Amazon Keyspaces(Apache Cassandra)를 이용한 데이터베이스 접근
Teleport can provide secure access to Amazon Keyspaces (Apache Cassandra) via the Teleport Database Service. In this guide, you will:
Teleport can provide secure access to Amazon Keyspaces (Apache Cassandra) via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.
In this guide, you will:
- Configure your Amazon Keyspaces (Apache Cassandra) database IAM 인증을 사용하여.
- Add the database to your Teleport cluster.
- Connect to the database via Teleport.
작동 원리#
The Teleport Database Service uses IAM authentication to communicate with Amazon Keyspaces. When a user connects to the database via Teleport, the Teleport Database Service obtains AWS credentials and authenticates to AWS as an IAM principal with permissions to access the database.
필수 조건#
-
A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctlandtshclients.Installing `tctl` and `tsh` clients
-
Determine the version of your Teleport cluster. The
tctlandtshclients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at/v1/webapi/findand use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:$ TELEPORT_DOMAIN= $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" -
Follow the instructions for your platform to install
tctlandtshclients:
-
- IAM 정책을 생성하고 연결할 권한이 있는 Amazon Keyspaces 데이터베이스를 포함한 AWS 계정
cqlshCassandra 클라이언트가 설치되어 시스템의PATH환경 변수에 추가된 상태- Teleport 데이터베이스 서비스를 실행할 호스트 (예: Amazon EC2 인스턴스)
To check that you can connect to your Teleport cluster, sign in with tsh login, then
verify that you can run tctl commands using your current credentials.
For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:
$ tsh login --proxy= --user=
$ tctl status
# Cluster (=teleport.url=)
# Version (=teleport.version=)
# CA pin (=presets.ca_pin=)
If you can connect to the cluster and run the tctl status command, you can use your
current credentials to run subsequent tctl commands from your workstation.
If you host your own Teleport cluster, you can also run tctl commands on the computer that
hosts the Teleport Auth Service for full permissions.
1/5단계. Teleport 데이터베이스 서비스 설정#
The Database Service requires a valid join token to join your Teleport cluster.
Run the following tctl command and save the token output in /tmp/token
on the server that will run the Database Service:
$ tctl tokens add --type=db --format=text
(=presets.tokens.first=)
Alternative methods
For users with a lot of infrastructure in AWS, or who might create or recreate many instances, consider alternative methods for joining new EC2 instances running Teleport:
To install a Teleport Agent on your Linux server:
The recommended installation method is the cluster install script. It will select the correct version, edition, and installation mode for your cluster.
-
Assign to your Teleport cluster hostname and port, but not the scheme (https://).
-
Run your cluster's install script:
$ curl "https:///scripts/install.sh" | sudo bash
Teleport 프록시 서비스의 주소를 --proxy 플래그에 지정하여 Teleport 데이터베이스 서비스 구성을 생성합니다:
$ sudo teleport db configure create \
-o file \
--token=/tmp/token \
--proxy=teleport.example.com:443 \
--name=keyspaces \
--protocol=cassandra \
--aws-account-id=12345678912 \
--aws-region=us-east-1 \
--labels=env=dev
Teleport 프록시 서비스의 주소를 --proxy 플래그에 지정하여 Teleport 데이터베이스 서비스 구성을 생성합니다:
$ sudo teleport db configure create \
-o file \
--token=/tmp/token \
--proxy=mytenant.teleport.sh:443 \
--name=keyspaces \
--protocol=cassandra \
--aws-account-id=12345678912 \
--aws-region=us-east-1 \
--labels=env=dev
Grant the Teleport Database Service access to credentials that it can use to authenticate to AWS.
- If you are running the Teleport Database Service on an EC2 instance, you may use the EC2 Instance Metadata Service method
- If you are running the Teleport Database Service in Kubernetes, you can use IAM Roles for Service Accounts (IRSA)
- Otherwise, you must use environment variables
Have multiple sources of AWS credentials?
Teleport's AWS client loads credentials from different sources in the following order:
- Environment Variables
- Shared credentials file
- Shared configuration file (Teleport always enables shared configuration)
- EC2 Instance Metadata (credentials only)
While you can provide AWS credentials via a shared credentials file or shared
configuration file, you will need to run the Teleport Database Service with the AWS_PROFILE
environment variable assigned to the name of your profile of choice.
If you have a specific use case that the instructions above do not account for, consult the documentation for the AWS SDK for Go for a detailed description of credential loading behavior.
Configure the Teleport Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Teleport Database Service.
You can check the status of the Teleport Database Service with systemctl status teleport
and view its logs with journalctl -fu teleport.
2/5단계. Teleport 사용자 생성#
| Flag | Description |
|---|---|
--roles |
List of roles to assign to the user. The builtin access role allows them to connect to any database server registered with Teleport. |
--db-users |
List of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user. |
--db-names |
List of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database. |
For more detailed information about database access controls and how to restrict access see RBAC documentation.
3/5단계. Amazon Keyspaces 역할 생성#
Keyspaces 사용자로 사용할 AWS IAM 역할을 생성합니다. IAM -> 액세스 관리 -> 역할로 이동합니다. 역할 생성을 클릭합니다.
AWS는 Keyspaces 사용자의 역할에 포함할 수 있는 AmazonKeyspacesReadOnlyAccess 및 AmazonKeyspacesFullAccess IAM 정책을 제공합니다.
Amazon Keyspaces에 대한 읽기 전용 액세스를 위해 AmazonKeyspacesReadOnlyAccess를 선택하거나, 전체 액세스를 위해 AmazonKeyspacesFullAccess를 선택할 수 있습니다.
AmazonKeyspacesReadOnlyAccess 및 AmazonKeyspacesReadOnlyAccess 정책은
의도한 것보다 너무 많거나 적은 액세스를 제공할 수 있습니다.
사용 계획이 있다면 이 정책들이 요구 사항을 충족하는지 검증하세요.
사용자 지정 Amazon Keyspaces 권한 정책을 직접 만들 수도 있습니다: Amazon Keyspaces ID 기반 정책 예제.
역할 이름을 입력하고 "역할 생성"을 클릭합니다.
4/5단계. Teleport에 역할 수임 권한 부여#
다음으로, Teleport 데이터베이스 서비스 인스턴스가 사용하는 IAM 역할 또는 IAM 사용자에게 다음 정책을 연결합니다. 이 정책은 데이터베이스 서비스가 IAM 역할을 수임할 수 있도록 허용합니다:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
]
}
와일드카드 대신 "Resource" 필드에 특정 IAM 역할 리소스 ARN을 제공하여 정책을 더 엄격하게 만들 수 있습니다.
5/5단계. 연결#
데이터베이스 서비스가 클러스터에 참가하면 로그인하여 사용 가능한 데이터베이스를 확인합니다:
$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name Description Allowed Users Labels Connect
# --------- ----------- ------------- ------- -------
# keyspaces [*] env=dev
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
# Name Description Allowed Users Labels Connect
# --------- ----------- ------------- ------- -------
# keyspaces [*] env=dev
데이터베이스 사용자로 KeyspacesReader AWS IAM Keyspaces 역할을 사용하여 특정 데이터베이스 인스턴스에 연결하려면:
$ tsh db connect --db-user=KeyspacesReader keyspaces
# Connected to Amazon Keyspaces at localhost:55084
# [cqlsh 6.0.0 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
# Use HELP for help.
# KeyspacesReader@cqlsh>
이 섹션의 내용은 원문 문서를 참조하세요. (proxy-db-tunnel.mdx)
데이터베이스에서 로그아웃하고 자격 증명을 제거하려면:
# 특정 데이터베이스 인스턴스의 자격 증명 제거.
$ tsh db logout keyspaces
# 모든 데이터베이스 인스턴스의 자격 증명 제거.
$ tsh db logout
추가 자료#
다음 단계#
-
Learn how to restrict access to certain users and databases.
-
View the High Availability (HA) guide.
-
Take a look at the YAML configuration reference.
-
See the full CLI reference.