From b786b86326a41f34ebc39e91cc5965d82bcc3f8a Mon Sep 17 00:00:00 2001 From: STeve Huang Date: Wed, 13 Nov 2024 10:20:16 -0500 Subject: [PATCH 1/2] [docs] PostgreSQL auto-user provisioning guide minor edits --- .../auto-user-provisioning/postgres.mdx | 22 +++++++++++-------- .../postgres15-grant-create.mdx | 11 ---------- 2 files changed, 13 insertions(+), 20 deletions(-) delete mode 100644 docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx index 2fb8c7c1aac83..fa402c21a0aaf 100644 --- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx +++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx @@ -41,6 +41,12 @@ Note that the RDS database must have IAM authentication enabled. Refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html) to make sure you are using the `rds_iam` role correctly. for more information. + +If the admin user needs to grant the `rds_superuser` role to auto-provisioned +users, the admin user must also be a `rds_superuser`: +```sql +GRANT rds_superuser TO "teleport-admin" WITH ADMIN OPTION; +``` The self-hosted PostgreSQL admin user must have X.509 authentication configured. 
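Review bot: the added SQL grants more than the sentence above it asks for. The text says the admin user "must also be a `rds_superuser`", but the statement is `GRANT rds_superuser TO "teleport-admin" WITH ADMIN OPTION;`, which additionally lets `teleport-admin` hand `rds_superuser` to any other role. If the ADMIN option is what Teleport actually needs in order to assign `rds_superuser` to auto-provisioned users, say so in the sentence; if not, reduce it to `GRANT rds_superuser TO "teleport-admin";` so the admin account holds only the membership the paragraph justifies. While this paragraph is being edited, the unchanged context line `to make sure you are using the `rds_iam` role correctly. for more information.` still carries the dangling `for more information.` fragment and should be cleaned up in the same change.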
@@ -63,7 +69,13 @@ to ensure that your configuration is correct. -When [Database Access Controls](../rbac.mdx) feature is in use, the `teleport-admin` should have permissions to relevant database objects. For example: +When [Database Access Controls](../rbac.mdx) feature is in use, the +`teleport-admin` should have permissions to relevant database objects. You can +grant `teleport-admin` the `SUPERUSER` option for self-hosted databases, or the +`rds_superuser` role for RDS databases. + +For improved security through the principle of least privilege, you can also +assign permissions directly to specific database objects. For example: ```sql GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin"; @@ -75,10 +87,6 @@ the database, which will be created automatically if it doesn't exist. (!docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx protocol="postgres" uri="localhost:5432" default="the same database that the user is accessing" !) - -(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!) - - ## Step 2/3. Configure a Teleport role Database permissions are associated with a Teleport role, which can either allocate predefined database roles (configured in each database) or define specific database object permissions directly. Teleport grants these permissions for the duration of the connection. @@ -169,10 +177,6 @@ Users created within the database will: ## Troubleshooting -### Permission denied for schema public error - -(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!) - ### User does not have CONNECT privilege error You may encounter the following error when the admin user or the roles assigned 
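Review bot: in the `@@ -63,7 +69,13 @@` hunk the rewritten paragraph leads with the broadest option (`SUPERUSER` for self-hosted, `rds_superuser` for RDS) and presents the scoped `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ...` as an afterthought ("you can also"). `teleport-admin` is the account Teleport holds a long-lived credential for, so the order should be reversed: recommend the object-level grants first and describe `SUPERUSER`/`rds_superuser` as the fallback, with one sentence on what it exposes (a superuser can read and alter every object in the cluster, not only the objects Teleport users are meant to reach). As written, a reader following the guide top to bottom will stop at the first option.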
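Review bot: the `@@ -75,10 +87,6 @@` and `@@ -169,10 +177,6 @@` hunks drop the `postgres15-grant-create.mdx` include from Step 1 and delete the "Permission denied for schema public error" troubleshooting section, which together were the only place telling self-hosted users on PostgreSQL 15 and later to run `GRANT CREATE ON SCHEMA public TO "teleport-admin";`. That requirement only disappears for readers who choose `SUPERUSER`; anyone taking the least-privilege path the new paragraph offers still needs `CREATE` on the schema so the admin user can create its procedures, and the troubleshooting entry was keyed to the exact error they will hit. Keep the `CREATE` grant, together with the note that it is only needed on `admin_user.default_database` when that is set, in the least-privilege paragraph or in the troubleshooting section, rather than deleting the include outright.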
diff --git a/docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx b/docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx deleted file mode 100644 index 012fe0e585848..0000000000000 --- a/docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx +++ /dev/null @@ -1,11 +0,0 @@ -PostgreSQL 15 revokes the `CREATE` permission from all users except a database -owner from the public (or default) schema. - -Grant the admin user `CREATE` privilege so the admin user can create procedures: -```sql -GRANT CREATE ON SCHEMA public TO "teleport-admin"; -``` - -If `admin_user.default_database` is specified, the `CREATE` privilege is only -required for the database specified in the `default_database`. Otherwise, you -have to repeat the privilege grant for every database Teleport will access. From 1f82df231c8a403903493458c575bb0376e25d60 Mon Sep 17 00:00:00 2001 From: STeve Huang Date: Wed, 29 Jan 2025 14:16:25 -0500 Subject: [PATCH 2/2] remove admin option from rds_superuser and add note on admin option for each role --- .../auto-user-provisioning/postgres.mdx | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx index fa402c21a0aaf..46f44bf3306ca 100644 --- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx +++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx 
@@ -45,7 +45,14 @@ for more information. If the admin user needs to grant the `rds_superuser` role to auto-provisioned users, the admin user must also be a `rds_superuser`: ```sql -GRANT rds_superuser TO "teleport-admin" WITH ADMIN OPTION; +GRANT rds_superuser TO "teleport-admin"; +``` + +For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each +PostgreSQL role that Teleport will assign to your Teleport user. For example, to +allow the admin user to grant and revoke role `reader`: +```sql +GRANT reader TO "teleport-admin" WITH ADMIN OPTION; ``` @@ -55,6 +62,13 @@ The self-hosted PostgreSQL admin user must have X.509 authentication configured. CREATE USER "teleport-admin" login createrole; ``` +For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each +PostgreSQL role that Teleport will assign to your Teleport user. For example, to +allow the admin user to grant and revoke role `reader`: +```sql +GRANT reader TO "teleport-admin" WITH ADMIN OPTION; +``` + Note that the database must be configured to accept client certificate auth for the admin user by having the following entries in `pg_hba.conf`:
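Review bot: in the `@@ -45,7 +45,14 @@` hunk, `GRANT reader TO "teleport-admin" WITH ADMIN OPTION;` does more than allow the admin to grant and revoke `reader`: by default it also makes `teleport-admin` inherit `reader`'s privileges and able to `SET ROLE reader`. Since the stated purpose is only delegation, on PostgreSQL 16 and later the example should use the per-grant options that version introduced, `GRANT reader TO "teleport-admin" WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;`, so the admin account can manage membership in `reader` without being able to use it. The paragraph should also say that this is needed for roles created by someone other than `teleport-admin`; with the PostgreSQL 16 `CREATEROLE` changes the creating role already receives `ADMIN OPTION` on roles it creates itself, so the `createrole` admin shown in the self-hosted section does not need an extra grant for those.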
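Review bot: the `@@ -55,6 +62,13 @@` hunk inserts the same "For PostgreSQL 16+, you must grant the `ADMIN` option ..." paragraph and the same `GRANT reader TO "teleport-admin" WITH ADMIN OPTION;` example verbatim into the self-hosted section that the previous hunk added to the RDS section. This page already uses `(!docs/pages/includes/database-access/auto-user-provisioning/...!)` includes for shared text (the first patch in this series even deletes one), so the PostgreSQL 16 note belongs in a single include referenced from both sections; two hand-maintained copies will drift the next time the grant syntax or the version threshold changes.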