Merged
49 changes: 38 additions & 11 deletions docs/pages/database-access/guides/mysql-self-hosted.mdx
Expand Up @@ -54,8 +54,8 @@ which you'll need to enable mutual TLS on your MySQL server.
## Step 3/4. Configure MySQL/MariaDB

<Tabs>
<TabItem label="MySQL">
To configure MySQL to accept TLS connections, add the following to your
<TabItem label="MySQL">
To configure MySQL to accept TLS connections, add the following to your
MySQL configuration file, `mysql.cnf`:

```conf
Expand All @@ -65,9 +65,10 @@ ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key
```
</TabItem>
<TabItem label="MariaDB">
To configure MariaDB to accept TLS connections, add the following to your

</TabItem>
<TabItem label="MariaDB">
To configure MariaDB to accept TLS connections, add the following to your
MariaDB configuration file, `mysql.cnf`:

```conf
Expand All @@ -77,29 +78,55 @@ ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key
```
</TabItem>

</TabItem>
</Tabs>

Additionally, your MySQL/MariaDB database user accounts must be configured to require a
valid client certificate. If you're creating a new user:
valid client certificate.

<Tabs>
<TabItem label="New User">
Create a new user:

```sql
CREATE USER 'alice'@'%' REQUIRE SUBJECT '/CN=alice';
```

If you're updating an existing user:
By default, the created user may not have access to anything and won't be able
to connect, so let's grant it some permissions:

```sql
GRANT ALL ON `%`.* TO 'alice'@'%';
```

<Admonition type="warning">
This is an example command that grants database-wide permissions to a user.
In a production environment you should follow the principle of least privilege
</Admonition>
</TabItem>
<TabItem label="Existing User">

Because Teleport uses certificates to authenticate database users, the user must
not have a password set. Note that removing an existing user's password may break
existing integrations. Consider using a new Database user specifically for Teleport
access.

Update the existing user to require a valid certificate:

```sql
ALTER USER 'alice'@'%' REQUIRE SUBJECT '/CN=alice';
```

By default, the created user may not have access to anything and won't be able
to connect, so let's grant it some permissions:
Remove the password from the user:

```sql
GRANT ALL ON `%`.* TO 'alice'@'%';
SET PASSWORD FOR 'alice'@'%' = PASSWORD("");
```

</TabItem>
</Tabs>

See
[Configuring MySQL to Use Encrypted Connections](https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html)
in the MySQL documentation or
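Review bot: `SET PASSWORD FOR 'alice'@'%' = PASSWORD("");` in the Existing User tab will fail on MySQL 8.0, where the `PASSWORD()` function has been removed (deprecated since 5.7.6), and the paragraph right below this hunk links readers to the 8.0 reference manual. Since the server-side steps above are already split into MySQL and MariaDB tabs, either split this command the same way or use a form both engines accept, e.g. `ALTER USER 'alice'@'%' IDENTIFIED BY '';` (MySQL 5.7.6+, MariaDB 10.2+). Two small style points: the Admonition in the New User tab is missing its closing period after "principle of least privilege", and "a new Database user" in the Existing User tab should be lowercase "database".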