Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

grant db admin the auto user role with admin option #48949

Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 33 additions & 5 deletions lib/srv/db/postgres/users.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ func (e *Engine) ActivateUser(ctx context.Context, sessionCtx *common.Session) e
// bookkeeping group or stored procedures get deleted or changed offband.
logger := e.Log.With("user", sessionCtx.DatabaseUser)
err = withRetry(ctx, logger, func() error {
return trace.Wrap(e.updateAutoUsersRole(ctx, conn))
return trace.Wrap(e.updateAutoUsersRole(ctx, conn, sessionCtx.Database.GetAdminUser().Name))
})
if err != nil {
return trace.Wrap(err)
Expand Down Expand Up @@ -401,17 +401,45 @@ func (e *Engine) deleteUserRedshift(ctx context.Context, sessionCtx *common.Sess

// updateAutoUsersRole ensures the bookkeeping role for auto-provisioned users
// is present.
func (e *Engine) updateAutoUsersRole(ctx context.Context, conn *pgx.Conn) error {
func (e *Engine) updateAutoUsersRole(ctx context.Context, conn *pgx.Conn, adminUser string) error {
_, err := conn.Exec(ctx, fmt.Sprintf("create role %q", teleportAutoUserRole))
GavinFrazar marked this conversation as resolved.
Show resolved Hide resolved
if err != nil {
if !strings.Contains(err.Error(), "already exists") {
return trace.Wrap(err)
}
e.Log.DebugContext(ctx, "PostgreSQL role already exists.", "role", teleportAutoUserRole)
e.Log.DebugContext(ctx, "PostgreSQL role already exists", "role", teleportAutoUserRole)
} else {
e.Log.DebugContext(ctx, "Created PostgreSQL role.", "role", teleportAutoUserRole)
e.Log.DebugContext(ctx, "Created PostgreSQL role", "role", teleportAutoUserRole)
}

// v16 Postgres changed the role grant permissions model such that you can
// no longer grant non-superuser role membership just by having the
// CREATEROLE attribute.
// On v16 Postgres, when a role is created the creator is automatically
// granted that role with "INHERIT FALSE, SET FALSE, ADMIN OPTION" options.
// Prior to v16 Postgres that grant is not automatically made, because
// the CREATEROLE attribute alone was sufficient to grant the role to
// others.
// This is the only role that is created and granted to others by the
// Teleport database admin.
// It grants the auto user role to every role it provisions.
// To avoid breaking user auto-provisioning for customers who upgrade from
// v15 postgres to v16, we should grant this role with the admin option to
// ourselves after creating it.
// Also note that the grant syntax in v15 postgres and below does not
// support WITH INHERIT FALSE or WITH SET FALSE syntax, so we only specify
// WITH ADMIN OPTION.
// See: https://www.postgresql.org/docs/16/release-16.html
stmt := fmt.Sprintf("grant role %q to %q WITH ADMIN OPTION", teleportAutoUserRole, adminUser)
_, err = conn.Exec(ctx, stmt)
if err != nil {
if !strings.Contains(err.Error(), "cannot be granted back") && !strings.Contains(err.Error(), "already") {
e.Log.DebugContext(ctx, "Failed to grant required role to the Teleport database admin, user auto-provisioning may not work until the database admin is granted the role by a superuser",
"role", teleportAutoUserRole,
"database_admin", adminUser,
)
}
}

return nil
}

Expand Down
Loading