Database Access Controls

[smallinsky]

What Would You Like Teleport to Do?

We'd like Teleport to provide the capability to configure database user permissions directly from within Teleport. At present, when a new database user is added, the sole method to grant that user database permissions is through the database's internal permission model. This involves logging into the database and assigning specific permissions, creating redundancy with Teleport's RBAC Permission model.

With the introduction of Database Auto User Provisioning, Teleport now possesses the ability to auto-configure users and grant predetermined permissions by assigning them to the appropriate database groups.

Investigate into transitioning the database permission model to one where Teleport can automatically manage user permissions based on Teleport's internal Permission model. This functionality should be configurable through Teleport's RBAC and Access Graph features.

[Tener]

@r0mant @greedy52

Here is the current status of this project along with the upcoming tasks.

1. RFD, approved and implemented: RFD 151: Database Permission Management #33734
2. The first version was implemented with Postgres tables in scope. There were several prerequisites:

• Add database object and database object import rule types #37795
• Add DatabasePermissions field to role #37797
• Add db.session.permissions.update event #37798
• Generic service adapter for RFD 153-style resources #37803
• Implement persistence for db_object_import_rule resource #37806
• Make resource helpers strict #37907
• Fix default expiry for timestamp-based RFD 153-style resources #37909
• Add missing error checks for against backend operations #37910

3. Finally, the RFD implementation landed in Implement granular db permissions for Postgres (RFD 151) #37808
4. An further extension for label templates was added Implement label templates for db objects #38630

Next steps:

• Documentation: [docs] Database Access Controls #39109
• Additional events: Add events for auto user provisioning #39394
• PostHog: Implement PostHog for database permissions, auto user provisioning #39018 Add usage events for database user provisioning #39841
• IaC support (on hold).
• E2E tests following update AWS RDS db e2e tests #40065

The TAG integration is the next phase, currently split into following implementation tasks:

• Implement persistence for database_object resource #39756
• Store imported database objects on tsh db connect
• Cache database_object_import_rule resources.
• Periodically import all database objects from all databases.
• Export database objects to TAG (Teleport side)
• Import database objects from Teleport (TAG side):
  • Dispatch from stream
  • Implement db permissions RBAC
  • Store new nodes and edges in the database
• Update TAG UI to show database objects

[greedy52]

Roman has brought up the idea of passing labels from db_server to db objects. What are your thoughts on it?

[Tener]

Roman has brought up the idea of passing labels from db_server to db objects. What are your thoughts on it?

This sounds vaguely useful, but I'm not sure what the exact use case would be.

I'm wary of copying all labels as is; this feels like a fragile setup. Instead, we could extend the templates to allow another variable, say: {{ db.environment }}. This way the user has full control of what is copied from the db_server.

[r0mant]

@greedy52 @Tener Let's not worry about this for now.

[greedy52]

FYI E2E auto-user provisioning test is added now #40065. We should add tests for Database Access Controls at some point.

[zmb3]

Anything left to do here or can this be closed?

[Tener]

I think we can close. There is always more work to do, but the scope #32627 (comment) is covered.