Tener]

Roman has brought up the idea of passing labels from db_server to db objects. What are your thoughts on it?

This sounds vaguely useful, but I'm not sure what the exact use case would be.

I'm wary of copying all labels as is; this feels like a fragile setup. Instead, we could extend the templates to allow another variable, say: {{ db.environment }}. This way the user has full control of what is copied from the db_server.

[r0mant]

@greedy52 @Tener Let's not worry about this for now.

[greedy52]

FYI E2E auto-user provisioning test is added now https://github.com/gravitational/teleport/pull/40065. We should add tests for Database Access Controls at some point.