Allow users impersonating database service generate database certs #7024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
r0mant
added
backport-required
database-access
smallinsky
approved these changes
May 25, 2021
xacrimon
approved these changes
May 25, 2021
This was referenced May 25, 2021
Joerger
approved these changes
May 25, 2021
|
@klizhentas I've updated to check for impersonation permissions for builtin system roles instead, as we discussed. Since impersonation requires both users and roles, users wishing to generate db certs would need to add the following permission in their role: impersonate:
roles:
- Db
users:
- DbPTAL. |
klizhentas
approved these changes
May 25, 2021
r0mant
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes the issue with users not being able to produce database certificates using
tctl auth sign --format=dbwith remote proxy: #6937. The effect of this issue is that it is basically impossible to connect self-hosted databases to the Cloud currently.Note: Here "database certificate" refers to the certificate that cluster admin uses to configure their self-hosted database instance with (signed with Teleport's host CA), not the client certificate issued during
tsh db login.Previously, we would only check for built-in roles
AdminandDatabasewhich is both inflexible and, arguably, less secure. With this change I introduced a separatedb_certresource kind we're checking for "create" permission on: rather than checking for "create" ondb_serveras proposed in the linked ticket, I decided that having a separate resource makes more sense and also this is in-line with how host certificates RBAC is checked - which is conceptually similar.Consequentially, I've updated our default
adminandeditoruser roles and built-inDatabaserole (used by database service agent) to include permission to generate these certificates.Closes #6937. Needs backport to v6.