diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx
index 225df2a287f11..8251f6fa73d4b 100644
--- a/docs/pages/access-controls/reference.mdx
+++ b/docs/pages/access-controls/reference.mdx
@@ -120,6 +120,7 @@ The table below documents the behavior of each option if multiple roles are assi
 | `pin_source_ip` | Enable source IP pinning for SSH certificates. **Note:** IP pinning is currently in Preview mode | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination |
 | `cert_extensions` | Specifies extensions to be included in SSH certificates | |
 | `create_host_user_mode` | Allow users to be automatically created on a host | Logical "AND" i.e. if all roles matching a server specify host user creation (`off`, `drop`, `keep`), it will evaluate to the option specified by all of the roles. If some roles specify both `drop` or `keep` it will evaluate to `keep`|
+| `create_db_user_mode` | Allow [database user auto provisioning](../database-access/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed |
 ## Preset roles
diff --git a/docs/pages/database-access/auto-user-provisioning/mysql.mdx b/docs/pages/database-access/auto-user-provisioning/mysql.mdx
index 9feaa25f467e1..510235c9dd969 100644
--- a/docs/pages/database-access/auto-user-provisioning/mysql.mdx
+++ b/docs/pages/database-access/auto-user-provisioning/mysql.mdx
@@ -70,10 +70,6 @@ GRANT ALTER ROUTINE, CREATE ROUTINE, EXECUTE ON `teleport`.* TO 'teleport-admin'
 Users created by Teleport will be assigned the `teleport-auto-user` role in the database, which will be created automatically if it doesn't exist.
-Teleport will not delete the automatically created user at the end of the
-session. Instead, the user will be stripped of all roles and the user account
-will be locked.
-
 Next, enable the database admin on the Teleport Database Service configuration:
diff --git a/docs/pages/database-access/auto-user-provisioning/postgres.mdx b/docs/pages/database-access/auto-user-provisioning/postgres.mdx
index d426bcc836bbd..0be246c79dbac 100644
--- a/docs/pages/database-access/auto-user-provisioning/postgres.mdx
+++ b/docs/pages/database-access/auto-user-provisioning/postgres.mdx
@@ -69,10 +69,6 @@ to ensure that your configuration is correct.
 Users created by Teleport will be placed in the `teleport-auto-user` group in the database, which will be created automatically if it doesn't exist.
-Teleport will not delete the automatically created user at the end of the session.
-Instead, the user will be stripped of all roles, updated with `nologin` trait
-and reactivated during the next connection.
-
 Next, enable the database admin on the Teleport database configuration:
diff --git a/docs/pages/includes/database-access/auto-user-provisioning-common-teleport-role.mdx b/docs/pages/includes/database-access/auto-user-provisioning-common-teleport-role.mdx
index a0f59b550b82c..918a8e1a31657 100644
--- a/docs/pages/includes/database-access/auto-user-provisioning-common-teleport-role.mdx
+++ b/docs/pages/includes/database-access/auto-user-provisioning-common-teleport-role.mdx
@@ -8,8 +8,8 @@ metadata:
 name: auto-db-users
 spec:
 options:
- # create_db_user enables automatic user provisioning for matching databases
- create_db_user: true
+ # create_db_user_mode enables automatic user provisioning for matching databases
+ create_db_user_mode: keep
 allow:
 db_labels:
 "*": "*"
@@ -25,3 +25,14 @@ spec:
 With automatic user provisioning, users always connect to the database with their Teleport username so the `db_users` role field is ignored for roles that have database user provisioning enabled.
+
+The available provisioning modes are:
+
+* `off`: Disables user provisioning.
+
+* `keep`: Enables user provisioning and disables users at session end. The user
+ will be stripped of all roles and the user account will be locked.
+
+* `best_effort_drop`: Enables user provisioning and tries to drop user
+ at session end. If the drop fails, fallback to disabling them (same as `keep`
+ mode).
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
index 94df10f9c630d..84e7f5fe3860e 100644
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@@ -102,7 +102,11 @@ spec:
 # and off (disable host user creation)
 create_host_user_mode: drop
 # Controls whether this role requires automatic database user provisioning.
- create_db_user: true
+ # Options: off (disable database user auto-provisioning), keep (disables the
+ # user at session end, removing the roles and locking it), and
+ # best_effort_drop (try to drop the user at session end, if it doesn't
+ # succeed, fallback to disabling it).
+ create_db_user_mode: keep
 # Specifies role specific options for identity provider access.
 idp:
 # Specifies role specific options for SAML identity provider access.