Ability to select database roles for auto-user-provisioning database session #35566
Comments
Database roles can also impose restrictions on a user, so I wonder if this feature should be opt-in? Otherwise a user may sidestep the restrictions by skipping a particular role.
@Tener that's a good point. At least for MongoDB,
Hmm, looking into Postgres in particular: https://www.postgresql.org/docs/current/role-attributes.html There is "connection limit", but I think the maximum one will be taken from multiple roles, so dropping a role can only limit you. A connection limit is not a very strong limitation anyway. Otherwise I think the roles in Postgres are designed to be "positive/allow", rather than "negative/deny".
@jentfoo @r0mant what are your thoughts on this? To maintain current behaviour and be safe, a new role option like
@greedy52 It may be difficult for customers to know when this option would be safe to use or not. I thought Database Permission Management was the path we were using to reduce this friction. When that RFD lands, will this feature still be generally useful?
If we want to introduce this, maybe naming the option It adds more options, but if db roles could be marked as required (and unable to be excluded using this option), then it could provide all the options an administrator needs to ensure deny actions are enforced. In documentation we would probably describe it as only necessary if the role is restricting access.
@jentfoo Could you confirm that it would be a security concern if we do not add any additional flags at all, and just always allow a user to pick a subset of the db roles assigned? Would rather be simple if possible. (I assume the answer is yes, it's a concern, but really want your opinion)
Sounds good. I will add a note to the guide on this. Something like: if any role is meant to restrict permissions, assign that role to every role in
What would you like Teleport to do?
When using the auto-user provisioning feature, be able to select a subset of the allowed database roles for a database session, e.g.:
What problem does this solve?
A Teleport user may be granted multiple database roles for a given database. When the Database Service provisions the user, it tries to assign all allowed database roles and fails the session if any of those roles do not exist on the database.
If a workaround exists, please include it.
Teleport roles can be carefully crafted so that they only match the databases that have these roles preset in the database. This is not feasible when no common database roles exist across a large number of databases.
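As an added illustration of the check debated in the comments (not Teleport's own code): a requested subset must stay within the db_roles the user's Teleport roles allow, and a hypothetical "required" marking keeps a role that restricts access from being dropped. The TeleportRole type and its RequiredDB field are assumptions for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// TeleportRole is an assumed, minimal model of a Teleport role (not the real
// type): the database roles it allows (spec.allow.db_roles) and, as the
// hypothetical extension proposed in the thread, which of those are required.
type TeleportRole struct {
	DBRoles    []string
	RequiredDB []string
}

// ResolveDBRoles returns the database roles to provision for a session.
// An empty request keeps today's behaviour: every allowed role is assigned.
// A non-empty request must be a subset of the allowed roles and must keep
// every required role, so a role that restricts access cannot be skipped.
func ResolveDBRoles(roles []TeleportRole, requested []string) ([]string, error) {
	allowed, required := map[string]bool{}, map[string]bool{}
	for _, r := range roles {
		for _, d := range r.DBRoles {
			allowed[d] = true
		}
		for _, d := range r.RequiredDB {
			required[d] = true
		}
	}
	if len(requested) == 0 { // current behaviour: assign every allowed role
		for d := range allowed {
			requested = append(requested, d)
		}
		sort.Strings(requested)
		return requested, nil
	}
	chosen := map[string]bool{}
	for _, d := range requested {
		if !allowed[d] {
			return nil, fmt.Errorf("database role %q is not allowed by any Teleport role", d)
		}
		chosen[d] = true
	}
	for d := range required { // a restrictive role cannot be sidestepped
		if !chosen[d] {
			return nil, fmt.Errorf("required database role %q cannot be excluded", d)
		}
	}
	return requested, nil
}
```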