InfoGrab Docs

Amazon Redshift Automatic User Provisioning

Summary

Teleport can automatically create users in your database, removing the need for creating individual user accounts in advance or using the same set of shared database accounts for all users.

Prerequisites

  • A Teleport cluster with an Amazon Redshift database configured.
  • Permissions to connect to the target database and create user accounts.

Supported services

Automatic user provisioning is not compatible with Redshift Serverless.

Step 1/3. Configure the database admin user

When connecting as the admin user, Teleport uses the same authentication mechanism (IAM authentication) as for regular user connections.

The admin user must have permissions to create users and grant privileges within the database. It must also be able to monitor user processes and role assignments:

CREATE USER "teleport-admin" WITH PASSWORD DISABLE;
GRANT ROLE "sys:superuser" TO "teleport-admin";

Users created by Teleport are assigned the teleport-auto-user role in the database; the role is created automatically if it does not exist.

Next, configure the database admin user in the Teleport database configuration:

kind: db
version: v3
metadata:
  name: example
spec:
  protocol: "postgres"
  uri: "redshift-cluster-1.abcdefghijklm.us-east-1.redshift.amazonaws.com:5439"
  admin_user:
    name: "teleport-admin"

This example assumes that you have configured the database as a dynamic resource. If you have configured your database using a static Teleport Database Service configuration, edit the entry in your db_service.databases configuration.

For auto-discovered cloud databases, the name of the admin user is taken from the teleport.dev/db-admin label.

Step 2/3. Configure a Teleport role

To specify the database roles a user should be assigned within the database, use the db_roles role option:

kind: role
version: v7
metadata:
  name: auto-db-users
spec:
  options:
    # create_db_user_mode enables automatic user provisioning for matching databases
    create_db_user_mode: keep
  allow:
    db_labels:
      "*": "*"
    db_names:
    - "*"
    # db_roles is a list of roles the database user will be assigned
    db_roles:
    - reader
    - "{{internal.db_roles}}"
    - "{{external.db_roles}}"


Users created within the database are set up as follows:

  • They have the same username as the authenticated Teleport user.
  • They are assigned the teleport-auto-user role.
  • They are assigned all roles from the Teleport user's role set that match the database. Role names must be valid and must exist in the database.

Note that in case of a name conflict where a user with the same name already exists in the database and is not managed by Teleport (i.e. not assigned the teleport-auto-user role), the connection will be aborted.
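As an added illustration (not Teleport's own code), the following Python models the provisioning rules stated above so an operator can check what a given database state would yield: same username as the Teleport user, the teleport-auto-user marker role created on demand, every requested role required to already exist, and an unmanaged name conflict aborting the connection. The in-memory database state, the exact statement text and the WITH PASSWORD DISABLE clause for auto-created users are assumptions of this example.

```python
"""Model of Teleport auto-user-provisioning decisions for a Redshift database.

Constructed example, not Teleport's implementation: it applies the rules this page
states and returns either the SQL an admin connection would need or an abort reason.
"""
from dataclasses import dataclass, field

AUTO_USER_ROLE = "teleport-auto-user"  # marker role Teleport assigns to managed users


@dataclass
class RedshiftState:
    """Constructed snapshot of a database: user name -> granted roles, plus existing roles."""
    users: dict[str, set[str]] = field(default_factory=dict)
    roles: set[str] = field(default_factory=set)


def provision(db: RedshiftState, teleport_user: str, db_roles: list[str]) -> dict:
    """Decide create / reuse / abort for a connection by teleport_user requesting db_roles."""
    # Rule: every role from db_roles must already exist in the database.
    missing = [r for r in db_roles if r not in db.roles]
    if missing:
        return {"action": "abort", "reason": f"roles do not exist in database: {missing}"}

    stmts: list[str] = []
    if AUTO_USER_ROLE not in db.roles:
        # Rule: the marker role is created automatically when absent.
        stmts.append(f'CREATE ROLE "{AUTO_USER_ROLE}";')
        db.roles.add(AUTO_USER_ROLE)

    existing = db.users.get(teleport_user)
    if existing is None:
        # Rule: the database user gets the same name as the Teleport user.
        # Assumption: no password, since IAM authentication is used (as for the admin user).
        stmts.append(f'CREATE USER "{teleport_user}" WITH PASSWORD DISABLE;')
        db.users[teleport_user] = set()
        action = "create"
    elif AUTO_USER_ROLE not in existing:
        # Rule: a pre-existing user without the marker role is not managed by Teleport -> abort.
        return {"action": "abort", "reason": f'"{teleport_user}" exists and is not managed by Teleport'}
    else:
        action = "reuse"

    # Grant the marker role plus every requested role that is not yet held.
    for role in [AUTO_USER_ROLE, *db_roles]:
        if role not in db.users[teleport_user]:
            stmts.append(f'GRANT ROLE "{role}" TO "{teleport_user}";')
            db.users[teleport_user].add(role)
    return {"action": action, "statements": stmts}
```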

Step 3/3. Connect to the database

Now, log into your Teleport cluster and connect to the database:

$ tsh login --proxy=teleport.example.com
$ tsh db connect --db-name <database> example

To view the list of database roles that are allowed for each database, you can use the command tsh db ls -v. By default, all database roles will be assigned to your auto-provisioned database user. You can optionally select a subset of the database roles with --db-roles:

$ tsh db connect --db-name <database> --db-roles reader example

Troubleshooting

Use your mapped remote username error

You may encounter the following error when connecting to a database in a remote cluster:

> tsh db connect --db-name <database> example
ERROR: please use your mapped remote username ("remote-<your-teleport-username>-<root-cluster-name>") to connect instead of "<database-user>"

When you access resources in a remote cluster, the remote cluster receives the name remote-<your-teleport-username>-<root-cluster-name> from the local cluster. This prevents naming collisions with users in the remote cluster. Use the username from the error message as the database username when connecting through tsh or GUI clients.

Unable to cancel a query

If you use a PostgreSQL CLI client like psql and try to cancel a query with Ctrl+C but the query is not cancelled, you need to connect using a tsh local proxy instead. When psql cancels a query, it establishes a new connection without TLS certificates; however, Teleport requires TLS certificates not only for authentication but also to route database connections.

If you enable TLS Routing in Teleport then tsh db connect will automatically start a local proxy for every connection. Alternatively, you can connect via Teleport Connect which also uses a local proxy. Otherwise, you need to start a tsh local proxy manually using tsh proxy db and connect via the local proxy.

If you have already started a long-running query in a psql session that you cannot cancel with Ctrl+C, you can start a new client session to cancel that query manually:

First, find the query's process identifier (PID):

SELECT pid,starttime,duration,trim(user_name) AS user,trim(query) AS query FROM stv_recents WHERE status = 'Running';

Next, gracefully cancel the query using its PID. This will send a SIGINT signal to the postgres backend process for that query:

SELECT pg_cancel_backend(<PID>);

You should always try to gracefully terminate a query first, but if graceful cancellation is taking too long, then you can forcefully terminate the query instead. This will send a SIGTERM signal to the postgres backend process for that query:

SELECT pg_terminate_backend(<PID>);

See the PostgreSQL documentation on admin functions for more information about the pg_cancel_backend and pg_terminate_backend functions.

SSL SYSCALL error

You may encounter the following error when your local psql is not compatible with newer versions of OpenSSL:

$ tsh db connect --db-user postgres --db-name postgres postgres
psql: error: connection to server at "localhost" (::1), port 12345 failed: Connection refused
    Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 12345 failed: SSL SYSCALL error: Undefined error: 0

Please upgrade your local psql to the latest version.

Next steps