update

gravitational · Sep 27, 2021 · 5e7931f · 5e7931f
1 parent 89a15c9
commit 5e7931f
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 20 deletions.
diff --git a/lib/srv/db/common/role/role.go b/lib/srv/db/common/role/role.go
@@ -24,7 +24,7 @@ import (
 // DatabaseRoleMatchers returns role matchers based on the database protocol.
 func DatabaseRoleMatchers(dbProtocol string, user, database string, labels map[string]string) services.RoleMatchers {
 	switch dbProtocol {
-	case defaults.ProtocolPostgres:
+	case defaults.ProtocolMySQL:
 		// In MySQL, unlike Postgres, "database" and "schema" are the same thing
 		// and there's no good way to prevent users from performing cross-database
 		// queries once they're connected, apart from granting proper privileges

diff --git a/lib/srv/db/mongodb/engine.go b/lib/srv/db/mongodb/engine.go
@@ -191,7 +191,7 @@ func (e *Engine) authorizeClientMessage(sessionCtx *common.Session, message prot
 	dbRoleMatchers := role.DatabaseRoleMatchers(
 		defaults.ProtocolMongoDB,
 		sessionCtx.DatabaseUser,
-		sessionCtx.DatabaseName,
+		database,
 		sessionCtx.Database.GetAllLabels(),
 	)
 	err := sessionCtx.Checker.CheckAccessToDatabase(sessionCtx.Database,

diff --git a/tool/tsh/db.go b/tool/tsh/db.go
@@ -165,25 +165,21 @@ func fetchDatabaseCreds(cf *CLIConf, tc *client.TeleportClient) error {
 	defer cluster.Close()
 
 	for _, db := range profile.Databases {
-		if false {
-			mfaResp, err := cluster.IsMFARequired(cf.Context, &proto.IsMFARequiredRequest{
-				Target: &proto.IsMFARequiredRequest_Database{
-					Database: &proto.RouteToDatabase{
-						ServiceName: db.ServiceName,
-						Protocol:    db.Protocol,
-						Username:    cf.Username,
-						Database:    db.Database,
-					},
+		mfaResp, err := cluster.IsMFARequired(cf.Context, &proto.IsMFARequiredRequest{
+			Target: &proto.IsMFARequiredRequest_Database{
+				Database: &proto.RouteToDatabase{
+					ServiceName: db.ServiceName,
+					Protocol:    db.Protocol,
+					Username:    cf.Username,
+					Database:    db.Database,
 				},
-			})
-			if err != nil {
-				return trace.Wrap(err)
-			}
-			if mfaResp.GetRequired() {
-				// Skip DB if databaseLogin command will require MFA.
-				// to prevent MFA prompt during tsh db ls command where DB certs are refreshed.
-				continue
-			}
+			},
+		})
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		if mfaResp.GetRequired() {
+			continue
 		}
 		if err := databaseLogin(cf, tc, db, true); err != nil {
 			log.WithError(err).Errorf("Failed to fetch database access certificate for %s.", db)