self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-20 01:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add SQL Server guide (#10293)

Browse source
This commit is contained in:
Roman Tkachenko 2022-02-18 14:37:29 -08:00 committed by GitHub
parent 172d7ed4c0
commit 8ea2c70996
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 569 additions and 265 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
docs/config.json
View file

@ -195,6 +195,7 @@
{ "title": "Self-Hosted MySQL/MariaDB", "slug": "/database-access/guides/mysql-self-hosted/" },
{ "title": "Self-Hosted MongoDB", "slug": "/database-access/guides/mongodb-self-hosted/" },
{ "title": "Self-Hosted CockroachDB", "slug": "/database-access/guides/cockroachdb-self-hosted/" },
{ "title": "SQL Server (Preview)", "slug": "/database-access/guides/sql-server-ad/" },
{ "title": "Database GUI Clients", "slug": "/database-access/guides/gui-clients/" },
{ "title": "Dynamic Registration", "slug": "/database-access/guides/dynamic-registration/" },
{ "title": "High Availability", "slug": "/database-access/guides/ha/" }

BIN
docs/img/database-access/guides/sqlserver/datagrip-connection@2x.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 216 KiB

BIN
docs/img/database-access/guides/sqlserver/dbeaver-connection@2x.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 234 KiB

BIN
docs/img/database-access/guides/sqlserver/spn@2x.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 597 KiB

54
docs/pages/database-access/guides.mdx
View file

@ -6,56 +6,4 @@ layout: tocless-doc
# Database Access Guides
## Cloud-hosted guides
<TileSet>
<Tile icon="cloud" title="AWS RDS & Aurora" href="./guides/rds.mdx">
Connect AWS RDS or Aurora PostgreSQL or MySQL database.
</Tile>
<Tile icon="cloud" title="AWS Redshift" href="./guides/postgres-redshift.mdx">
Connect AWS Redshift database.
</Tile>
<Tile icon="cloud" title="GCP Cloud SQL PostgreSQL" href="./guides/postgres-cloudsql.mdx">
Connect GCP Cloud SQL PostgreSQL database.
</Tile>
<Tile icon="cloud" title="GCP Cloud SQL MySQL" href="./guides/mysql-cloudsql.mdx">
Connect GCP Cloud SQL MySQL database.
</Tile>
<Tile icon="cloud" title="Azure PostgreSQL & MySQL" href="./guides/azure-postgres-mysql.mdx">
Connect Azure PostgreSQL or MySQL.
</Tile>
<Tile icon="cloud" title="MongoDB Atlas" href="./guides/mongodb-atlas.mdx">
Connect MongoDB Atlas cluster.
</Tile>
</TileSet>
## Self-hosted guides
<TileSet>
<Tile icon="database" title="Self-hosted PostgreSQL" href="./guides/postgres-self-hosted.mdx">
Connect self-hosted PostgreSQL database.
</Tile>
<Tile icon="database" title="Self-hosted MySQL/MariaDB" href="./guides/mysql-self-hosted.mdx">
Connect self-hosted MySQL/MariaDB database.
</Tile>
<Tile icon="database" title="Self-hosted MongoDB" href="./guides/mongodb-self-hosted.mdx">
Connect self-hosted MongoDB database.
</Tile>
<Tile icon="database" title="Self-hosted CockroachDB" href="./guides/cockroachdb-self-hosted.mdx">
Connect self-hosted CockroachDB database.
</Tile>
</TileSet>
## General guides
<TileSet>
<Tile icon="window" title="GUI clients" href="./guides/gui-clients.mdx">
Configure database graphical clients.
</Tile>
<Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
Register/unregister databases without restarting Teleport.
</Tile>
<Tile icon="integrations" title="High Availability" href="./guides/ha.mdx">
Deploy database access in HA configuration.
</Tile>
</TileSet>
(!docs/pages/includes/database-access/guides.mdx!)

75
docs/pages/database-access/guides/gui-clients.mdx
View file

@ -110,34 +110,7 @@ Optionally, click "Test Connection" to verify connectivity:
Save the connection, and connect to the database.
## MongoDB Compass
[Compass](https://www.mongodb.com/products/compass) is the official MongoDB
graphical client.
On the "New Connection" panel, click on "Fill in connection fields individually".
![MongoDB Compass new connection](../../../img/database-access/compass-new-connection@2x.png)
On the "Hostname" tab, enter your Teleport proxy's hostname and port shown
by `tsh db config`. Leave "Authentication" as None.
![MongoDB Compass hostname](../../../img/database-access/compass-hostname@2x.png)
On the "More Options" tab set SSL to "Client and Server Validation" and set
CA as well as client key and certificate. Note the CA path must be provided
and be able to validate certificate presented by your Teleport proxy's web
endpoint. Client key and certificate locations are shown by `tsh db config`.
![MongoDB Compass more options](../../../img/database-access/compass-more-options@2x.png)
Click on the "Connect" button.
## DBeaver
DBeaver is a SQL client software application and database administration tool.
### MySQL
## MySQL DBeaver
<Admonition type="note">
Teleport's DBeaver MySQL integration only supports MySQL server (=mysql.dbeaver_min_ver=) or older.
@ -173,3 +146,49 @@ Navigate to the "SSL" tab, check the "Use SSL" box, uncheck the "Verify Server C
Click "Ok" to finish and DBeaver should connect to the remote MySQL server automatically.
## MongoDB Compass
[Compass](https://www.mongodb.com/products/compass) is the official MongoDB
graphical client.
On the "New Connection" panel, click on "Fill in connection fields individually".
![MongoDB Compass new connection](../../../img/database-access/compass-new-connection@2x.png)
On the "Hostname" tab, enter your Teleport proxy's hostname and port shown
by `tsh db config`. Leave "Authentication" as None.
![MongoDB Compass hostname](../../../img/database-access/compass-hostname@2x.png)
On the "More Options" tab set SSL to "Client and Server Validation" and set
CA as well as client key and certificate. Note the CA path must be provided
and be able to validate certificate presented by your Teleport proxy's web
endpoint. Client key and certificate locations are shown by `tsh db config`.
![MongoDB Compass more options](../../../img/database-access/compass-more-options@2x.png)
Click on the "Connect" button.
## SQL Server DBeaver
(!docs/pages/includes/database-access/sql-server-local-proxy.mdx!)
In DBeaver connection configuration use the local proxy's endpoint (`localhost:4242`
in the example above) as host/port. Use SQL Server Authentication option and keep
the Password field empty:
![DBeaver connection options](../../../img/database-access/guides/sqlserver/dbeaver-connection@2x.png)
Click OK to connect.
## SQL Server DataGrip
(!docs/pages/includes/database-access/sql-server-local-proxy.mdx!)
In DataGrip connection configuration use the local proxy's endpoint (`localhost:4242`
in the example above) as host/port. Use Use & Password authentication option and
keep the Password field empty:
![DataGrip connection options](../../../img/database-access/guides/sqlserver/datagrip-connection@2x.png)
Click OK to connect.

337
docs/pages/database-access/guides/sql-server-ad.mdx Normal file
View file

@ -0,0 +1,337 @@
---
title: Database Access with Microsoft SQL Server with Active Directory authentication (Preview)
description: How to configure Teleport Database Access with Microsoft SQL Server with Active Directory authentication.
---
<Details
title="Version warning"
opened={true}
scope={["oss", "enterprise"]}
scopeOnly={true}
min="9.0"
>
Database access for Microsoft SQL Server with Active Directory authentication
is available starting from Teleport `9.0`.
</Details>
<Admonition type="warning" title="Preview">
Database access for Microsoft SQL Server is currently in a Preview mode and
does not include audit logging of database query activity.
</Admonition>
This guide will help you to:
- Install and configure Teleport.
- Set up access to SQL Server using Active Directory authentication.
- Connect to SQL Server through Teleport.
This guide will focus on Amazon RDS for SQL Server using AWS-managed Active
Directory authentication.
## Prerequisites
- Teleport version >= `9.0`.
- A SQL Server database with Active Directory authentication enabled.
- A Windows machine joined to the same Active Directory domain as the database.
- A Linux node joined to the same Active Directory domain as the database. This
guide will walk you through the joining steps if you don't have one.
## Step 1/7. Set up Teleport Auth and Proxy
(!docs/pages/includes/database-access/start-auth-proxy.mdx!)
## Step 2/7. Create a Teleport user
(!docs/pages/includes/database-access/create-user.mdx!)
## Step 3/7. Join the Linux node to Active Directory
<Admonition type="note">
You can skip this step if you already have a Linux node joined to the same
Active Directory domain as your SQL Server.
</Admonition>
The Linux node where the Database Service will run must be joined to the same
Active Directory domain as the SQL Server database.
Note that in order to be able to join, the Linux node must be able to resolve
your Active Directory fully-qualified domain name. For example, for AWS-managed
AD, use nameservers provided under "Networking details" on the directory's
overview page.
Install necessary packages:
<Tabs>
<TabItem label="Ubuntu">
```bash
$ sudo apt-get update
$ sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli
```
</TabItem>
<TabItem label="RHEL / CentOS 7">
```bash
$ sudo yum -y update
$ sudo yum -y install sssd realmd krb5-workstation samba-common-tools
```
</TabItem>
</Tabs>
Edit `/etc/krb5.conf` to disable reverse DNS resolution and set the default
realm. Make sure that the `[realms]` section contains your domain definition
and has `admin_server` and `kdc` fields set pointing to the domain controllers:
```ini
[libdefaults]
default_realm = EXAMPLE.COM
rdns = false
[realms]
EXAMPLE.COM = {
kdc = example.com
admin_server = example.com
}
```
Join the realm:
```bash
$ sudo realm join -v -U admin@EXAMPLE.COM example.com
...
* Successfully enrolled machine in realm
```
<Admonition type="warning">
Note that the realm name in `admin@EXAMPLE.COM` **must** be capital case,
otherwise the node might not be able to join.
</Admonition>
To confirm the node has joined the realm, use the `realm list` command:
```bash
$ sudo realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
...
```
## Step 4/7. Create keytab file
Teleport requires a keytab file to obtain Kerberos service tickets from your
Active Directory for authentication with SQL Server. The easiest way to generate
it is to use the `adutil` Linux CLI utility.
Install `adutil` on the Linux node you have joined to your Active Directory
domain:
<Tabs>
<TabItem label="Ubuntu 18.04">
```bash
$ curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
$ sudo curl https://packages.microsoft.com/config/ubuntu/18.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list
$ sudo apt-get update
$ sudo ACCEPT_EULA=Y apt-get install -y adutil
```
</TabItem>
<TabItem label="Ubuntu 20.04">
```bash
$ sudo wget -qO /etc/apt/trusted.gpg.d/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc
$ sudo curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list
$ sudo apt-get update
$ sudo ACCEPT_EULA=Y apt-get install -y adutil
```
</TabItem>
<TabItem label="RHEL / CentOS 7">
```bash
$ sudo curl -o /etc/yum.repos.d/msprod.repo https://packages.microsoft.com/config/rhel/8/prod.repo
$ sudo ACCEPT_EULA=Y yum install -y adutil
```
</TabItem>
</Tabs>
Log into your Active Directory using the `kinit` command:
```bash
$ kinit admin@EXAMPLE.COM
```
Use the `adutil keytab create` command to generate keytab entries for each
Active Directory user that will be connecting to the SQL Server database:
```bash
$ adutil keytab create teleport.keytab alice
$ adutil keytab create teleport.keytab bob
```
You will be prompted to enter each user's password. All keytab entries will
be merged into the same `teleport.keytab` file.
<Admonition type="note" title="Assign Service Principal Names">
For the `adutil keytab create` command to work, each user account must be
assigned a Service Principal Name, otherwise the command will not be able
to determine its `kvno` (key version number).
To check if the user has any SPNs assigned, run the following command on the
Windows machine joined to your Active Directory domain:
```code
$ setspn -L alice
```
To assign an SPN to a user account, use the following command:
```code
$ setspn -s user/alice alice
```
</Admonition>
You can verify entries in the keytab file using `klist` command:
```bash
$ klist -ke teleport.keytab
Keytab name: FILE:teleport.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 alice@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 bob@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
```
<Admonition type="warning">
You must update the keytab file after updating a user's password to avoid
authentication failures.
</Admonition>
## Step 5/7. Set up Teleport Database Service
(!docs/pages/includes/database-access/token.mdx!)
<Admonition type="note">
Teleport Database Service must run on a Linux server joined to the same
Active Directory domain as the SQL Server.
</Admonition>
Start Teleport Database Service. Make sure to update `--auth-server` to point to
your Teleport Proxy Service address and `--uri` to the SQL Server endpoint.
```bash
$ teleport db start \
--token=/tmp/token \
--auth-server=teleport.example.com:3080 \
--name=sqlserver \
--protocol=sqlserver \
--uri=sqlserver.example.com:1433 \
--ad-keytab=/path/to/teleport.keytab \
--ad-domain=EXAMPLE.COM \
--ad-spn=MSSQLSvc/sqlserver.example.com:1433 \
--labels=env=dev
```
Provide Active Directory parameters:
| Flag | Description |
| ---- | ----------- |
| `--ad-keytab` | Path to Kerberos keytab file generated above. |
| `--ad-domain` | Active Directory domain (Kerberos realm) that SQL Server is joined. |
| `--ad-spn` | Service Principal Name for SQL Server to fetch Kerberos tickets for. |
<Admonition type="tip">
You can start Teleport Database Service using a configuration file instead of
CLI flags. See [YAML reference](../reference/configuration.mdx).
</Admonition>
### Service Principal Name
You can use `ldapsearch` command to see the SPNs registered for your SQL
Server. Typically, they take a form of `MSSQLSvc/<name>.<ad-domain>:<port>`.
For example, an AWS RDS SQL Server named `sqlserver` and joined to an AWS managed
Active Directory domain `EXAMPLE.COM` will have the following SPNs registered:
```bash
$ ldapsearch -x -h example.com -D admin -W -b DC=example,DC=com servicePrincipalName
...
# EC2AMAZ-4KN05DU, RDS, AWS Reserved, example.com
dn: CN=EC2AMAZ-4KN05DU,OU=RDS,OU=AWS Reserved,DC=example,DC=com
servicePrincipalName: MSSQLSvc/sqlserver-rds.example.com:1433
servicePrincipalName: MSSQLSvc/EC2AMAZ-4KN05DU.example.com:1433
servicePrincipalName: MSSQLSvc/EC2AMAZ-4KN05DU.example.com
...
```
Alternatively, you can look SPNs up in the Attribute Editor of the Active Directory
Users and Computers dialog on your AD-joined Windows machine. The RDS SQL Server
object typically resides under the AWS Reserved / RDS path:
![SPN](../../../img/database-access/guides/sqlserver/spn@2x.png)
<Admonition type="tip">
If you don't see Attribute Editor tab, make sure that "View > Advanced Features"
toggle is enabled.
</Admonition>
## Step 6/7. Create SQL Server AD users
<Admonition type="note">
You can skip this step if you already have Active Directory logins in your
SQL Server.
</Admonition>
Connect to your SQL Server as an administrative account (e.g. `sa`) and create
logins that will use Active Directory authentication:
```sql
master> CREATE LOGIN [EXAMPLE\alice] FROM WINDOWS WITH DEFAULT_DATABASE = [master], DEFAULT_LANGUAGE = [us_english];
```
## Step 7/7. Connect
Log into your Teleport cluster. Your SQL Server database should appear in the
list of available databases:
```code
$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name Description Labels
# --------- ------------------- -------
# sqlserver env=dev
```
Fetch the short-lived client certificate for it using the `tsh db login` command:
```code
$ tsh db login --db-user=teleport sqlserver
```
<Admonition type="tip">
You can be logged into multiple databases simultaneously.
</Admonition>
Now connect to the database:
```code
$ tsh db connect sqlserver
```
<Admonition type="note">
The `mssql-cli` command-line client should be available in PATH of the machine
you're running `tsh db connect` from.
</Admonition>
To log out of the database and remove credentials:
```code
$ tsh db logout sqlserver
```
## Next steps
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
## Further reading
- [Manually join a Linux instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html) in the AWS documentation.
- [Introduction to `adutil`](https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-ad-auth-adutil-introduction) in the Microsoft documentation.

54
docs/pages/database-access/introduction.mdx
View file

@ -49,59 +49,7 @@ with Github, execute a few SQL queries and observe them in the audit log:
</Tile>
</TileSet>
## Cloud-hosted guides
<TileSet>
<Tile icon="cloud" title="AWS RDS & Aurora" href="./guides/rds.mdx">
Connect AWS RDS or Aurora PostgreSQL or MySQL database.
</Tile>
<Tile icon="cloud" title="AWS Redshift" href="./guides/postgres-redshift.mdx">
Connect AWS Redshift database.
</Tile>
<Tile icon="cloud" title="GCP Cloud SQL PostgreSQL" href="./guides/postgres-cloudsql.mdx">
Connect GCP Cloud SQL PostgreSQL database.
</Tile>
<Tile icon="cloud" title="GCP Cloud SQL MySQL" href="./guides/mysql-cloudsql.mdx">
Connect GCP Cloud SQL MySQL database.
</Tile>
<Tile icon="cloud" title="Azure PostgreSQL & MySQL" href="./guides/azure-postgres-mysql.mdx">
Connect Azure PostgreSQL or MySQL.
</Tile>
<Tile icon="cloud" title="MongoDB Atlas" href="./guides/mongodb-atlas.mdx">
Connect MongoDB Atlas cluster.
</Tile>
</TileSet>
## Self-hosted guides
<TileSet>
<Tile icon="database" title="Self-hosted PostgreSQL" href="./guides/postgres-self-hosted.mdx">
Connect self-hosted PostgreSQL database.
</Tile>
<Tile icon="database" title="Self-hosted MySQL/MariaDB" href="./guides/mysql-self-hosted.mdx">
Connect self-hosted MySQL/MariaDB database.
</Tile>
<Tile icon="database" title="Self-hosted MongoDB" href="./guides/mongodb-self-hosted.mdx">
Connect self-hosted MongoDB database.
</Tile>
<Tile icon="database" title="Self-hosted CockroachDB" href="./guides/cockroachdb-self-hosted.mdx">
Connect self-hosted CockroachDB database.
</Tile>
</TileSet>
## General guides
<TileSet>
<Tile icon="window" title="GUI clients" href="./guides/gui-clients.mdx">
Configure database graphical clients.
</Tile>
<Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
Register/unregister databases without restarting Teleport.
</Tile>
<Tile icon="integrations" title="High Availability" href="./guides/ha.mdx">
Deploy database access in HA configuration.
</Tile>
</TileSet>
(!docs/pages/includes/database-access/guides.mdx!)
## Resources

86
docs/pages/database-access/reference/configuration.mdx
View file

@ -9,72 +9,7 @@ The following snippet shows full YAML configuration of a Database Service
appearing in `teleport.yaml` configuration file:
```yaml
db_service:
# Enables the Database Service.
enabled: "yes"
# Matchers for database resources created with "tctl create" command.
resources:
- labels:
"*": "*"
# Matchers for registering AWS-hosted databases.
aws:
# Database types. Valid options are:
# 'rds' - discovers and registers AWS RDS and Aurora databases.
# 'redshift' - discovers and registers AWS Redshift databases.
- types: ["rds", "redshift"]
# AWS regions to register databases from.
regions: ["us-west-1", "us-east-2"]
# AWS resource tags to match when registering databases.
tags:
"*": "*"
# Lists statically registered databases proxied by this agent.
databases:
# Name of the database proxy instance, used to reference in CLI.
- name: "prod"
# Free-form description of the database proxy instance.
description: "Production database"
# Database protocol. Can be "postgres", "mysql" or "mongodb".
protocol: "postgres"
# Database connection endpoint. Must be reachable from Database Service.
uri: "postgres.example.com:5432"
# Optional TLS configuration.
tls:
# TLS verification mode. Valid options are:
# 'verify-full' - performs full certificate validation (default).
# 'verify-ca' - the same as `verify-full`, but skips the server name validation.
# 'insecure' - accepts any certificate provided by database (not recommended).
mode: verify-full
# Optional database DNS server name. It allows to override the DNS name on
# a client certificate when connecting to a database.
# Use only with 'verify-full' mode.
server_name: db.example.com
# Optional path to the CA used to validate the database certificate.
ca_cert_file: /path/to/pem
# AWS specific configuration, only required for RDS/Aurora/Redshift.
aws:
# Region the database is deployed in.
region: "us-east-1"
# Redshift specific configuration.
redshift:
# Redshift cluster identifier.
cluster_id: "redshift-cluster-1"
# GCP specific configuration for Cloud SQL databases.
gcp:
# GCP project ID.
project_id: "xxx-1234"
# Cloud SQL instance ID.
instance_id: "example"
# Static labels to assign to the database. Used in RBAC.
static_labels:
env: "prod"
# Dynamic labels ("commands"). Used in RBAC.
dynamic_labels:
- name: "hostname"
command: ["hostname"]
period: 1m0s
(!docs/pages/includes/database-access/database-config.yaml!)
```
## Proxy configuration
@ -126,21 +61,27 @@ version: v3
metadata:
# Database resource name.
name: example
# Database resource description.
description: "Example database"
# Database resource static labels.
labels:
env: example
spec:
# Database protocol.
protocol: "postgres"
# Database connection endpoint.
uri: "localhost:5432"
# Optional CA for validating the database certificate.
ca_cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# Optional AWS configuration for RDS/Aurora/Redshift. Can be auto-detected from the endpoint.
aws:
# Region the database is deployed in.
@ -149,12 +90,25 @@ spec:
redshift:
# Redshift cluster identifier.
cluster_id: "redshift-cluster-1"
# Optional GCP configuration for Cloud SQL.
gcp:
# GCP project ID.
project_id: "xxx-1234"
# Cloud SQL instance ID.
instance_id: "example"
# Settings specific to Active Directory authentication e.g. for SQL Server.
ad:
# Path to Kerberos keytab file.
keytab_file: /path/to/keytab
# Active Directory domain name.
domain: EXAMPLE.COM
# Service Principal Name to obtain Kerberos tickets for.
spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
# Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
krb5_file: /etc/krb5.conf
# Optional dynamic labels.
dynamic_labels:
- name: "hostname"

85
docs/pages/includes/database-access/database-config.yaml Normal file
View file

@ -0,0 +1,85 @@
db_service:
# Enables the Database Service.
enabled: "yes"
# Matchers for database resources created with "tctl create" command.
resources:
- labels:
"*": "*"
# Matchers for registering AWS-hosted databases.
aws:
# Database types. Valid options are:
# 'rds' - discovers and registers AWS RDS and Aurora databases.
# 'redshift' - discovers and registers AWS Redshift databases.
- types: ["rds", "redshift"]
# AWS regions to register databases from.
regions: ["us-west-1", "us-east-2"]
# AWS resource tags to match when registering databases.
tags:
"*": "*"
# Lists statically registered databases proxied by this agent.
databases:
# Name of the database proxy instance, used to reference in CLI.
- name: "prod"
# Free-form description of the database proxy instance.
description: "Production database"
# Database protocol. Can be: "postgres", "mysql", "mongodb", "cockroachdb", "sqlserver".
protocol: "postgres"
# Database connection endpoint. Must be reachable from Database Service.
uri: "postgres.example.com:5432"
# Optional TLS configuration.
tls:
# TLS verification mode. Valid options are:
# 'verify-full' - performs full certificate validation (default).
# 'verify-ca' - the same as `verify-full`, but skips the server name validation.
# 'insecure' - accepts any certificate provided by database (not recommended).
mode: verify-full
# Optional database DNS server name. It allows to override the DNS name on
# a client certificate when connecting to a database.
# Use only with 'verify-full' mode.
server_name: db.example.com
# Optional path to the CA used to validate the database certificate.
ca_cert_file: /path/to/pem
# AWS specific configuration, only required for RDS/Aurora/Redshift.
aws:
# Region the database is deployed in.
region: "us-east-1"
# Redshift specific configuration.
redshift:
# Redshift cluster identifier.
cluster_id: "redshift-cluster-1"
# GCP specific configuration for Cloud SQL databases.
gcp:
# GCP project ID.
project_id: "xxx-1234"
# Cloud SQL instance ID.
instance_id: "example"
# Settings specific to Active Directory authentication e.g. for SQL Server.
ad:
# Path to Kerberos keytab file.
keytab_file: /path/to/keytab
# Active Directory domain name.
domain: EXAMPLE.COM
# Service Principal Name to obtain Kerberos tickets for.
spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
# Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
krb5_file: /etc/krb5.conf
# Static labels to assign to the database. Used in RBAC.
static_labels:
env: "prod"
# Dynamic labels ("commands"). Used in RBAC.
dynamic_labels:
- name: "hostname"
command: ["hostname"]
period: 1m0s

51
docs/pages/includes/database-access/guides.mdx Normal file
View file

@ -0,0 +1,51 @@
## Database guides
<TileSet>
<Tile icon="cloud" title="AWS RDS & Aurora" href="./guides/rds.mdx">
Connect AWS RDS or Aurora PostgreSQL or MySQL database.
</Tile>
<Tile icon="cloud" title="AWS Redshift" href="./guides/postgres-redshift.mdx">
Connect AWS Redshift database.
</Tile>
<Tile icon="cloud" title="GCP Cloud SQL PostgreSQL" href="./guides/postgres-cloudsql.mdx">
Connect GCP Cloud SQL PostgreSQL database.
</Tile>
<Tile icon="cloud" title="GCP Cloud SQL MySQL" href="./guides/mysql-cloudsql.mdx">
Connect GCP Cloud SQL MySQL database.
</Tile>
<Tile icon="cloud" title="Azure PostgreSQL & MySQL" href="./guides/azure-postgres-mysql.mdx">
Connect Azure PostgreSQL or MySQL.
</Tile>
<Tile icon="cloud" title="MongoDB Atlas" href="./guides/mongodb-atlas.mdx">
Connect MongoDB Atlas cluster.
</Tile>
<Tile icon="database" title="Self-hosted PostgreSQL" href="./guides/postgres-self-hosted.mdx">
Connect self-hosted PostgreSQL database.
</Tile>
<Tile icon="database" title="Self-hosted MySQL & MariaDB" href="./guides/mysql-self-hosted.mdx">
Connect self-hosted MySQL or MariaDB database.
</Tile>
<Tile icon="database" title="Self-hosted MongoDB" href="./guides/mongodb-self-hosted.mdx">
Connect self-hosted MongoDB database.
</Tile>
<Tile icon="database" title="Self-hosted CockroachDB" href="./guides/cockroachdb-self-hosted.mdx">
Connect self-hosted CockroachDB database.
</Tile>
<Tile icon="database" title="Active Directory SQL Server (Preview)" href="./guides/sql-server-ad.mdx">
Connect Microsoft SQL Server with Active Directory authentication.
</Tile>
</TileSet>
## Other guides
<TileSet>
<Tile icon="window" title="GUI clients" href="./guides/gui-clients.mdx">
Configure database graphical clients.
</Tile>
<Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
Register/unregister databases without restarting Teleport.
</Tile>
<Tile icon="integrations" title="High Availability" href="./guides/ha.mdx">
Deploy database access in HA configuration.
</Tile>
</TileSet>

24
docs/pages/includes/database-access/sql-server-local-proxy.mdx Normal file
View file

@ -0,0 +1,24 @@
SQL Server clients connect to a Teleport cluster via the local proxy in
[TLS Routing](../../architecture/tls-routing.mdx) mode.
Log into your SQL Server database with `tsh db login` and execute `tsh db config`
to locate the paths to the client certificate and key pair:
```bash
$ tsh db config sqlserver
Name: sqlserver
...
Cert: /home/alice/.tsh/keys/teleport.example.com/alice-db/cluster/example-x509.pem
Key: /home/alice/.tsh/keys/teleport.example.com/alice
```
Start the local TLS proxy providing the cert/key paths and, optionally, the port
number to listen on:
```bash
$ tsh proxy db \
--port 4242 \
--cert-file /home/alice/.tsh/keys/teleport.example.com/alice-db/cluster/example-x509.pem \
--key-file /home/alice/.tsh/keys/teleport.example.com/alice \
sqlserver
```

2
docs/pages/index.mdx
View file

@ -25,7 +25,7 @@ Teleport is a Certificate Authority and an Access Plane for your infrastructure.
Single Sign-On, audit and unified access for Kubernetes clusters.
</Tile>
<Tile icon="database" title="Database Access" href="./database-access/introduction.mdx">
Secure access to PostgreSQL, MySQL, MariaDB and MongoDB databases.
Secure access to SQL and NoSQL databases.
</Tile>
<Tile icon="desktop" title="Desktop Access" href="./desktop-access/introduction.mdx">
Secure browser-based access to desktop environments.

65
docs/pages/setup/reference/config.mdx
View file

@ -696,70 +696,7 @@ kubernetes_service:
period: 1m0s
# This section configures the 'database service'.
db_service:
# Enables the database service. Default is "no".
enabled: "yes"
# Matchers for registering AWS-hosted databases.
aws:
# Database types. Valid options are:
# 'rds' - discovers and registers AWS RDS and Aurora databases.
# 'redshift' - discovers and registers AWS Redshift databases.
- types: ["rds", "redshift"]
# AWS regions to register databases from.
regions: ["us-west-1", "us-east-2"]
# AWS resource tags to match when registering databases.
tags:
"*": "*"
# This section contains definitions of all databases proxied by this
# service, it can contain multiple database instances.
databases:
# Name of the database proxy instance used to reference in CLI.
- name: "prod"
# Free-form description of the database proxy instance.
description: "Production database"
# Database protocol. Can be "postgres", "mysql", or "mongodb".
protocol: "postgres"
# Database connection endpoint. Must be reachable from Database Service.
uri: "postgres.example.com:5432"
# Optional TLS configuration.
tls:
# TLS verification mode. Valid options are:
# 'verify-full' - performs full certificate validation (default).
# 'verify-ca' - the same as `verify-full`, but skips the server name
# validation.
# 'insecure' - accepts any certificate provided by database (not
# recommended).
mode: verify-full
# Optional database DNS server name. It allows to override the DNS name
# on a client certificate when connecting to a database.
# Use only with 'verify-full' mode.
server_name: db.example.com
# Optional path to the CA used to validate the database certificate.
ca_cert_file: /path/to/pem
# AWS specific configuration, only required for RDS/Aurora/Redshift.
aws:
# Region the database is deployed in.
region: "us-east-1"
# Redshift specific configuration.
redshift:
# Redshift cluster identifier.
cluster_id: "redshift-cluster-1"
# GCP specific configuration for Cloud SQL databases.
gcp:
# GCP project ID.
project_id: "xxx-1234"
# Cloud SQL instance ID.
instance_id: "example"
# Static labels to assign to the database. Used in RBAC.
static_labels:
env: "prod"
# Dynamic labels ("commands"). Used in RBAC.
dynamic_labels:
- name: "hostname"
command: ["hostname"]
period: 1m0s
(!docs/pages/includes/database-access/database-config.yaml!)
# This section configures the windows desktop service
(!docs/pages/includes/desktop-access/desktop-config.yaml!)