@@ -18,7 +18,7 @@ Teleport today supports per-session MFA for enhanced security. However, when a
1818user needs to run queries on multiple database hosts simultaneously, they have
1919to perform a tap for every connection.
2020
21- A relaxed mode of per-session MFA will be introduced so that a MFA challenge is
21+ A relaxed mode of per-session MFA will be introduced so that an MFA challenge is
2222still required for connecting to target databases but the MFA response can be
2323reused for a short period of time without the need to prompt the user again in
2424that period.
@@ -67,8 +67,7 @@ Executing command for 'mysql-db2':
6767mysql-db2-hostname
6868```
6969
70- I would like to search databases by labels, run the sql scripts in parallel, and
71- record the outputs to a directory:
70+ I would like to search databases by labels and run the sql scripts in parallel:
7271``` bash
7372$ tsh db exec --search-by-labels env=dev --db-user mysql --exec-query " source my_script.sql"
7473Found 5 databases:
@@ -132,6 +131,7 @@ spec:
132131+ # supported for `tsh db exec` command with WebAuthn as the second factor.
133132+ requie_session_mfa_mode: "multi-session"
134133```
134+
135135Mode defaults to ` per-session ` if not set. If a resource matches a role set with
136136some roles on ` per-session ` but others on ` multi-session ` , the stricter mode
137137` per-session ` should be applied.
@@ -181,15 +181,18 @@ General flow of the command:
181181- Fetch roles and use access checker to determine MFA requirement.
182182- For each database:
183183 - Prompt MFA if necessary.
184- - Starts a local proxy in tunnel mode for this database.
184+ - Starts a local proxy in tunnel mode for this database (regardless of cluster
185+ proxy listener mode).
185186 - Craft a command for ` os.exec ` . The command is not interactive (e.g. does not
186- take in ` stdin ` input). Outputs are printed to ` stdout ` unless ` --log-dir `
187+ take in ` stdin ` for input). Outputs are printed to ` stdout ` unless ` --log-dir `
187188 is specified.
188189 - Execute the command.
189190
190191The command supports searching database by specifying one the following flags:
191- - ` --search ` : List of comma separated search keywords or phrases enclosed in quotations, e.g. ` --search=foo,bar `
192- - ` --search-by-labels ` : List of comma separated labels to filter by labels, e.g. ` key1=value1,key2=value2 `
192+ - ` --search ` : List of comma separated search keywords or phrases enclosed in
193+ quotations, e.g. ` --search=foo,bar ` .
194+ - ` --search-by-labels ` : List of comma separated labels to filter by labels, e.g.
195+ ` key1=value1,key2=value2 ` .
193196- ` --search-by-query ` : Query by predicate language enclosed in single quotes.
194197
195198The command presents the search results then asks user to confirm before
@@ -199,7 +202,7 @@ Some other details:
199202- If the multi-session MFA response is expired, the command should ask for MFA
200203 again.
201204- For MVP implementation, only PostgreSQL and MySQL databases will be supported.
202- - A warning will be printed if the target databases have different protocols
205+ And a warning will be printed if the target databases have different protocols
203206 (e.g. ` postgres ` vs ` mysql ` ).
204207- For databases that require per-session MFA, a prompt will still be presented
205208 per database.
@@ -210,9 +213,27 @@ Some other details:
210213 database or per search.
211214- ` tsh db exec --exec-command ` to support custom command template like `$ tsh
212215 db exec --exec-command "bash -c './myscript {{.DB_SERVICE}} {{.DB_USER}}
213- {{.DB_LOCAL_PORT}}'"` . An env var ` TSH_UNSTABLE_DB_EXEC_COMMAND` can be
214- supported for the initial MVP.
216+ {{.DB_NAME}} {{. DB_LOCAL_PORT}}'"` . An env var ` TSH_UNSTABLE_DB_EXEC_COMMAND`
217+ can be supported for the initial MVP.
215218
216219### Security
217220
218- TODO
221+ There is no change regarding security for existing users, unless their Teleport
222+ admins set the ` multi-session ` mode in the role option.
223+
224+ Since the mode is configured at the role level, the mode will only be applied to
225+ the resources that matches the role (e.g. ` role.allow.db_labels ` ). And if
226+ another role matching the resource has the stricter mode ` per-session ` , the
227+ stricter mode will be applied.
228+
229+ The negative implications of the ` multi-session ` is the same as outlined in [ RFD
230+ 155 Scoped Webauthn
231+ Credentials] ( https://github.com/gravitational/teleport/blob/master/rfd/0155-scoped-webauthn-credentials.md ) :
232+
233+ 1 . The webauthn credential's scope is provided by the client
234+ 2 . Reuse is requested by the client
235+ 3 . Reuse is permitted for the action - server enforced
236+ 4 . The expiration of the credentials - server enforced (5 minutes)
237+
238+ However, the new scope ` SCOPE_DATABASE_MULTI_SESSION ` will be limited to only
239+ database sessions.
0 commit comments