DB auto-user provisioning to support `db_user_options` #48898

greedy52 · 2024-11-13T15:36:42Z

What would you like Teleport to do?
https://goteleport.com/docs/enroll-resources/database-access/auto-user-provisioning/postgres/

spec:
  options:
    create_db_user_mode: best_effort_drop
  allow:
    db_roles:
    - rds_superuser
+   db_user_options:
+   - CREATEDB

What problem does this solve?

Allow auto-provisioned users to have role options like SUPERUSER, CREATEDB, REPLICATION, etc.

(Though we have to think through the consequences when the auto-provisioned users have some of these high privileges.)

If a workaround exists, please include it.

Use keep mode, and login the database as an admin then manually grant the auto-provisioned user these options.

The text was updated successfully, but these errors were encountered:

GavinFrazar · 2024-11-14T23:04:20Z

another use case might be setting NOINHERIT so that a user must SET ROLE <role> to use a role they were granted, i.e role assumption in postgres

greedy52 added database-access Database access related issues and PRs feature-request Used for new features in Teleport, improvements to current should be #enhancements labels Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DB auto-user provisioning to support `db_user_options` #48898

DB auto-user provisioning to support `db_user_options` #48898

greedy52 commented Nov 13, 2024 •

edited

Loading

GavinFrazar commented Nov 14, 2024

DB auto-user provisioning to support db_user_options #48898

DB auto-user provisioning to support db_user_options #48898

Comments

greedy52 commented Nov 13, 2024 • edited Loading

GavinFrazar commented Nov 14, 2024

DB auto-user provisioning to support `db_user_options` #48898

DB auto-user provisioning to support `db_user_options` #48898

greedy52 commented Nov 13, 2024 •

edited

Loading