Database Automatic User Provisioning support for Redshift#33307
Tener
left a comment
Sorry, I missed this one; uppercase scripts were a pure nit, so my intent was to approve prior to this change.
| @@ -0,0 +1,40 @@ | |||
| CREATE OR REPLACE PROCEDURE teleport_activate_user(username varchar, roles text) | |||
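Review bot: `roles text` packs several role names into one string, so the procedure must split and quote each element itself; a header comment above `CREATE OR REPLACE PROCEDURE teleport_activate_user(username varchar, roles text)` should state the delimiter and that every element goes through QUOTE_IDENT, since, as the thread below shows, quoting defects only become visible for names that are not all lowercase.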
nit: can we move the SQL scripts to a separate directory postgres/assets? (not necessary in this PR)
I planned to suggest the same, except I had postgres/sql in mind.
| -- Otherwise reactivate the user, but first strip it of all roles to | ||
| -- account for scenarios with left-over roles if database agent crashed | ||
| -- and failed to cleanup upon session termination. | ||
| CALL teleport_deactivate_user(username); |
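Review bot: this CALL runs before the roles are re-granted, and the PR summary describes deactivation as locking the account through the connection limit, so a reactivated user is briefly locked and a failure after this point leaves it deactivated rather than partially provisioned; that is the safe outcome, but the comment should say so explicitly instead of only mentioning left-over roles.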
I got the following error from the teleport_activate_user procedure call in a fresh Redshift setup during testing:
tsh db connect --db-user=marek --db-name=dev marek-redshift-cluster-1
psql: error: connection to server at "localhost" (::1), port 54170 failed: Connection refused
Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 54170 failed: your Teleport role requires automatic database user provisioning but an attempt to activate database user "marek" failed due to the following error: ERROR: user "marek" does not exist (SQLSTATE 42704)
Also when I tried to call teleport_activate_user manually:

dev=# select * from pg_user;
usename | usesysid | usecreatedb | usesuper | usecatupd | passwd | valuntil | useconfig
----------------+----------+-------------+----------+-----------+----------+----------+-----------
rdsdb | 1 | t | t | t | ******** | infinity |
admin | 100 | t | t | f | ******** | |
teleport-admin | 101 | f | f | f | ******** | |
dev=# select * from SVV_ROLES;
role_id | role_name | role_owner | external_id
---------+--------------------+----------------+-------------
105587 | sys:operator | rdsdb |
105588 | sys:monitor | rdsdb |
105589 | sys:dba | rdsdb |
105590 | sys:secadmin | rdsdb |
105591 | sys:superuser | rdsdb |
106245 | role1 | admin |
106246 | role2 | admin |
106247 | role3 | admin |
106248 | teleport-auto-user | teleport-admin |
@greedy52 Am I missing something?
Seems caused by missing spaces. Fixed in dc1cdc4.
Could you give it a try?
This is so weird that it worked for my user STeve. I think because QUOTE_IDENT has no effect on usernames with only lower case. Even then, we are supposed to see CREATE USER fail first before the grant. I played around a little bit more but so far it seems just Redshift weirdness. The doc didn't say much either.
Yes, after dc1cdc4 my setup works. Thanks for the alignment.
* Database Automatic User Provisioning support for Redshift
* capitalize sql script
* DeleteUser to fallback to deactivate.
* add TPxxx code to RAISE messages
* fix missing space in scripts
* Database Automatic User Provisioning support for Redshift (#33307)
  * Database Automatic User Provisioning support for Redshift
  * capitalize sql script
  * DeleteUser to fallback to deactivate.
  * add TPxxx code to RAISE messages
  * fix missing space in scripts
* feat(postgres): support auto-provisioned user deletion Redshift (#34006)
---------
Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com>
Part of:
Related:
Summary
execute
raise exception to generate errors
connection limit to lock/unlock the account (client sees FATAL: too many connections for user "STeve" if it attempts to login)
User has active connections and roles have changed
Manual testing setup example
1. Configure Redshift
Log in as a superuser, create teleport-admin:
Generate a few roles for testing:
2. Configure Teleport
Create a Teleport role for auto-user and assign it to your Teleport user, ex:
Use auto-discovery to register the Redshift database. Make sure the teleport.dev/db-admin resource tag is set to teleport-admin.
3. Connect
tsh login
tsh db connect --db-user <teleport-user> --db-name test steve-redshift
select * from svv_user_grants
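As an added illustration of the mechanics listed in the summary (dynamic EXECUTE with QUOTE_IDENT, RAISE EXCEPTION with a TP code, CONNECTION LIMIT to lock and unlock), here is a minimal Redshift procedure pair; it is not the scripts from this PR. The names demo_activate_user / demo_deactivate_user, the comma-separated roles format and the TP001 code are assumptions.

```sql
-- Deactivate: lock via connection limit, then strip every role.
CREATE OR REPLACE PROCEDURE demo_deactivate_user(username varchar)
LANGUAGE plpgsql
AS $$
DECLARE
    g record;
BEGIN
    -- New logins now fail with "FATAL: too many connections for user";
    -- existing sessions are not terminated.
    EXECUTE 'ALTER USER ' || QUOTE_IDENT(username) || ' CONNECTION LIMIT 0';
    -- Revoke all roles so a crashed agent cannot leave grants behind.
    FOR g IN SELECT role_name FROM svv_user_grants WHERE user_name = username LOOP
        EXECUTE 'REVOKE ROLE ' || QUOTE_IDENT(g.role_name)
             || ' FROM ' || QUOTE_IDENT(username);
    END LOOP;
END;
$$;

-- Activate: create or unlock the user, then grant the requested roles.
CREATE OR REPLACE PROCEDURE demo_activate_user(username varchar, roles text)
LANGUAGE plpgsql
AS $$
DECLARE
    r text;
    i int;
BEGIN
    IF EXISTS (SELECT 1 FROM pg_user WHERE usename = username) THEN
        -- Reactivation: clear stale roles first, then unlock.
        CALL demo_deactivate_user(username);
        EXECUTE 'ALTER USER ' || QUOTE_IDENT(username) || ' CONNECTION LIMIT UNLIMITED';
    ELSE
        -- IAM-authenticated user, so no password is stored.
        EXECUTE 'CREATE USER ' || QUOTE_IDENT(username) || ' PASSWORD DISABLE';
    END IF;
    -- roles is comma separated (assumption). Note the space inside every
    -- literal: dropping one yields the kind of failure seen in this thread.
    FOR i IN 1..regexp_count(roles, ',') + 1 LOOP
        r := trim(split_part(roles, ',', i));
        CONTINUE WHEN r = '';
        IF NOT EXISTS (SELECT 1 FROM svv_roles WHERE role_name = r) THEN
            -- TP-prefixed code mirrors the PR's RAISE convention (number assumed).
            RAISE EXCEPTION 'TP001: role % does not exist', r;
        END IF;
        EXECUTE 'GRANT ROLE ' || QUOTE_IDENT(r) || ' TO ' || QUOTE_IDENT(username);
    END LOOP;
END;
$$;
```

Run as the admin user (teleport-admin in the setup above) and check the result with select * from svv_user_grants, as in step 3.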