Database Automatic User Provisioning support for self-hosted MongoDB

[greedy52]

Part of #27323

changelog: Database Automatic User Provisioning support for self-hosted MongoDB

Implemented as RFD: #33750

Testing:

• Modes
  • keep
  • drop
• Single self-hosted MongoDB
  • Mongo 7.0
  • Mongo 6.0
  • Mongo 5.0
  • Mongo 4.4
  • Mongo 4.2
  • Mongo 4.0

Manual testing example

1. Configure self-hosted MongoDB

Setup a self-hosted MongoDB. Sample docker setup
https://github.com/greedy52/teleport-database-test-setup/tree/main/mongo

Log into the database as the default admin, for ex:

docker exec -it mongo mongosh -u mongoadmin -p secret

Create the role for teleport-admin:

db.getSiblingDB("admin").runCommand({
    createRole: "teleport-admin-role",
    privileges: [
        { resource: { cluster: true }, actions: [ "inprog" ] },
        { resource: { db: "", collection: "" }, actions: [ "grantRole", "revokeRole" ] },
        { resource: { db: "$external", "collection": "" }, actions: [ "createUser", "updateUser", "dropUser", "viewUser", "setAuthenticationRestriction", "changeCustomData"] },
    ],
    roles: [],
})

Create teleport-admin user:

db.getSiblingDB("$external").runCommand({
  createUser: "CN=teleport-admin",
  roles: [ { role: 'teleport-admin-role', db: 'admin' } ],
})

Create a custom role for testing:

db.getSiblingDB("test").createRole({role: "my-custom-role", privileges:[], roles:[]});

2. Configure Teleport

Create a Teleport role for auto-user and assign it to your Teleport user, ex:

kind: role
version: v6
metadata:
  name: mongo-auto-user
spec:
  options:
    create_db_user_mode: keep
  allow:
    db_labels:
      automongo: "true"
    db_names:
    - "*"
    db_roles:
    - read@test2
    - readWrite@test
    - my-custom-role@test

Assign the role to your User.

Create a database:

  - name: "self-hosted-mongo-auto"
    protocol: "mongodb"
    uri: "localhost:27017"
    static_labels:
      automongo: "true"
    admin_user:
      name: "teleport-admin"

3. Connect

• tsh login
• tsh db connect --db-user <teleport-user> --db-name test self-hosted-mongo-auto

test> db.users.insertOne({name:"steve", age: 99})
{
  acknowledged: true,
  insertedId: ObjectId("...")
}
test> use $external
$external> db.getUser("CN=<teleport-user>",{showCustomData:1})
{
  _id: '$external.CN=<teleport-user>',
  userId: new UUID("..."),
  user: 'CN=STeve',
  db: '$external',
  customData: { 'teleport-auto-user': true },
  roles: [
    { role: 'readWrite', db: 'test' },
    { role: 'read', db: 'test2' },
    { role: 'my-custom-role', db: 'test' }
  ],
  mechanisms: [ 'external' ]
}

The change is ready but waiting for #34132 to merge before open for review.
Also need #34271 to show proper error messages when setup is bad.

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[smallinsky]

Great job. Tested on my local setup without any issue. LGTM

[smallinsky]

Probably there is a corner case during CA rotation where a shared client should be reused but a connection needs to be recreated but this should be really narrow case.

[greedy52]

Good catch. During a rotation, the server should be restarted with a new configuration so the connection will be dead. The connection could be killed for other reasons as well.

Let me try to add a check on whether the shared client is dead after getting it from the cache. If so, just make a non-shared client.

[greedy52]

Seems the mongo client connection pool has the ability to reconnect even if i restarted mongo docker. So I will not handle that case.

As for the CA rotation case, users should understand that the connection may have issues during rotation. And it should self-heal after cache expires (one minute). I will leave a comment in the code for this case but not worth it to fix properly.

[gabrielcorado]

I've also tested with my local setup and everything worked as expected. Nice work.