Merged
Expand Up @@ -41,6 +41,19 @@ Note that the RDS database must have IAM authentication enabled.

Refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html) to make sure you are using the `rds_iam` role correctly.
for more information.

If the admin user needs to grant the `rds_superuser` role to auto-provisioned
users, the admin user must also be a `rds_superuser`:
```sql
GRANT rds_superuser TO "teleport-admin";
```

For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each
PostgreSQL role that Teleport will assign to your Teleport user. For example, to
allow the admin user to grant and revoke role `reader`:
```sql
GRANT reader TO "teleport-admin" WITH ADMIN OPTION;
```
</TabItem>
<TabItem label="Self-hosted PostgreSQL">
The self-hosted PostgreSQL admin user must have X.509 authentication configured.
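Review bot: the line `for more information.` that follows the rewritten AWS documentation sentence is a leftover fragment of the old wording; the new sentence already ends with `correctly.`, so the stray line should be deleted or the page will render as "...using the `rds_iam` role correctly. for more information."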
Expand All @@ -49,6 +62,13 @@ The self-hosted PostgreSQL admin user must have X.509 authentication configured.
CREATE USER "teleport-admin" login createrole;
```

For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each
PostgreSQL role that Teleport will assign to your Teleport user. For example, to
allow the admin user to grant and revoke role `reader`:
```sql
GRANT reader TO "teleport-admin" WITH ADMIN OPTION;
```

Note that the database must be configured to accept client certificate auth
for the admin user by having the following entries in `pg_hba.conf`:

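Review bot: the PostgreSQL 16+ paragraph and its `GRANT reader TO "teleport-admin" WITH ADMIN OPTION;` block are now duplicated verbatim between the RDS tab and this self-hosted tab; this page already pulls shared text in with `(!docs/pages/includes/... !)` partials, so consider moving the paragraph into one include so the two tabs cannot drift apart. It would also help readers to say why the grant is needed: from PostgreSQL 16 on, `CREATEROLE` no longer lets a role grant membership in roles it does not hold `ADMIN OPTION` on.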
Expand All @@ -63,7 +83,13 @@ to ensure that your configuration is correct.
</Tabs>

<Admonition type="note" title="Database Access Controls for `teleport-admin`">
When [Database Access Controls](../rbac.mdx) feature is in use, the `teleport-admin` should have permissions to relevant database objects. For example:
When [Database Access Controls](../rbac.mdx) feature is in use, the
`teleport-admin` should have permissions to relevant database objects. You can
grant `teleport-admin` the `SUPERUSER` option for self-hosted databases, or the
`rds_superuser` role for RDS databases.

For improved security through the principle of least privilege, you can also
assign permissions directly to specific database objects. For example:

```sql
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin";
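Review bot: the `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ... TO "teleport-admin"` at the end of the hunk omits `WITH GRANT OPTION`, so a `teleport-admin` set up the least-privilege way (without `SUPERUSER` or `rds_superuser`, which is the point of that paragraph) cannot re-grant those table privileges to the users it provisions. Since the admonition is about least privilege, consider listing the targeted grants first and the `SUPERUSER` / `rds_superuser` shortcut second, with a sentence noting that the shortcut gives the admin unrestricted access to the whole database.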
Contributor

We need to update this if the assumption is that they don't have a superuser role: It should be:

- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin";
+ GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION;

Additionally, in light of #51851 the admin will need this:

```sql
GRANT ALL PRIVILEGES ON SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION
```

Or more specifically, the equivalent:

```sql
GRANT USAGE, CREATE ON SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION
```

cc @greedy52

Contributor

And it may also be useful for non-superuser admins to alter their default permissions like this so that new tables are also supported:

```sql
GRANT USAGE, CREATE ON SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION;
GRANT ALL ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin" WITH GRANT OPTION;
ALTER DEFAULT PRIVILEGES IN SCHEMA schema1, schema2, schema3 GRANT ALL ON TABLES TO "teleport-admin" WITH GRANT OPTION;
```

The same can be done for new tables created in all current/new schemas:

```sql
ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO "teleport-admin" WITH GRANT OPTION;
```

And for any new schemas as well:

```sql
ALTER DEFAULT PRIVILEGES GRANT USAGE,CREATE ON SCHEMAS TO "teleport-admin" WITH GRANT OPTION;
```

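The non-superuser admin setup that the two comments above describe, as one runnable psql script. This is an added example and is not code from the PR or from the Teleport docs; the schema `app`, the table `app.orders` and the provisioned user `alice` are constructed for the example, and the role `reader` is the one used in the docs. The first half runs as a superuser (or the schema owner) and gives `teleport-admin` exactly the PostgreSQL 16+ `ADMIN OPTION` and `WITH GRANT OPTION` privileges discussed; the second half switches into `teleport-admin` and shows that those, and only those, privileges are enough to provision a user.

```sql
-- Added example: least-privilege "teleport-admin" on PostgreSQL 16+.
-- Names "app", "app.orders" and "alice" are constructed for this example.

-- ===== Part 1: run as a superuser (or the owner of schema "app") =====
CREATE ROLE reader NOLOGIN;
CREATE SCHEMA app;
CREATE TABLE app.orders (id serial PRIMARY KEY, note text);

-- CREATEROLE lets the admin create the auto-provisioned users, nothing more.
CREATE USER "teleport-admin" LOGIN CREATEROLE;

-- PostgreSQL 16+: CREATEROLE no longer implies the right to grant membership in
-- arbitrary roles, so the admin needs ADMIN OPTION on every role Teleport assigns.
GRANT reader TO "teleport-admin" WITH ADMIN OPTION;

-- Object privileges must be granted WITH GRANT OPTION, otherwise the admin can
-- use the tables itself but cannot pass the privileges on to provisioned users.
GRANT USAGE, CREATE ON SCHEMA app TO "teleport-admin" WITH GRANT OPTION;
GRANT ALL ON ALL TABLES IN SCHEMA app TO "teleport-admin" WITH GRANT OPTION;

-- Cover tables created later in "app" by the role running this script
-- (ALTER DEFAULT PRIVILEGES without FOR ROLE applies to the current role).
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT ALL ON TABLES TO "teleport-admin" WITH GRANT OPTION;

-- ===== Part 2: act as the admin; everything below uses only its rights =====
SET ROLE "teleport-admin";

-- Provision a user the way the auto-provisioning flow would.
CREATE USER "alice" LOGIN;

-- Allowed because teleport-admin holds ADMIN OPTION on "reader".
GRANT reader TO "alice";

-- Allowed because teleport-admin holds the privileges WITH GRANT OPTION.
GRANT USAGE ON SCHEMA app TO "alice";
GRANT SELECT ON app.orders TO "alice";

-- Check the result from the catalog rather than trusting the GRANTs succeeded.
SELECT has_table_privilege('alice', 'app.orders', 'SELECT') AS alice_can_select,
       pg_has_role('alice', 'reader', 'MEMBER')             AS alice_is_reader;

RESET ROLE;
```

Both columns of the final SELECT should be true. If either `WITH GRANT OPTION` line in Part 1 is left out, the corresponding GRANT in Part 2 fails with a "permission denied" / "warning: no privileges were granted" result, which is the failure mode a `teleport-admin` without `SUPERUSER` runs into when the docs' `GRANT ALL PRIVILEGES ... TO "teleport-admin"` is copied without the option.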
Contributor Author

@greedy52 greedy52 Feb 5, 2025

thanks! let's track these for #51851. why does admin need CREATE on schemas?

Contributor

We discussed this in call but just to write it down: this would just be future proofing so that we can support permission grants for schema objects.

Expand All @@ -75,10 +101,6 @@ the database, which will be created automatically if it doesn't exist.

(!docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx protocol="postgres" uri="localhost:5432" default="the same database that the user is accessing" !)

<Admonition type="warning" title="Procedure Privileges in PostgreSQL 15+">
(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!)
</Admonition>
Contributor Author

@greedy52 greedy52 Nov 13, 2024

```sql
GRANT CREATE ON SCHEMA public TO "teleport-admin";
```

This shouldn't be necessary any more after @gabrielcorado's change that moved procedures to pg_temp


## Step 2/3. Configure a Teleport role

Database permissions are associated with a Teleport role, which can either allocate predefined database roles (configured in each database) or define specific database object permissions directly. Teleport grants these permissions for the duration of the connection.
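Review bot: removing the "Procedure Privileges in PostgreSQL 15+" admonition drops this page's reference to `postgres15-grant-create.mdx`, and the page reports that a file was deleted in this PR (presumably that include); please confirm no other page still includes the partial, or the docs build will break on the missing file. A one-line note naming the Teleport release from which procedures are created in `pg_temp` (placeholder: the version that shipped that change) would also tell readers on older releases whether the `GRANT CREATE ON SCHEMA public` step still applies to them.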
Expand Down Expand Up @@ -169,10 +191,6 @@ Users created within the database will:

## Troubleshooting

### Permission denied for schema public error

(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!)

### User does not have CONNECT privilege error

You may encounter the following error when the admin user or the roles assigned
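Review bot: the "Permission denied for schema public error" troubleshooting entry is removed without a replacement; users on a release where procedures were still created in `public` will keep hitting that error and will no longer find it documented here. Consider keeping a short entry that says the error only affects older releases and is resolved by upgrading, rather than deleting it outright.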

This file was deleted.