Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split user keys for db access #44718

Merged
merged 1 commit into from
Aug 8, 2024
Merged

Split user keys for db access #44718

merged 1 commit into from
Aug 8, 2024

Conversation

nklaassen
Copy link
Contributor

@nklaassen nklaassen commented Jul 26, 2024
edited
Loading

This PR is part of the implementation of RFD 136.

The main change here is that tsh now uses a unique private key every time it gets a new db cert issued. This new key will use a signature algorithm according to the cluster's currently configured signature_algorithm_suite.

Changelog: Changed the certificate and private key file paths for application, database, and Kubernetes access.

@nklaassen nklaassen mentioned this pull request Jul 27, 2024
Closed
@nklaassen nklaassen marked this pull request as ready for review July 27, 2024 00:06
@github-actions github-actions bot added machine-id size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Jul 27, 2024
@nklaassen nklaassen added the no-changelog Indicates that a PR does not require a changelog entry label Jul 27, 2024
@gravitational gravitational deleted a comment from github-actions bot Jul 29, 2024
@nklaassen nklaassen mentioned this pull request Jul 29, 2024
Merged
@zmb3 zmb3 requested a review from greedy52 July 31, 2024 14:57
@nklaassen
Copy link
Contributor Author

friendly ping @greedy52 @timothyb89 @flyinghermit

flyinghermit
flyinghermit approved these changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@flyinghermit flyinghermit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only reviewed code level changes and those changes LGTM.

Please also get a review from database access team.

lib/client/profile.go Show resolved Hide resolved
@nklaassen nklaassen force-pushed the nklaassen/split-db-keys branch from 326dbba to f43a861 Compare August 6, 2024 19:03
greedy52
greedy52 approved these changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@greedy52 greedy52 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM. Thanks!

Several comments:

  1. Looks like lib/teleterm does not need an update? (as recently we changed it to use TLS cert in memory instead of paths

    teleport/lib/teleterm/clusters/cluster_databases.go

    Line 135 in 39b2d0f

    key, _, err := clusterClient.IssueUserCertsWithMFA(ctx, client.ReissueParams{
    )
  2. The team will test out all databases during release testing.
  3. Since some paths changed, this would be a breaking change for existing scripts that assumes the key/cert path. Might worth a small note on the release change log?

tool/tsh/common/db_test.go
@@ -441,7 +441,7 @@ func testDatabaseLogin(t *testing.T) {
}
args := append([]string{
// default --db-user and --db-name are selected from roles.
"db", "login",
"db", "login", "--insecure",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what happened here? =p

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I introduced a Ping that hits the proxy and requires --insecure flag for this test, mustLogin already used for the initial login uses --insecure as well

@nklaassen nklaassen removed the no-changelog Indicates that a PR does not require a changelog entry label Aug 6, 2024
@nklaassen
Copy link
Contributor Author

Overall LGTM. Thanks!

Several comments:

  1. Looks like lib/teleterm does not need an update? (as recently we changed it to use TLS cert in memory instead of paths

    teleport/lib/teleterm/clusters/cluster_databases.go

    Line 135 in 39b2d0f

    key, _, err := clusterClient.IssueUserCertsWithMFA(ctx, client.ReissueParams{

    )

Yep, looks like it's fine.

  1. The team will test out all databases during release testing.

Thanks! I'm counting on it

  1. Since some paths changed, this would be a breaking change for existing scripts that assumes the key/cert path. Might worth a small note on the release change log?

I'm planning to add a changelog entry for the whole "configurable algorithm suites" feature later, but these seems like a good point to mention the changed file paths, added a CL entry to the PR description

@nklaassen nklaassen force-pushed the nklaassen/split-db-keys branch from f43a861 to a57db58 Compare August 6, 2024 23:00
Base automatically changed from nklaassen/renames to master August 7, 2024 18:36
@nklaassen nklaassen force-pushed the nklaassen/split-db-keys branch from a57db58 to 951fe64 Compare August 7, 2024 23:09
@nklaassen nklaassen added this pull request to the merge queue Aug 8, 2024
Merged via the queue into master with commit 7906e13 Aug 8, 2024
37 checks passed
@nklaassen nklaassen deleted the nklaassen/split-db-keys branch August 8, 2024 01:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@greedy52 greedy52 greedy52 approved these changes

@flyinghermit flyinghermit flyinghermit approved these changes

@timothyb89 timothyb89 timothyb89 approved these changes

Assignees
No one assigned
Labels
machine-id size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nklaassen @timothyb89 @flyinghermit @greedy52