mirror of
https://github.com/gravitational/teleport
synced 2024-10-20 01:03:40 +00:00
Add SQL Server guide (#10293)
This commit is contained in:
parent
172d7ed4c0
commit
8ea2c70996
|
@ -195,6 +195,7 @@
|
|||
{ "title": "Self-Hosted MySQL/MariaDB", "slug": "/database-access/guides/mysql-self-hosted/" },
|
||||
{ "title": "Self-Hosted MongoDB", "slug": "/database-access/guides/mongodb-self-hosted/" },
|
||||
{ "title": "Self-Hosted CockroachDB", "slug": "/database-access/guides/cockroachdb-self-hosted/" },
|
||||
{ "title": "SQL Server (Preview)", "slug": "/database-access/guides/sql-server-ad/" },
|
||||
{ "title": "Database GUI Clients", "slug": "/database-access/guides/gui-clients/" },
|
||||
{ "title": "Dynamic Registration", "slug": "/database-access/guides/dynamic-registration/" },
|
||||
{ "title": "High Availability", "slug": "/database-access/guides/ha/" }
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 216 KiB |
Binary file not shown.
After Width: | Height: | Size: 234 KiB |
BIN
docs/img/database-access/guides/sqlserver/spn@2x.png
Normal file
BIN
docs/img/database-access/guides/sqlserver/spn@2x.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 597 KiB |
|
@ -6,56 +6,4 @@ layout: tocless-doc
|
|||
|
||||
# Database Access Guides
|
||||
|
||||
## Cloud-hosted guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="cloud" title="AWS RDS & Aurora" href="./guides/rds.mdx">
|
||||
Connect AWS RDS or Aurora PostgreSQL or MySQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="AWS Redshift" href="./guides/postgres-redshift.mdx">
|
||||
Connect AWS Redshift database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="GCP Cloud SQL PostgreSQL" href="./guides/postgres-cloudsql.mdx">
|
||||
Connect GCP Cloud SQL PostgreSQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="GCP Cloud SQL MySQL" href="./guides/mysql-cloudsql.mdx">
|
||||
Connect GCP Cloud SQL MySQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="Azure PostgreSQL & MySQL" href="./guides/azure-postgres-mysql.mdx">
|
||||
Connect Azure PostgreSQL or MySQL.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="MongoDB Atlas" href="./guides/mongodb-atlas.mdx">
|
||||
Connect MongoDB Atlas cluster.
|
||||
</Tile>
|
||||
</TileSet>
|
||||
|
||||
## Self-hosted guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="database" title="Self-hosted PostgreSQL" href="./guides/postgres-self-hosted.mdx">
|
||||
Connect self-hosted PostgreSQL database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted MySQL/MariaDB" href="./guides/mysql-self-hosted.mdx">
|
||||
Connect self-hosted MySQL/MariaDB database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted MongoDB" href="./guides/mongodb-self-hosted.mdx">
|
||||
Connect self-hosted MongoDB database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted CockroachDB" href="./guides/cockroachdb-self-hosted.mdx">
|
||||
Connect self-hosted CockroachDB database.
|
||||
</Tile>
|
||||
</TileSet>
|
||||
|
||||
## General guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="window" title="GUI clients" href="./guides/gui-clients.mdx">
|
||||
Configure database graphical clients.
|
||||
</Tile>
|
||||
<Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
|
||||
Register/unregister databases without restarting Teleport.
|
||||
</Tile>
|
||||
<Tile icon="integrations" title="High Availability" href="./guides/ha.mdx">
|
||||
Deploy database access in HA configuration.
|
||||
</Tile>
|
||||
</TileSet>
|
||||
(!docs/pages/includes/database-access/guides.mdx!)
|
||||
|
|
|
@ -110,34 +110,7 @@ Optionally, click "Test Connection" to verify connectivity:
|
|||
|
||||
Save the connection, and connect to the database.
|
||||
|
||||
## MongoDB Compass
|
||||
|
||||
[Compass](https://www.mongodb.com/products/compass) is the official MongoDB
|
||||
graphical client.
|
||||
|
||||
On the "New Connection" panel, click on "Fill in connection fields individually".
|
||||
|
||||
![MongoDB Compass new connection](../../../img/database-access/compass-new-connection@2x.png)
|
||||
|
||||
On the "Hostname" tab, enter your Teleport proxy's hostname and port shown
|
||||
by `tsh db config`. Leave "Authentication" as None.
|
||||
|
||||
![MongoDB Compass hostname](../../../img/database-access/compass-hostname@2x.png)
|
||||
|
||||
On the "More Options" tab set SSL to "Client and Server Validation" and set
|
||||
CA as well as client key and certificate. Note the CA path must be provided
|
||||
and be able to validate certificate presented by your Teleport proxy's web
|
||||
endpoint. Client key and certificate locations are shown by `tsh db config`.
|
||||
|
||||
![MongoDB Compass more options](../../../img/database-access/compass-more-options@2x.png)
|
||||
|
||||
Click on the "Connect" button.
|
||||
|
||||
## DBeaver
|
||||
|
||||
DBeaver is a SQL client software application and database administration tool.
|
||||
|
||||
### MySQL
|
||||
## MySQL DBeaver
|
||||
|
||||
<Admonition type="note">
|
||||
Teleport's DBeaver MySQL integration only supports MySQL server (=mysql.dbeaver_min_ver=) or older.
|
||||
|
@ -173,3 +146,49 @@ Navigate to the "SSL" tab, check the "Use SSL" box, uncheck the "Verify Server C
|
|||
|
||||
Click "Ok" to finish and DBeaver should connect to the remote MySQL server automatically.
|
||||
|
||||
## MongoDB Compass
|
||||
|
||||
[Compass](https://www.mongodb.com/products/compass) is the official MongoDB
|
||||
graphical client.
|
||||
|
||||
On the "New Connection" panel, click on "Fill in connection fields individually".
|
||||
|
||||
![MongoDB Compass new connection](../../../img/database-access/compass-new-connection@2x.png)
|
||||
|
||||
On the "Hostname" tab, enter your Teleport proxy's hostname and port shown
|
||||
by `tsh db config`. Leave "Authentication" as None.
|
||||
|
||||
![MongoDB Compass hostname](../../../img/database-access/compass-hostname@2x.png)
|
||||
|
||||
On the "More Options" tab set SSL to "Client and Server Validation" and set
|
||||
CA as well as client key and certificate. Note the CA path must be provided
|
||||
and be able to validate certificate presented by your Teleport proxy's web
|
||||
endpoint. Client key and certificate locations are shown by `tsh db config`.
|
||||
|
||||
![MongoDB Compass more options](../../../img/database-access/compass-more-options@2x.png)
|
||||
|
||||
Click on the "Connect" button.
|
||||
|
||||
## SQL Server DBeaver
|
||||
|
||||
(!docs/pages/includes/database-access/sql-server-local-proxy.mdx!)
|
||||
|
||||
In DBeaver connection configuration use the local proxy's endpoint (`localhost:4242`
|
||||
in the example above) as host/port. Use SQL Server Authentication option and keep
|
||||
the Password field empty:
|
||||
|
||||
![DBeaver connection options](../../../img/database-access/guides/sqlserver/dbeaver-connection@2x.png)
|
||||
|
||||
Click OK to connect.
|
||||
|
||||
## SQL Server DataGrip
|
||||
|
||||
(!docs/pages/includes/database-access/sql-server-local-proxy.mdx!)
|
||||
|
||||
In DataGrip connection configuration use the local proxy's endpoint (`localhost:4242`
|
||||
in the example above) as host/port. Use Use & Password authentication option and
|
||||
keep the Password field empty:
|
||||
|
||||
![DataGrip connection options](../../../img/database-access/guides/sqlserver/datagrip-connection@2x.png)
|
||||
|
||||
Click OK to connect.
|
||||
|
|
337
docs/pages/database-access/guides/sql-server-ad.mdx
Normal file
337
docs/pages/database-access/guides/sql-server-ad.mdx
Normal file
|
@ -0,0 +1,337 @@
|
|||
---
|
||||
title: Database Access with Microsoft SQL Server with Active Directory authentication (Preview)
|
||||
description: How to configure Teleport Database Access with Microsoft SQL Server with Active Directory authentication.
|
||||
---
|
||||
|
||||
<Details
|
||||
title="Version warning"
|
||||
opened={true}
|
||||
scope={["oss", "enterprise"]}
|
||||
scopeOnly={true}
|
||||
min="9.0"
|
||||
>
|
||||
Database access for Microsoft SQL Server with Active Directory authentication
|
||||
is available starting from Teleport `9.0`.
|
||||
</Details>
|
||||
|
||||
<Admonition type="warning" title="Preview">
|
||||
Database access for Microsoft SQL Server is currently in a Preview mode and
|
||||
does not include audit logging of database query activity.
|
||||
</Admonition>
|
||||
|
||||
This guide will help you to:
|
||||
|
||||
- Install and configure Teleport.
|
||||
- Set up access to SQL Server using Active Directory authentication.
|
||||
- Connect to SQL Server through Teleport.
|
||||
|
||||
This guide will focus on Amazon RDS for SQL Server using AWS-managed Active
|
||||
Directory authentication.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Teleport version >= `9.0`.
|
||||
- A SQL Server database with Active Directory authentication enabled.
|
||||
- A Windows machine joined to the same Active Directory domain as the database.
|
||||
- A Linux node joined to the same Active Directory domain as the database. This
|
||||
guide will walk you through the joining steps if you don't have one.
|
||||
|
||||
## Step 1/7. Set up Teleport Auth and Proxy
|
||||
|
||||
(!docs/pages/includes/database-access/start-auth-proxy.mdx!)
|
||||
|
||||
## Step 2/7. Create a Teleport user
|
||||
|
||||
(!docs/pages/includes/database-access/create-user.mdx!)
|
||||
|
||||
## Step 3/7. Join the Linux node to Active Directory
|
||||
|
||||
<Admonition type="note">
|
||||
You can skip this step if you already have a Linux node joined to the same
|
||||
Active Directory domain as your SQL Server.
|
||||
</Admonition>
|
||||
|
||||
The Linux node where the Database Service will run must be joined to the same
|
||||
Active Directory domain as the SQL Server database.
|
||||
|
||||
Note that in order to be able to join, the Linux node must be able to resolve
|
||||
your Active Directory fully-qualified domain name. For example, for AWS-managed
|
||||
AD, use nameservers provided under "Networking details" on the directory's
|
||||
overview page.
|
||||
|
||||
Install necessary packages:
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Ubuntu">
|
||||
```bash
|
||||
$ sudo apt-get update
|
||||
$ sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="RHEL / CentOS 7">
|
||||
```bash
|
||||
$ sudo yum -y update
|
||||
$ sudo yum -y install sssd realmd krb5-workstation samba-common-tools
|
||||
```
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
Edit `/etc/krb5.conf` to disable reverse DNS resolution and set the default
|
||||
realm. Make sure that the `[realms]` section contains your domain definition
|
||||
and has `admin_server` and `kdc` fields set pointing to the domain controllers:
|
||||
|
||||
```ini
|
||||
[libdefaults]
|
||||
default_realm = EXAMPLE.COM
|
||||
rdns = false
|
||||
|
||||
[realms]
|
||||
EXAMPLE.COM = {
|
||||
kdc = example.com
|
||||
admin_server = example.com
|
||||
}
|
||||
```
|
||||
|
||||
Join the realm:
|
||||
|
||||
```bash
|
||||
$ sudo realm join -v -U admin@EXAMPLE.COM example.com
|
||||
...
|
||||
* Successfully enrolled machine in realm
|
||||
```
|
||||
|
||||
<Admonition type="warning">
|
||||
Note that the realm name in `admin@EXAMPLE.COM` **must** be capital case,
|
||||
otherwise the node might not be able to join.
|
||||
</Admonition>
|
||||
|
||||
To confirm the node has joined the realm, use the `realm list` command:
|
||||
|
||||
```bash
|
||||
$ sudo realm list
|
||||
example.com
|
||||
type: kerberos
|
||||
realm-name: EXAMPLE.COM
|
||||
domain-name: example.com
|
||||
configured: kerberos-member
|
||||
server-software: active-directory
|
||||
client-software: sssd
|
||||
...
|
||||
```
|
||||
|
||||
## Step 4/7. Create keytab file
|
||||
|
||||
Teleport requires a keytab file to obtain Kerberos service tickets from your
|
||||
Active Directory for authentication with SQL Server. The easiest way to generate
|
||||
it is to use the `adutil` Linux CLI utility.
|
||||
|
||||
Install `adutil` on the Linux node you have joined to your Active Directory
|
||||
domain:
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Ubuntu 18.04">
|
||||
```bash
|
||||
$ curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
|
||||
$ sudo curl https://packages.microsoft.com/config/ubuntu/18.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list
|
||||
$ sudo apt-get update
|
||||
$ sudo ACCEPT_EULA=Y apt-get install -y adutil
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="Ubuntu 20.04">
|
||||
```bash
|
||||
$ sudo wget -qO /etc/apt/trusted.gpg.d/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc
|
||||
$ sudo curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list
|
||||
$ sudo apt-get update
|
||||
$ sudo ACCEPT_EULA=Y apt-get install -y adutil
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="RHEL / CentOS 7">
|
||||
```bash
|
||||
$ sudo curl -o /etc/yum.repos.d/msprod.repo https://packages.microsoft.com/config/rhel/8/prod.repo
|
||||
$ sudo ACCEPT_EULA=Y yum install -y adutil
|
||||
```
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
Log into your Active Directory using the `kinit` command:
|
||||
|
||||
```bash
|
||||
$ kinit admin@EXAMPLE.COM
|
||||
```
|
||||
|
||||
Use the `adutil keytab create` command to generate keytab entries for each
|
||||
Active Directory user that will be connecting to the SQL Server database:
|
||||
|
||||
```bash
|
||||
$ adutil keytab create teleport.keytab alice
|
||||
$ adutil keytab create teleport.keytab bob
|
||||
```
|
||||
|
||||
You will be prompted to enter each user's password. All keytab entries will
|
||||
be merged into the same `teleport.keytab` file.
|
||||
|
||||
<Admonition type="note" title="Assign Service Principal Names">
|
||||
For the `adutil keytab create` command to work, each user account must be
|
||||
assigned a Service Principal Name, otherwise the command will not be able
|
||||
to determine its `kvno` (key version number).
|
||||
|
||||
To check if the user has any SPNs assigned, run the following command on the
|
||||
Windows machine joined to your Active Directory domain:
|
||||
|
||||
```code
|
||||
$ setspn -L alice
|
||||
```
|
||||
|
||||
To assign an SPN to a user account, use the following command:
|
||||
|
||||
```code
|
||||
$ setspn -s user/alice alice
|
||||
```
|
||||
</Admonition>
|
||||
|
||||
You can verify entries in the keytab file using `klist` command:
|
||||
|
||||
```bash
|
||||
$ klist -ke teleport.keytab
|
||||
Keytab name: FILE:teleport.keytab
|
||||
KVNO Principal
|
||||
---- --------------------------------------------------------------------------
|
||||
5 alice@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
|
||||
2 bob@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
|
||||
```
|
||||
|
||||
<Admonition type="warning">
|
||||
You must update the keytab file after updating a user's password to avoid
|
||||
authentication failures.
|
||||
</Admonition>
|
||||
|
||||
## Step 5/7. Set up Teleport Database Service
|
||||
|
||||
(!docs/pages/includes/database-access/token.mdx!)
|
||||
|
||||
<Admonition type="note">
|
||||
Teleport Database Service must run on a Linux server joined to the same
|
||||
Active Directory domain as the SQL Server.
|
||||
</Admonition>
|
||||
|
||||
Start Teleport Database Service. Make sure to update `--auth-server` to point to
|
||||
your Teleport Proxy Service address and `--uri` to the SQL Server endpoint.
|
||||
|
||||
```bash
|
||||
$ teleport db start \
|
||||
--token=/tmp/token \
|
||||
--auth-server=teleport.example.com:3080 \
|
||||
--name=sqlserver \
|
||||
--protocol=sqlserver \
|
||||
--uri=sqlserver.example.com:1433 \
|
||||
--ad-keytab=/path/to/teleport.keytab \
|
||||
--ad-domain=EXAMPLE.COM \
|
||||
--ad-spn=MSSQLSvc/sqlserver.example.com:1433 \
|
||||
--labels=env=dev
|
||||
```
|
||||
|
||||
Provide Active Directory parameters:
|
||||
|
||||
| Flag | Description |
|
||||
| ---- | ----------- |
|
||||
| `--ad-keytab` | Path to Kerberos keytab file generated above. |
|
||||
| `--ad-domain` | Active Directory domain (Kerberos realm) that SQL Server is joined. |
|
||||
| `--ad-spn` | Service Principal Name for SQL Server to fetch Kerberos tickets for. |
|
||||
|
||||
<Admonition type="tip">
|
||||
You can start Teleport Database Service using a configuration file instead of
|
||||
CLI flags. See [YAML reference](../reference/configuration.mdx).
|
||||
</Admonition>
|
||||
|
||||
### Service Principal Name
|
||||
|
||||
You can use `ldapsearch` command to see the SPNs registered for your SQL
|
||||
Server. Typically, they take a form of `MSSQLSvc/<name>.<ad-domain>:<port>`.
|
||||
|
||||
For example, an AWS RDS SQL Server named `sqlserver` and joined to an AWS managed
|
||||
Active Directory domain `EXAMPLE.COM` will have the following SPNs registered:
|
||||
|
||||
```bash
|
||||
$ ldapsearch -x -h example.com -D admin -W -b DC=example,DC=com servicePrincipalName
|
||||
...
|
||||
# EC2AMAZ-4KN05DU, RDS, AWS Reserved, example.com
|
||||
dn: CN=EC2AMAZ-4KN05DU,OU=RDS,OU=AWS Reserved,DC=example,DC=com
|
||||
servicePrincipalName: MSSQLSvc/sqlserver-rds.example.com:1433
|
||||
servicePrincipalName: MSSQLSvc/EC2AMAZ-4KN05DU.example.com:1433
|
||||
servicePrincipalName: MSSQLSvc/EC2AMAZ-4KN05DU.example.com
|
||||
...
|
||||
```
|
||||
|
||||
Alternatively, you can look SPNs up in the Attribute Editor of the Active Directory
|
||||
Users and Computers dialog on your AD-joined Windows machine. The RDS SQL Server
|
||||
object typically resides under the AWS Reserved / RDS path:
|
||||
|
||||
![SPN](../../../img/database-access/guides/sqlserver/spn@2x.png)
|
||||
|
||||
<Admonition type="tip">
|
||||
If you don't see Attribute Editor tab, make sure that "View > Advanced Features"
|
||||
toggle is enabled.
|
||||
</Admonition>
|
||||
|
||||
## Step 6/7. Create SQL Server AD users
|
||||
|
||||
<Admonition type="note">
|
||||
You can skip this step if you already have Active Directory logins in your
|
||||
SQL Server.
|
||||
</Admonition>
|
||||
|
||||
Connect to your SQL Server as an administrative account (e.g. `sa`) and create
|
||||
logins that will use Active Directory authentication:
|
||||
|
||||
```sql
|
||||
master> CREATE LOGIN [EXAMPLE\alice] FROM WINDOWS WITH DEFAULT_DATABASE = [master], DEFAULT_LANGUAGE = [us_english];
|
||||
```
|
||||
|
||||
## Step 7/7. Connect
|
||||
|
||||
Log into your Teleport cluster. Your SQL Server database should appear in the
|
||||
list of available databases:
|
||||
|
||||
```code
|
||||
$ tsh login --proxy=teleport.example.com --user=alice
|
||||
$ tsh db ls
|
||||
# Name Description Labels
|
||||
# --------- ------------------- -------
|
||||
# sqlserver env=dev
|
||||
```
|
||||
|
||||
Fetch the short-lived client certificate for it using the `tsh db login` command:
|
||||
|
||||
```code
|
||||
$ tsh db login --db-user=teleport sqlserver
|
||||
```
|
||||
|
||||
<Admonition type="tip">
|
||||
You can be logged into multiple databases simultaneously.
|
||||
</Admonition>
|
||||
|
||||
Now connect to the database:
|
||||
|
||||
```code
|
||||
$ tsh db connect sqlserver
|
||||
```
|
||||
|
||||
<Admonition type="note">
|
||||
The `mssql-cli` command-line client should be available in PATH of the machine
|
||||
you're running `tsh db connect` from.
|
||||
</Admonition>
|
||||
|
||||
To log out of the database and remove credentials:
|
||||
|
||||
```code
|
||||
$ tsh db logout sqlserver
|
||||
```
|
||||
|
||||
## Next steps
|
||||
|
||||
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
|
||||
|
||||
## Further reading
|
||||
|
||||
- [Manually join a Linux instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html) in the AWS documentation.
|
||||
- [Introduction to `adutil`](https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-ad-auth-adutil-introduction) in the Microsoft documentation.
|
|
@ -49,59 +49,7 @@ with Github, execute a few SQL queries and observe them in the audit log:
|
|||
</Tile>
|
||||
</TileSet>
|
||||
|
||||
## Cloud-hosted guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="cloud" title="AWS RDS & Aurora" href="./guides/rds.mdx">
|
||||
Connect AWS RDS or Aurora PostgreSQL or MySQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="AWS Redshift" href="./guides/postgres-redshift.mdx">
|
||||
Connect AWS Redshift database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="GCP Cloud SQL PostgreSQL" href="./guides/postgres-cloudsql.mdx">
|
||||
Connect GCP Cloud SQL PostgreSQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="GCP Cloud SQL MySQL" href="./guides/mysql-cloudsql.mdx">
|
||||
Connect GCP Cloud SQL MySQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="Azure PostgreSQL & MySQL" href="./guides/azure-postgres-mysql.mdx">
|
||||
Connect Azure PostgreSQL or MySQL.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="MongoDB Atlas" href="./guides/mongodb-atlas.mdx">
|
||||
Connect MongoDB Atlas cluster.
|
||||
</Tile>
|
||||
</TileSet>
|
||||
|
||||
## Self-hosted guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="database" title="Self-hosted PostgreSQL" href="./guides/postgres-self-hosted.mdx">
|
||||
Connect self-hosted PostgreSQL database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted MySQL/MariaDB" href="./guides/mysql-self-hosted.mdx">
|
||||
Connect self-hosted MySQL/MariaDB database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted MongoDB" href="./guides/mongodb-self-hosted.mdx">
|
||||
Connect self-hosted MongoDB database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted CockroachDB" href="./guides/cockroachdb-self-hosted.mdx">
|
||||
Connect self-hosted CockroachDB database.
|
||||
</Tile>
|
||||
</TileSet>
|
||||
|
||||
## General guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="window" title="GUI clients" href="./guides/gui-clients.mdx">
|
||||
Configure database graphical clients.
|
||||
</Tile>
|
||||
<Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
|
||||
Register/unregister databases without restarting Teleport.
|
||||
</Tile>
|
||||
<Tile icon="integrations" title="High Availability" href="./guides/ha.mdx">
|
||||
Deploy database access in HA configuration.
|
||||
</Tile>
|
||||
</TileSet>
|
||||
(!docs/pages/includes/database-access/guides.mdx!)
|
||||
|
||||
## Resources
|
||||
|
||||
|
|
|
@ -9,72 +9,7 @@ The following snippet shows full YAML configuration of a Database Service
|
|||
appearing in `teleport.yaml` configuration file:
|
||||
|
||||
```yaml
|
||||
db_service:
|
||||
# Enables the Database Service.
|
||||
enabled: "yes"
|
||||
|
||||
# Matchers for database resources created with "tctl create" command.
|
||||
resources:
|
||||
- labels:
|
||||
"*": "*"
|
||||
|
||||
# Matchers for registering AWS-hosted databases.
|
||||
aws:
|
||||
# Database types. Valid options are:
|
||||
# 'rds' - discovers and registers AWS RDS and Aurora databases.
|
||||
# 'redshift' - discovers and registers AWS Redshift databases.
|
||||
- types: ["rds", "redshift"]
|
||||
# AWS regions to register databases from.
|
||||
regions: ["us-west-1", "us-east-2"]
|
||||
# AWS resource tags to match when registering databases.
|
||||
tags:
|
||||
"*": "*"
|
||||
|
||||
# Lists statically registered databases proxied by this agent.
|
||||
databases:
|
||||
# Name of the database proxy instance, used to reference in CLI.
|
||||
- name: "prod"
|
||||
# Free-form description of the database proxy instance.
|
||||
description: "Production database"
|
||||
# Database protocol. Can be "postgres", "mysql" or "mongodb".
|
||||
protocol: "postgres"
|
||||
# Database connection endpoint. Must be reachable from Database Service.
|
||||
uri: "postgres.example.com:5432"
|
||||
# Optional TLS configuration.
|
||||
tls:
|
||||
# TLS verification mode. Valid options are:
|
||||
# 'verify-full' - performs full certificate validation (default).
|
||||
# 'verify-ca' - the same as `verify-full`, but skips the server name validation.
|
||||
# 'insecure' - accepts any certificate provided by database (not recommended).
|
||||
mode: verify-full
|
||||
# Optional database DNS server name. It allows to override the DNS name on
|
||||
# a client certificate when connecting to a database.
|
||||
# Use only with 'verify-full' mode.
|
||||
server_name: db.example.com
|
||||
# Optional path to the CA used to validate the database certificate.
|
||||
ca_cert_file: /path/to/pem
|
||||
# AWS specific configuration, only required for RDS/Aurora/Redshift.
|
||||
aws:
|
||||
# Region the database is deployed in.
|
||||
region: "us-east-1"
|
||||
# Redshift specific configuration.
|
||||
redshift:
|
||||
# Redshift cluster identifier.
|
||||
cluster_id: "redshift-cluster-1"
|
||||
# GCP specific configuration for Cloud SQL databases.
|
||||
gcp:
|
||||
# GCP project ID.
|
||||
project_id: "xxx-1234"
|
||||
# Cloud SQL instance ID.
|
||||
instance_id: "example"
|
||||
# Static labels to assign to the database. Used in RBAC.
|
||||
static_labels:
|
||||
env: "prod"
|
||||
# Dynamic labels ("commands"). Used in RBAC.
|
||||
dynamic_labels:
|
||||
- name: "hostname"
|
||||
command: ["hostname"]
|
||||
period: 1m0s
|
||||
(!docs/pages/includes/database-access/database-config.yaml!)
|
||||
```
|
||||
|
||||
## Proxy configuration
|
||||
|
@ -126,21 +61,27 @@ version: v3
|
|||
metadata:
|
||||
# Database resource name.
|
||||
name: example
|
||||
|
||||
# Database resource description.
|
||||
description: "Example database"
|
||||
|
||||
# Database resource static labels.
|
||||
labels:
|
||||
env: example
|
||||
|
||||
spec:
|
||||
# Database protocol.
|
||||
protocol: "postgres"
|
||||
|
||||
# Database connection endpoint.
|
||||
uri: "localhost:5432"
|
||||
|
||||
# Optional CA for validating the database certificate.
|
||||
ca_cert: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
...
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
# Optional AWS configuration for RDS/Aurora/Redshift. Can be auto-detected from the endpoint.
|
||||
aws:
|
||||
# Region the database is deployed in.
|
||||
|
@ -149,12 +90,25 @@ spec:
|
|||
redshift:
|
||||
# Redshift cluster identifier.
|
||||
cluster_id: "redshift-cluster-1"
|
||||
|
||||
# Optional GCP configuration for Cloud SQL.
|
||||
gcp:
|
||||
# GCP project ID.
|
||||
project_id: "xxx-1234"
|
||||
# Cloud SQL instance ID.
|
||||
instance_id: "example"
|
||||
|
||||
# Settings specific to Active Directory authentication e.g. for SQL Server.
|
||||
ad:
|
||||
# Path to Kerberos keytab file.
|
||||
keytab_file: /path/to/keytab
|
||||
# Active Directory domain name.
|
||||
domain: EXAMPLE.COM
|
||||
# Service Principal Name to obtain Kerberos tickets for.
|
||||
spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
|
||||
# Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
|
||||
krb5_file: /etc/krb5.conf
|
||||
|
||||
# Optional dynamic labels.
|
||||
dynamic_labels:
|
||||
- name: "hostname"
|
||||
|
|
85
docs/pages/includes/database-access/database-config.yaml
Normal file
85
docs/pages/includes/database-access/database-config.yaml
Normal file
|
@ -0,0 +1,85 @@
|
|||
db_service:
|
||||
# Enables the Database Service.
|
||||
enabled: "yes"
|
||||
|
||||
# Matchers for database resources created with "tctl create" command.
|
||||
resources:
|
||||
- labels:
|
||||
"*": "*"
|
||||
|
||||
# Matchers for registering AWS-hosted databases.
|
||||
aws:
|
||||
# Database types. Valid options are:
|
||||
# 'rds' - discovers and registers AWS RDS and Aurora databases.
|
||||
# 'redshift' - discovers and registers AWS Redshift databases.
|
||||
- types: ["rds", "redshift"]
|
||||
# AWS regions to register databases from.
|
||||
regions: ["us-west-1", "us-east-2"]
|
||||
# AWS resource tags to match when registering databases.
|
||||
tags:
|
||||
"*": "*"
|
||||
|
||||
# Lists statically registered databases proxied by this agent.
|
||||
databases:
|
||||
# Name of the database proxy instance, used to reference in CLI.
|
||||
- name: "prod"
|
||||
|
||||
# Free-form description of the database proxy instance.
|
||||
description: "Production database"
|
||||
|
||||
# Database protocol. Can be: "postgres", "mysql", "mongodb", "cockroachdb", "sqlserver".
|
||||
protocol: "postgres"
|
||||
|
||||
# Database connection endpoint. Must be reachable from Database Service.
|
||||
uri: "postgres.example.com:5432"
|
||||
|
||||
# Optional TLS configuration.
|
||||
tls:
|
||||
# TLS verification mode. Valid options are:
|
||||
# 'verify-full' - performs full certificate validation (default).
|
||||
# 'verify-ca' - the same as `verify-full`, but skips the server name validation.
|
||||
# 'insecure' - accepts any certificate provided by database (not recommended).
|
||||
mode: verify-full
|
||||
# Optional database DNS server name. It allows to override the DNS name on
|
||||
# a client certificate when connecting to a database.
|
||||
# Use only with 'verify-full' mode.
|
||||
server_name: db.example.com
|
||||
# Optional path to the CA used to validate the database certificate.
|
||||
ca_cert_file: /path/to/pem
|
||||
|
||||
# AWS specific configuration, only required for RDS/Aurora/Redshift.
|
||||
aws:
|
||||
# Region the database is deployed in.
|
||||
region: "us-east-1"
|
||||
# Redshift specific configuration.
|
||||
redshift:
|
||||
# Redshift cluster identifier.
|
||||
cluster_id: "redshift-cluster-1"
|
||||
|
||||
# GCP specific configuration for Cloud SQL databases.
|
||||
gcp:
|
||||
# GCP project ID.
|
||||
project_id: "xxx-1234"
|
||||
# Cloud SQL instance ID.
|
||||
instance_id: "example"
|
||||
|
||||
# Settings specific to Active Directory authentication e.g. for SQL Server.
|
||||
ad:
|
||||
# Path to Kerberos keytab file.
|
||||
keytab_file: /path/to/keytab
|
||||
# Active Directory domain name.
|
||||
domain: EXAMPLE.COM
|
||||
# Service Principal Name to obtain Kerberos tickets for.
|
||||
spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
|
||||
# Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
|
||||
krb5_file: /etc/krb5.conf
|
||||
|
||||
# Static labels to assign to the database. Used in RBAC.
|
||||
static_labels:
|
||||
env: "prod"
|
||||
|
||||
# Dynamic labels ("commands"). Used in RBAC.
|
||||
dynamic_labels:
|
||||
- name: "hostname"
|
||||
command: ["hostname"]
|
||||
period: 1m0s
|
51
docs/pages/includes/database-access/guides.mdx
Normal file
51
docs/pages/includes/database-access/guides.mdx
Normal file
|
@ -0,0 +1,51 @@
|
|||
## Database guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="cloud" title="AWS RDS & Aurora" href="./guides/rds.mdx">
|
||||
Connect AWS RDS or Aurora PostgreSQL or MySQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="AWS Redshift" href="./guides/postgres-redshift.mdx">
|
||||
Connect AWS Redshift database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="GCP Cloud SQL PostgreSQL" href="./guides/postgres-cloudsql.mdx">
|
||||
Connect GCP Cloud SQL PostgreSQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="GCP Cloud SQL MySQL" href="./guides/mysql-cloudsql.mdx">
|
||||
Connect GCP Cloud SQL MySQL database.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="Azure PostgreSQL & MySQL" href="./guides/azure-postgres-mysql.mdx">
|
||||
Connect Azure PostgreSQL or MySQL.
|
||||
</Tile>
|
||||
<Tile icon="cloud" title="MongoDB Atlas" href="./guides/mongodb-atlas.mdx">
|
||||
Connect MongoDB Atlas cluster.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted PostgreSQL" href="./guides/postgres-self-hosted.mdx">
|
||||
Connect self-hosted PostgreSQL database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted MySQL & MariaDB" href="./guides/mysql-self-hosted.mdx">
|
||||
Connect self-hosted MySQL or MariaDB database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted MongoDB" href="./guides/mongodb-self-hosted.mdx">
|
||||
Connect self-hosted MongoDB database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Self-hosted CockroachDB" href="./guides/cockroachdb-self-hosted.mdx">
|
||||
Connect self-hosted CockroachDB database.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Active Directory SQL Server (Preview)" href="./guides/sql-server-ad.mdx">
|
||||
Connect Microsoft SQL Server with Active Directory authentication.
|
||||
</Tile>
|
||||
</TileSet>
|
||||
|
||||
## Other guides
|
||||
|
||||
<TileSet>
|
||||
<Tile icon="window" title="GUI clients" href="./guides/gui-clients.mdx">
|
||||
Configure database graphical clients.
|
||||
</Tile>
|
||||
<Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
|
||||
Register/unregister databases without restarting Teleport.
|
||||
</Tile>
|
||||
<Tile icon="integrations" title="High Availability" href="./guides/ha.mdx">
|
||||
Deploy database access in HA configuration.
|
||||
</Tile>
|
||||
</TileSet>
|
|
@ -0,0 +1,24 @@
|
|||
SQL Server clients connect to a Teleport cluster via the local proxy in
|
||||
[TLS Routing](../../architecture/tls-routing.mdx) mode.
|
||||
|
||||
Log into your SQL Server database with `tsh db login` and execute `tsh db config`
|
||||
to locate the paths to the client certificate and key pair:
|
||||
|
||||
```bash
|
||||
$ tsh db config sqlserver
|
||||
Name: sqlserver
|
||||
...
|
||||
Cert: /home/alice/.tsh/keys/teleport.example.com/alice-db/cluster/example-x509.pem
|
||||
Key: /home/alice/.tsh/keys/teleport.example.com/alice
|
||||
```
|
||||
|
||||
Start the local TLS proxy providing the cert/key paths and, optionally, the port
|
||||
number to listen on:
|
||||
|
||||
```bash
|
||||
$ tsh proxy db \
|
||||
--port 4242 \
|
||||
--cert-file /home/alice/.tsh/keys/teleport.example.com/alice-db/cluster/example-x509.pem \
|
||||
--key-file /home/alice/.tsh/keys/teleport.example.com/alice \
|
||||
sqlserver
|
||||
```
|
|
@ -25,7 +25,7 @@ Teleport is a Certificate Authority and an Access Plane for your infrastructure.
|
|||
Single Sign-On, audit and unified access for Kubernetes clusters.
|
||||
</Tile>
|
||||
<Tile icon="database" title="Database Access" href="./database-access/introduction.mdx">
|
||||
Secure access to PostgreSQL, MySQL, MariaDB and MongoDB databases.
|
||||
Secure access to SQL and NoSQL databases.
|
||||
</Tile>
|
||||
<Tile icon="desktop" title="Desktop Access" href="./desktop-access/introduction.mdx">
|
||||
Secure browser-based access to desktop environments.
|
||||
|
|
|
@ -696,70 +696,7 @@ kubernetes_service:
|
|||
period: 1m0s
|
||||
|
||||
# This section configures the 'database service'.
|
||||
db_service:
|
||||
# Enables the database service. Default is "no".
|
||||
enabled: "yes"
|
||||
|
||||
# Matchers for registering AWS-hosted databases.
|
||||
aws:
|
||||
# Database types. Valid options are:
|
||||
# 'rds' - discovers and registers AWS RDS and Aurora databases.
|
||||
# 'redshift' - discovers and registers AWS Redshift databases.
|
||||
- types: ["rds", "redshift"]
|
||||
# AWS regions to register databases from.
|
||||
regions: ["us-west-1", "us-east-2"]
|
||||
# AWS resource tags to match when registering databases.
|
||||
tags:
|
||||
"*": "*"
|
||||
|
||||
# This section contains definitions of all databases proxied by this
|
||||
# service, it can contain multiple database instances.
|
||||
databases:
|
||||
# Name of the database proxy instance used to reference in CLI.
|
||||
- name: "prod"
|
||||
# Free-form description of the database proxy instance.
|
||||
description: "Production database"
|
||||
# Database protocol. Can be "postgres", "mysql", or "mongodb".
|
||||
protocol: "postgres"
|
||||
# Database connection endpoint. Must be reachable from Database Service.
|
||||
uri: "postgres.example.com:5432"
|
||||
# Optional TLS configuration.
|
||||
tls:
|
||||
# TLS verification mode. Valid options are:
|
||||
# 'verify-full' - performs full certificate validation (default).
|
||||
# 'verify-ca' - the same as `verify-full`, but skips the server name
|
||||
# validation.
|
||||
# 'insecure' - accepts any certificate provided by database (not
|
||||
# recommended).
|
||||
mode: verify-full
|
||||
# Optional database DNS server name. It allows to override the DNS name
|
||||
# on a client certificate when connecting to a database.
|
||||
# Use only with 'verify-full' mode.
|
||||
server_name: db.example.com
|
||||
# Optional path to the CA used to validate the database certificate.
|
||||
ca_cert_file: /path/to/pem
|
||||
# AWS specific configuration, only required for RDS/Aurora/Redshift.
|
||||
aws:
|
||||
# Region the database is deployed in.
|
||||
region: "us-east-1"
|
||||
# Redshift specific configuration.
|
||||
redshift:
|
||||
# Redshift cluster identifier.
|
||||
cluster_id: "redshift-cluster-1"
|
||||
# GCP specific configuration for Cloud SQL databases.
|
||||
gcp:
|
||||
# GCP project ID.
|
||||
project_id: "xxx-1234"
|
||||
# Cloud SQL instance ID.
|
||||
instance_id: "example"
|
||||
# Static labels to assign to the database. Used in RBAC.
|
||||
static_labels:
|
||||
env: "prod"
|
||||
# Dynamic labels ("commands"). Used in RBAC.
|
||||
dynamic_labels:
|
||||
- name: "hostname"
|
||||
command: ["hostname"]
|
||||
period: 1m0s
|
||||
(!docs/pages/includes/database-access/database-config.yaml!)
|
||||
|
||||
# This section configures the windows desktop service
|
||||
(!docs/pages/includes/desktop-access/desktop-config.yaml!)
|
||||
|
|
Loading…
Reference in a new issue