add mermaid

greedy52 · greedy52 · commit ff3922566406 · 2025-02-24T12:52:41.000-05:00
diff --git a/rfd/0202-db-multi-session-mfa.md b/rfd/0202-db-multi-session-mfa.md
@@ -58,22 +58,28 @@ MFA is required to execute database sessions
 Tap any security key
 Detected security key tap
 
-[mysql-db1] @@hostname
-[mysql-db1] mysql-db1-hostname
-[mysql-db2] @@hostname
-[mysql-db2] mysql-db2-hostname
+Executing command for 'mysql-db1':
+@@hostname
+mysql-db1-hostname
+
+Executing command for 'mysql-db2':
+@@hostname
+mysql-db2-hostname
 ```
 
 I would like to search databases by labels, run the sql scripts in parallel, and
 record the outputs to a directory:
 ```bash
-$ tsh db exec --search-by-labels env=dev --db-user mysql --exec-query "source my_script.sql" --output-dir exec-logs --max-connections 3
+$ tsh db exec --search-by-labels env=dev --db-user mysql --exec-query "source my_script.sql" --log-dir exec-logs --max-connections 3
 Found 5 databases:
-- mysql-db1
-- mysql-db2
-- mysql-db3
-- mysql-db4
-- mysql-db5
+
+Name      Protocol Description Labels
+--------- -------- ----------- -------
+mysql-db1 mysql    instance 1  env=dev
+mysql-db2 mysql    instance 2  env=dev
+mysql-db3 mysql    instance 3  env=dev
+mysql-db4 mysql    instance 4  env=dev
+mysql-db5 mysql    instance 5  env=dev
 
 Tip: use --skip-confirm to skip this confirmation.
 Do you want to continue? (Press any key to proceed or Ctrl+C to exit): <enter>
@@ -82,21 +88,38 @@ MFA is required to execute database sessions
 Tap any security key
 Detected security key tap
 
-Executing command for 'mysql-db1'
-Executing command for 'mysql-db2'
-Executing command for 'mysql-db3'
-Executing command for 'mysql-db4'
-Executing command for 'mysql-db5'
-
-$ ls exec-logs/
-mysql-db1.output mysql-db2.output mysql-db3.output mysql-db4.output mysql-db5.output
+Executing command for 'mysql-db1'. Outputs will be saved at 'exec-logs/mysql-db1.log'.
+Executing command for 'mysql-db2'. Outputs will be saved at 'exec-logs/mysql-db2.log'.
+Executing command for 'mysql-db3'. Outputs will be saved at 'exec-logs/mysql-db3.log'.
+Executing command for 'mysql-db4'. Outputs will be saved at 'exec-logs/mysql-db4.log'.
+Executing command for 'mysql-db5'. Outputs will be saved at 'exec-logs/mysql-db5.log'.
 ```
+(where you can expect the first 3 connections happen right away, and the other 2
+connections happen after the previous ones finish.)
 
 ### Multi-session MFA
 
-TODO(greedy52) add a diagram.
+Overview:
+```mermaid
+sequenceDiagram
+    participant user
+    participant tsh
+    participant Teleport
+    
+    user -> tsh: tsh db exec
+    tsh -> Teleport: CreateAuthenticateChallengeRequest<br/>Scope: SCOPE_DATABASE_MULTI_SESSION<br/>Reuse: true
+    Teleport -> tsh: challenge
+    tsh -> user: prompt
+    user -> tsh: tap
+    tsh -> Teleport: WebAuthn login
+    Teleport -> tsh: MFA Response
+    loop
+        tsh -> Teleport: GenerateUserCerts with MFA response
+        Teleport -> tsh: User cert with database route
+    end
+```
 
-A new role option is added to preserve existing behavior if not set:
+A new role option is added to decide the mode for session MFA:
 ```diff
 kind: role
 version: v7
@@ -109,6 +132,9 @@ spec:
 +    #    supported for `tsh db exec` command with WebAuthn as the second factor.
 +    requie_session_mfa_mode: "multi-session"
 ```
+Mode defaults to `per-session` if not set. If a resource matches a role set with
+some roles on `per-session` but others on `multi-session`, the stricter mode
+`per-session` should be applied.
 
 The multi-session MFA extends [RFD 155 Scoped Webauthn
 Credentials](https://github.com/gravitational/teleport/blob/master/rfd/0155-scoped-webauthn-credentials.md)
@@ -122,59 +148,71 @@ enum ChallengeScope {
 }
 ```
 
-Similar to `SCOPE_ADMIN_ACTION`, the new scope will allow reuse of the MFA
-session data until it expires (5 minutes for WebAuthn).
+Similar to `SCOPE_ADMIN_ACTION`, the new scope `SCOPE_DATABASE_MULTI_SESSION`
+will allow reuse of the MFA session data until it expires (5 minutes for
+WebAuthn).
 
 The MFA response will be checked upon auth call of `GenerateUserCerts` where
 user requests a TLS user cert with database route. New logic is added to
 `GenerateUserCerts` where the new scope with reuse is allowed only if the role
 set matching the requested database has `roleset.option.requie_session_mfa_mode`
 option set to `multi-session`.
 
-If MFA response is validated with existing non-reusable `SCOPE_SESSION`, the
-action should be allowed regardless of `roleset.option.requie_session_mfa_mode`.
+The new scope cannot be used for `GenerateUserCerts` for non-database targets.
+And if the MFA response is validated with existing non-reusable `SCOPE_SESSION`,
+the action should be allowed regardless of
+`roleset.option.requie_session_mfa_mode`.
 
 Here is a quick matrix:
 
-| `session_mfa_mode` | MFA response scope | Access |
-| ------------------ | ------------------ | ------ |
-| `multi-session`    | `SCOPE_SESSION`    | allow  |
-| `multi-session`    | `SCOPE_DATABASE_MULTI_SESSION` | allow  |
-| `per-session`      | `SCOPE_SESSION`    | allow  |
-| `per-session`      | `SCOPE_DATABASE_MULTI_SESSION` | denied  |
+| `session_mfa_mode` | MFA response scope             | Requested Target | Access |
+|--------------------|--------------------------------|------------------|--------|
+| `multi-session`    | `SCOPE_SESSION`                | Database         | Allow  |
+| `multi-session`    | `SCOPE_DATABASE_MULTI_SESSION` | Database         | Allow  |
+| `multi-session`    | `SCOPE_DATABASE_MULTI_SESSION` | Non-Database     | Denied |
+| `per-session`      | `SCOPE_SESSION`                | Database         | Allow  |
+| `per-session`      | `SCOPE_DATABASE_MULTI_SESSION` | Database         | Denied |
+| `per-session`      | `SCOPE_DATABASE_MULTI_SESSION` | Non-Database     | Denied |
 
 ### The `tsh db exec` command
 
 General flow of the command:
 - Fetch databases (either specified directly or through search).
-- Fetch roles and use access checker to pre-determine MFA requirement.
-- For each database
-  - Prompt MFA if necessary
-  - Starts a local proxy in tunnel mode for this database
-  - Craft a command and `os.exec`.
-
-For MVP, only PostgreSQL and MySQL databases will be supported.
-
-#### `tsh db exec` search
-`tsh db exec` supports searching database by specifying one the following flags:
+- Fetch roles and use access checker to determine MFA requirement.
+- For each database:
+  - Prompt MFA if necessary.
+  - Starts a local proxy in tunnel mode for this database.
+  - Craft a command for `os.exec`. The command is not interactive (e.g. does not
+    take in `stdin` input). Outputs are printed to `stdout` unless `--log-dir`
+    is specified.
+  - Execute the command.
+ 
+The command supports searching database by specifying one the following flags:
 - `--search`: List of comma separated search keywords or phrases enclosed in quotations, e.g. `--search=foo,bar`
 - `--search-by-labels`: List of comma separated labels to filter by labels, e.g. `key1=value1,key2=value2`
 - `--search-by-query`: Query by predicate language enclosed in single quotes.
 
 The command presents the search results then asks user to confirm before
 proceeding. `--skip-confirm` can be used to skip the confirmation.
 
+Some other details:
+- If the multi-session MFA response is expired, the command should ask for MFA
+  again.
+- For MVP implementation, only PostgreSQL and MySQL databases will be supported.
+- A warning will be printed if the target databases have different protocols
+  (e.g. `postgres` vs `mysql`).
+- For databases that require per-session MFA, a prompt will still be presented
+  per database.
+ 
+#### Possible enhancements for `tsh db exec`
+- `tsh db exec --exec-config` to support a config file which allows specifying
+  different flags like `--db-user`, `--db-name`, `--exec-query` per target
+  database or per search.
+- `tsh db exec --exec-command` to support custom command template like `$ tsh
+  db exec --exec-command "bash -c './myscript {{.DB_SERVICE}} {{.DB_USER}}
+  {{.DB_LOCAL_PORT}}'"`. An env var `TSH_UNSTABLE_DB_EXEC_COMMAND` can be
+  supported for the initial MVP.
+
 ### Security
 
 TODO
-
-### Possible enhancements
-#### `tsh db exec --exec-config`
-To support a config file which allows specifying different flags like
-`--db-user`, `--db-name`, `--exec-query` per target database.
-
-#### `tsh db exec --exec-command`
-To support custom command template like:
-```
-$ tsh db exec --exec-command "bash -c './myscript {{.DB_SERVICE}} {{.DB_LOCAL_PORT}}'
-```
