db package
v0.0.0-...-5c79d48
Warning: This package is not in the latest version of its module.
Published: Feb 15, 2024 License: AGPL-3.0 Imports: 69 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func SetShuffleFunc

func SetShuffleFunc(fn ShuffleFunc)

SetShuffleFunc sets the shuffle behavior when proxying to multiple agents.

func ShuffleRandom

func ShuffleRandom(servers []types.DatabaseServer) []types.DatabaseServer

ShuffleRandom is a ShuffleFunc that randomizes the order of database servers. Used to provide load balancing behavior when proxying to multiple agents.

func ShuffleSort

func ShuffleSort(servers []types.DatabaseServer) []types.DatabaseServer

ShuffleSort is a ShuffleFunc that sorts database servers by name and host ID. Used to provide predictable behavior in tests.
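As an added example (not Teleport's own code), the following shows the ShuffleFunc contract described above: a deterministic sort by name and then host ID beside a random permutation, with SetShuffleFunc swapping between them. DatabaseServer is a hypothetical stand-in for types.DatabaseServer that models only the two accessors the sort needs, and DispatchOrder is an assumed caller standing in for the proxy's dispatch loop.

```go
package main

import (
	"fmt"
	"math/rand"
	"sort"
)

// DatabaseServer is a hypothetical stand-in for types.DatabaseServer (assumption); only name and host ID are modelled.
type DatabaseServer struct {
	Name   string
	HostID string
}

func (s DatabaseServer) GetName() string   { return s.Name }
func (s DatabaseServer) GetHostID() string { return s.HostID }

// ShuffleFunc reorders the candidate database servers before dispatch.
type ShuffleFunc func([]DatabaseServer) []DatabaseServer

// shuffleFunc is the hook SetShuffleFunc overrides; random order is the default so load spreads across agents.
var shuffleFunc ShuffleFunc = ShuffleRandom
func SetShuffleFunc(fn ShuffleFunc) { shuffleFunc = fn }

// ShuffleRandom returns a randomly ordered copy; the caller's slice is not mutated.
func ShuffleRandom(servers []DatabaseServer) []DatabaseServer {
	out := append([]DatabaseServer(nil), servers...)
	rand.Shuffle(len(out), func(i, j int) { out[i], out[j] = out[j], out[i] })
	return out
}

// ShuffleSort returns a copy ordered by name, then host ID, so equal inputs always give the same dispatch order.
func ShuffleSort(servers []DatabaseServer) []DatabaseServer {
	out := append([]DatabaseServer(nil), servers...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].GetName() != out[j].GetName() {
			return out[i].GetName() < out[j].GetName()
		}
		return out[i].GetHostID() < out[j].GetHostID()
	})
	return out
}

// DispatchOrder (assumed caller) applies the configured ShuffleFunc before agents are tried in turn.
func DispatchOrder(servers []DatabaseServer) []DatabaseServer { return shuffleFunc(servers) }

func main() {
	servers := []DatabaseServer{{"pg", "host-b"}, {"mysql", "host-a"}, {"pg", "host-a"}} // constructed sample
	SetShuffleFunc(ShuffleSort)
	fmt.Println(DispatchOrder(servers)) // [{mysql host-a} {pg host-a} {pg host-b}]
}
```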

Types

type CADownloader

type CADownloader interface {
	// Download downloads the CA certificate for the provided database instance.
	Download(context.Context, types.Database, string) ([]byte, []byte, error)
	// GetVersion returns the CA version for the provided database.
	GetVersion(context.Context, types.Database, string) ([]byte, error)
}

CADownloader defines the interface for cloud database CA certificate downloaders.

func NewRealDownloader

func NewRealDownloader() CADownloader

NewRealDownloader returns the real cloud database CA downloader.

type Config

type Config struct {
	// Clock used to control time.
	Clock clockwork.Clock
	// DataDir is the path to the data directory for the server.
	DataDir string
	// AuthClient is a client directly connected to the Auth server.
	AuthClient *auth.Client
	// AccessPoint is a caching client connected to the Auth Server.
	AccessPoint auth.DatabaseAccessPoint
	// Emitter is used to emit audit events.
	Emitter apievents.Emitter
	// NewAudit allows overriding the audit logger in tests.
	NewAudit NewAuditFn
	// TLSConfig is the *tls.Config for this server.
	TLSConfig *tls.Config
	// Limiter limits the number of connections per client IP.
	Limiter *limiter.Limiter
	// Authorizer is used to authorize requests coming from proxy.
	Authorizer authz.Authorizer
	// GetRotation returns the certificate rotation state.
	GetRotation func(role types.SystemRole) (*types.Rotation, error)
	// GetServerInfoFn returns a function that returns database info for heartbeats.
	GetServerInfoFn func(database types.Database) func() (types.Resource, error)
	// Hostname is the hostname where this database server is running.
	Hostname string
	// HostID is the id of the host where this database server is running.
	HostID string
	// ResourceMatchers is a list of database resource matchers.
	ResourceMatchers []services.ResourceMatcher
	// AWSMatchers is a list of AWS database matchers.
	AWSMatchers []types.AWSMatcher
	// AzureMatchers is a list of Azure database matchers.
	AzureMatchers []types.AzureMatcher
	// Databases is a list of proxied databases from static configuration.
	Databases types.Databases
	// CloudLabels is a service that imports labels from a cloud provider. The labels are shared
	// between all databases.
	CloudLabels labels.Importer
	// OnHeartbeat is called after every heartbeat. Used to update process state.
	OnHeartbeat func(error)
	// OnReconcile is called after each database resource reconciliation.
	OnReconcile func(types.Databases)
	// Auth is responsible for generating database auth tokens.
	Auth common.Auth
	// CADownloader automatically downloads root certs for cloud hosted databases.
	CADownloader CADownloader
	// CloudClients creates cloud API clients.
	CloudClients clients.Clients
	// CloudMeta fetches cloud metadata for cloud hosted databases.
	CloudMeta *cloud.Metadata
	// CloudIAM configures IAM for cloud hosted databases.
	CloudIAM *cloud.IAM
	// ConnectedProxyGetter gets the proxies teleport is connected to.
	ConnectedProxyGetter *reversetunnel.ConnectedProxyGetter
	// CloudUsers manages users for cloud hosted databases.
	CloudUsers *users.Users
	// ConnectionMonitor monitors and closes connections if session controls
	// prevent the connections.
	ConnectionMonitor ConnMonitor
	// ShutdownPollPeriod defines the shutdown poll period.
	ShutdownPollPeriod time.Duration
	// contains filtered or unexported fields
}

Config is the configuration for a database proxy server.

func (*Config) CheckAndSetDefaults

func (c *Config) CheckAndSetDefaults(ctx context.Context) (err error)

CheckAndSetDefaults makes sure the configuration has the minimum required to function.

type ConnMonitor

type ConnMonitor interface {
	MonitorConn(ctx context.Context, authzCtx *authz.Context, conn net.Conn) (context.Context, net.Conn, error)
}

ConnMonitor monitors authorized connections and terminates them when session controls dictate so.

type NewAuditFn

type NewAuditFn func(common.AuditConfig) (common.Audit, error)

NewAuditFn defines a function that creates an audit logger.

type ProxyServer

type ProxyServer struct {
	// contains filtered or unexported fields
}

ProxyServer runs inside the Teleport proxy and is responsible for accepting connections coming from database clients (via a multiplexer) and dispatching them to the appropriate database services over the reverse tunnel.

func NewProxyServer

func NewProxyServer(ctx context.Context, config ProxyServerConfig) (*ProxyServer, error)

NewProxyServer creates a new instance of the database proxy server.

func (*ProxyServer) Authorize

func (s *ProxyServer) Authorize(ctx context.Context, tlsConn utils.TLSConn, params common.ConnectParams) (*common.ProxyContext, error)

Authorize authorizes the provided client TLS connection.

func (*ProxyServer) Connect

func (s *ProxyServer) Connect(ctx context.Context, proxyCtx *common.ProxyContext, clientSrcAddr, clientDstAddr net.Addr) (net.Conn, error)

Connect connects to the database server running on a remote cluster over reverse tunnel and upgrades this end of the connection to TLS so the identity can be passed over it.

The passed in context is expected to contain the identity information decoded from the client certificate by auth.Middleware.

Implements common.Service.

func (*ProxyServer) MySQLProxy

func (s *ProxyServer) MySQLProxy() *mysql.Proxy

MySQLProxy returns a new instance of the MySQL protocol aware proxy.

func (*ProxyServer) MySQLProxyNoTLS

func (s *ProxyServer) MySQLProxyNoTLS() *mysql.Proxy

MySQLProxyNoTLS returns a new instance of the non-TLS MySQL proxy.

func (*ProxyServer) PostgresProxy

func (s *ProxyServer) PostgresProxy() *postgres.Proxy

PostgresProxy returns a new instance of the Postgres protocol aware proxy.

func (*ProxyServer) PostgresProxyNoTLS

func (s *ProxyServer) PostgresProxyNoTLS() *postgres.Proxy

PostgresProxyNoTLS returns a new instance of the non-TLS Postgres proxy.

func (*ProxyServer) Proxy

func (s *ProxyServer) Proxy(ctx context.Context, proxyCtx *common.ProxyContext, clientConn, serviceConn net.Conn) error

Proxy starts proxying all traffic received from the database client between this proxy and the Teleport database service over the reverse tunnel.

Implements common.Service.

func (*ProxyServer) SQLServerProxy

func (s *ProxyServer) SQLServerProxy() *sqlserver.Proxy

SQLServerProxy returns a new instance of the SQL Server protocol aware proxy.

func (*ProxyServer) ServeMongo

func (s *ProxyServer) ServeMongo(listener net.Listener, tlsConfig *tls.Config) error

ServeMongo starts accepting Mongo client connections.

func (*ProxyServer) ServeMySQL

func (s *ProxyServer) ServeMySQL(listener net.Listener) error

ServeMySQL starts accepting MySQL client connections.

func (*ProxyServer) ServePostgres

func (s *ProxyServer) ServePostgres(listener net.Listener) error

ServePostgres starts accepting Postgres connections from the provided listener.

func (*ProxyServer) ServeTLS

func (s *ProxyServer) ServeTLS(listener net.Listener) error

ServeTLS starts accepting database connections that use a plain TLS connection.

type ProxyServerConfig

type ProxyServerConfig struct {
	// AuthClient is the authenticated client to the auth server.
	AuthClient *auth.Client
	// AccessPoint is the caching client connected to the auth server.
	AccessPoint auth.ReadDatabaseAccessPoint
	// Authorizer is responsible for authorizing user identities.
	Authorizer authz.Authorizer
	// Tunnel is the reverse tunnel server.
	Tunnel reversetunnelclient.Server
	// TLSConfig is the proxy server TLS configuration.
	TLSConfig *tls.Config
	// Limiter is the connection/rate limiter.
	Limiter *limiter.Limiter
	// IngressReporter reports new and active connections.
	IngressReporter *ingress.Reporter
	// ConnectionMonitor monitors and closes connections if session controls
	// prevent the connections.
	ConnectionMonitor ConnMonitor
	// MySQLServerVersion allows overriding the default MySQL engine version propagated by the Teleport Proxy.
	MySQLServerVersion string
}

ProxyServerConfig is the proxy configuration.

func (*ProxyServerConfig) CheckAndSetDefaults

func (c *ProxyServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults validates the config and sets default values.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is a database server. It accepts database client requests coming over reverse tunnel from Teleport proxy and proxies them to databases.

func New

func New(ctx context.Context, config Config) (*Server, error)

New returns a new database server.

func (*Server) Close

func (s *Server) Close() error

Close stops proxying all server's databases, drops active connections, and frees up other resources.

func (*Server) ForceHeartbeat

func (s *Server) ForceHeartbeat() error

ForceHeartbeat is used by tests to force-heartbeat all registered databases.

func (*Server) HandleConnection

func (s *Server) HandleConnection(conn net.Conn)

HandleConnection accepts the connection coming over reverse tunnel, upgrades it to TLS, extracts identity information from it, performs authorization and dispatches to the appropriate database engine.

func (*Server) Shutdown

func (s *Server) Shutdown(ctx context.Context) error

Shutdown performs a graceful shutdown.

func (*Server) Start

func (s *Server) Start(ctx context.Context) (err error)

Start starts proxying all server's registered databases.

func (*Server) Wait

func (s *Server) Wait() error

Wait will block while the server is running.

type ShuffleFunc

type ShuffleFunc func([]types.DatabaseServer) []types.DatabaseServer

ShuffleFunc defines a function that shuffles a list of database servers.

Directories

Path	Synopsis
common	Package common provides common utilities used by all supported database implementations.
iam	
mongodb	Package mongodb implements a database access proxy that handles authentication, authorization and protocol parsing of connections from MongoDB clients to MongoDB clusters.
protocol	Package protocol implements reading/writing MongoDB wire protocol messages from/to client/server and converting them into parsed data structures.
mysql	Package mysql implements MySQL protocol support for the database access.
protocol	Package protocol implements the parts of the MySQL wire protocol which are needed for the service to be able to interpret the protocol messages but are not readily available in a convenient form in the vendored MySQL library.
postgres	Package postgres implements components of the database access subsystem that proxy connections between Postgres clients (like psql or pgAdmin) and Postgres database servers with full protocol awareness.
redis	Package redis implements a database access proxy that handles authentication, authorization and protocol parsing of connections from Redis clients to Redis standalone or Redis clusters.
secrets	Package secrets implements clients for managing secret values using secret management tools like AWS Secrets Manager.
kinit	Package kinit provides utilities for interacting with a KDC (Key Distribution Center) for Kerberos5.
