mirror of
https://github.com/gravitational/teleport
synced 2024-10-20 01:03:40 +00:00
Elasticsearch: explicitly require --db-user
. (#20695)
* Elasticsearch: require `--db-user`. * Review: improve error message, cleanup.
parent
978fd03a22
commit
f00f35bfc8
|
@ -118,6 +118,10 @@ func (e *Engine) HandleConnection(ctx context.Context, sessionCtx *common.Sessio
|
|||
|
||||
clientConnReader := bufio.NewReader(e.clientConn)
|
||||
|
||||
if sessionCtx.Identity.RouteToDatabase.Username == "" {
|
||||
return trace.BadParameter("database username required for Elasticsearch")
|
||||
}
|
||||
|
||||
tlsConfig, err := e.Auth.GetTLSConfig(ctx, sessionCtx)
|
||||
if err != nil {
|
||||
return trace.Wrap(err)
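Review bot: The new empty-username guard in HandleConnection has no comment explaining why the engine re-checks a condition that certificate issuance also rejects. Certificates minted before this change, or by any path that does not go through checkAndSetDBRouteDefaults, could presumably still present an empty `RouteToDatabase.Username`, which makes this the check that actually enforces the rule. I would put `// Reject sessions whose certificate carries no database user; issuance-time validation does not cover certificates minted before it existed.` above the `if`. It is also worth confirming that this early return still produces an audit record and an error the Elasticsearch client can parse, since neither is visible here. HandleConnection starts and ends outside the hunk.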
|
||||
|
|
|
@ -265,9 +265,10 @@ func checkAndSetDBRouteDefaults(r *tlsca.RouteToDatabase) error {
|
|||
// When generating certificate for MongoDB access, database username must
|
||||
// be encoded into it. This is required to be able to tell which database
|
||||
// user to authenticate the connection as.
|
||||
// Elasticsearch needs database username too.
|
||||
if r.Username == "" {
|
||||
switch r.Protocol {
|
||||
case defaults.ProtocolMongoDB:
|
||||
case defaults.ProtocolMongoDB, defaults.ProtocolElasticsearch:
|
||||
return trace.BadParameter("please provide the database user name using the --db-user flag")
|
||||
case defaults.ProtocolRedis:
|
||||
// Default to "default" in the same way as Redis does. We need the username to check access on our side.
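Review bot: The appended line `// Elasticsearch needs database username too.` does not say why, and the paragraph above it still reads as MongoDB-only even though the `case` now covers both protocols. A single comment would be clearer, for example `// MongoDB and Elasticsearch certificates must carry the database username: it is the only way to tell which database user the connection authenticates as.` Separately, the error text names the `--db-user` flag, which is a CLI detail. If checkAndSetDBRouteDefaults is also reached from non-CLI callers (not visible in this hunk), that message will point users at a flag they do not have. The function body continues outside the hunk.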
|
||||
|
|