Documentation
Index
- func SetShuffleFunc(fn ShuffleFunc)
- func ShuffleRandom(servers []types.DatabaseServer) []types.DatabaseServer
- func ShuffleSort(servers []types.DatabaseServer) []types.DatabaseServer
- type CADownloader
- type Config
- type NewAuditFn
- type ProxyServer
- func (s *ProxyServer) Authorize(ctx context.Context, tlsConn utils.TLSConn, params common.ConnectParams) (*common.ProxyContext, error)
- func (s *ProxyServer) Connect(ctx context.Context, proxyCtx *common.ProxyContext) (net.Conn, error)
- func (s *ProxyServer) MySQLProxy() *mysql.Proxy
- func (s *ProxyServer) MySQLProxyNoTLS() *mysql.Proxy
- func (s *ProxyServer) PostgresProxy() *postgres.Proxy
- func (s *ProxyServer) PostgresProxyNoTLS() *postgres.Proxy
- func (s *ProxyServer) Proxy(ctx context.Context, proxyCtx *common.ProxyContext, ...) error
- func (s *ProxyServer) SQLServerProxy() *sqlserver.Proxy
- func (s *ProxyServer) ServeMongo(listener net.Listener, tlsConfig *tls.Config) error
- func (s *ProxyServer) ServeMySQL(listener net.Listener) error
- func (s *ProxyServer) ServePostgres(listener net.Listener) error
- func (s *ProxyServer) ServeTLS(listener net.Listener) error
- type ProxyServerConfig
- type Server
- type ShuffleFunc
Functions
func SetShuffleFunc
func SetShuffleFunc(fn ShuffleFunc)
SetShuffleFunc sets the shuffle behavior when proxying to multiple agents.
func ShuffleRandom
func ShuffleRandom(servers []types.DatabaseServer) []types.DatabaseServer
ShuffleRandom is a ShuffleFunc that randomizes the order of database servers. Used to provide load balancing behavior when proxying to multiple agents.
func ShuffleSort
func ShuffleSort(servers []types.DatabaseServer) []types.DatabaseServer
ShuffleSort is a ShuffleFunc that sorts database servers by name and host ID. Used to provide predictable behavior in tests.
Types
type CADownloader
type CADownloader interface {
	// Download downloads the CA certificate for the provided database instance.
	Download(context.Context, types.Database, string) ([]byte, error)
}
CADownloader defines the interface for cloud database CA certificate downloaders.
func NewRealDownloader
func NewRealDownloader() CADownloader
NewRealDownloader returns a real cloud database CA downloader.
type Config
type Config struct {
	// Clock used to control time.
	Clock clockwork.Clock
	// DataDir is the path to the data directory for the server.
	DataDir string
	// AuthClient is a client directly connected to the Auth server.
	AuthClient *auth.Client
	// AccessPoint is a caching client connected to the Auth Server.
	AccessPoint auth.DatabaseAccessPoint
	// Emitter is used to emit audit events.
	Emitter apievents.Emitter
	// StreamEmitter is a non-blocking audit events emitter.
	StreamEmitter events.StreamEmitter
	// NewAudit allows overriding the audit logger in tests.
	NewAudit NewAuditFn
	// TLSConfig is the *tls.Config for this server.
	TLSConfig *tls.Config
	// Limiter limits the number of connections per client IP.
	Limiter *limiter.Limiter
	// Authorizer is used to authorize requests coming from the proxy.
	Authorizer auth.Authorizer
	// GetRotation returns the certificate rotation state.
	GetRotation func(role types.SystemRole) (*types.Rotation, error)
	// GetServerInfoFn returns a function that returns database info for heartbeats.
	GetServerInfoFn func(database types.Database) func() (types.Resource, error)
	// Hostname is the hostname where this database server is running.
	Hostname string
	// HostID is the id of the host where this database server is running.
	HostID string
	// ResourceMatchers is a list of database resource matchers.
	ResourceMatchers []services.ResourceMatcher
	// AWSMatchers is a list of AWS database matchers.
	AWSMatchers []services.AWSMatcher
	// AzureMatchers is a list of Azure database matchers.
	AzureMatchers []services.AzureMatcher
	// Databases is a list of proxied databases from static configuration.
	Databases types.Databases
	// CloudLabels is a service that imports labels from a cloud provider. The labels are shared
	// between all databases.
	CloudLabels labels.Importer
	// OnHeartbeat is called after every heartbeat. Used to update process state.
	OnHeartbeat func(error)
	// OnReconcile is called after each database resource reconciliation.
	OnReconcile func(types.Databases)
	// Auth is responsible for generating database auth tokens.
	Auth common.Auth
	// CADownloader automatically downloads root certs for cloud hosted databases.
	CADownloader CADownloader
	// LockWatcher is a lock watcher.
	LockWatcher *services.LockWatcher
	// CloudClients creates cloud API clients.
	CloudClients clients.Clients
	// CloudMeta fetches cloud metadata for cloud hosted databases.
	CloudMeta *cloud.Metadata
	// CloudIAM configures IAM for cloud hosted databases.
	CloudIAM *cloud.IAM
	// ConnectedProxyGetter gets the proxies Teleport is connected to.
	ConnectedProxyGetter *reversetunnel.ConnectedProxyGetter
	// CloudUsers manages users for cloud hosted databases.
	CloudUsers *users.Users
}
Config is the configuration for a database proxy server.
type NewAuditFn
type NewAuditFn func(common.AuditConfig) (common.Audit, error)
NewAuditFn defines a function that creates an audit logger.
type ProxyServer
type ProxyServer struct {
	// contains filtered or unexported fields
}
ProxyServer runs inside the Teleport proxy and is responsible for accepting connections coming from database clients (via a multiplexer) and dispatching them to the appropriate database services over the reverse tunnel.
func NewProxyServer
func NewProxyServer(ctx context.Context, config ProxyServerConfig) (*ProxyServer, error)
NewProxyServer creates a new instance of the database proxy server.
func (*ProxyServer) Authorize
func (s *ProxyServer) Authorize(ctx context.Context, tlsConn utils.TLSConn, params common.ConnectParams) (*common.ProxyContext, error)
Authorize authorizes the provided client TLS connection.
func (*ProxyServer) Connect
func (s *ProxyServer) Connect(ctx context.Context, proxyCtx *common.ProxyContext) (net.Conn, error)
Connect connects to the database server running on a remote cluster over reverse tunnel and upgrades this end of the connection to TLS so the identity can be passed over it.
The passed in context is expected to contain the identity information decoded from the client certificate by auth.Middleware.
Implements common.Service.
func (*ProxyServer) MySQLProxy
func (s *ProxyServer) MySQLProxy() *mysql.Proxy
MySQLProxy returns a new instance of the MySQL protocol aware proxy.
func (*ProxyServer) MySQLProxyNoTLS
func (s *ProxyServer) MySQLProxyNoTLS() *mysql.Proxy
MySQLProxyNoTLS returns a new instance of the non-TLS MySQL proxy.
func (*ProxyServer) PostgresProxy
func (s *ProxyServer) PostgresProxy() *postgres.Proxy
PostgresProxy returns a new instance of the Postgres protocol aware proxy.
func (*ProxyServer) PostgresProxyNoTLS
func (s *ProxyServer) PostgresProxyNoTLS() *postgres.Proxy
PostgresProxyNoTLS returns a new instance of the non-TLS Postgres proxy.
func (*ProxyServer) Proxy
func (s *ProxyServer) Proxy(ctx context.Context, proxyCtx *common.ProxyContext, clientConn, serviceConn net.Conn) error
Proxy starts proxying all traffic received from the database client between this proxy and the Teleport database service over the reverse tunnel.
Implements common.Service.
func (*ProxyServer) SQLServerProxy
func (s *ProxyServer) SQLServerProxy() *sqlserver.Proxy
SQLServerProxy returns a new instance of the SQL Server protocol aware proxy.
func (*ProxyServer) ServeMongo
func (s *ProxyServer) ServeMongo(listener net.Listener, tlsConfig *tls.Config) error
ServeMongo starts accepting Mongo client connections.
func (*ProxyServer) ServeMySQL
func (s *ProxyServer) ServeMySQL(listener net.Listener) error
ServeMySQL starts accepting MySQL client connections.
func (*ProxyServer) ServePostgres
func (s *ProxyServer) ServePostgres(listener net.Listener) error
ServePostgres starts accepting Postgres connections from the provided listener.
type ProxyServerConfig
type ProxyServerConfig struct {
	// AuthClient is the authenticated client to the auth server.
	AuthClient *auth.Client
	// AccessPoint is the caching client connected to the auth server.
	AccessPoint auth.ReadDatabaseAccessPoint
	// Authorizer is responsible for authorizing user identities.
	Authorizer auth.Authorizer
	// Tunnel is the reverse tunnel server.
	Tunnel reversetunnel.Server
	// TLSConfig is the proxy server TLS configuration.
	TLSConfig *tls.Config
	// Limiter is the connection/rate limiter.
	Limiter *limiter.Limiter
	// Emitter is used to emit audit events.
	Emitter events.Emitter
	// Clock to override clock in tests.
	Clock clockwork.Clock
	// ServerID is the ID of the audit log server.
	ServerID string
	// LockWatcher is a lock watcher.
	LockWatcher *services.LockWatcher
}
ProxyServerConfig is the proxy configuration.
func (*ProxyServerConfig) CheckAndSetDefaults
func (c *ProxyServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults validates the config and sets default values.
type Server
type Server struct {
	// contains filtered or unexported fields
}
Server is a database server. It accepts database client requests coming over reverse tunnel from Teleport proxy and proxies them to databases.
func (*Server) ForceHeartbeat
ForceHeartbeat is used by tests to force-heartbeat all registered databases.
func (*Server) HandleConnection
HandleConnection accepts the connection coming over reverse tunnel, upgrades it to TLS, extracts identity information from it, performs authorization and dispatches to the appropriate database engine.
type ShuffleFunc
type ShuffleFunc func([]types.DatabaseServer) []types.DatabaseServer
ShuffleFunc defines a function that shuffles a list of database servers.
Directories
Path | Synopsis
---|---
common | Package common provides common utilities used by all supported database implementations.
mongodb | Package mongodb implements database access proxy that handles authentication, authorization and protocol parsing of connections from MongoDB clients to MongoDB clusters.
mongodb/protocol | Package protocol implements reading/writing MongoDB wire protocol messages from/to client/server and converting them into parsed data structures.
mysql | Package mysql implements MySQL protocol support for the database access.
mysql/protocol | Package protocol implements parts of MySQL wire protocol which are needed for the service to be able to interpret the protocol messages but are not readily available in the convenient form in the vendored MySQL library.
postgres | Package postgres implements components of the database access subsystem that proxy connections between Postgres clients (such as psql or pgAdmin) and Postgres database servers with full protocol awareness.
redis | Package redis implements database access proxy that handles authentication, authorization and protocol parsing of connections from Redis clients to Redis standalone or Redis clusters.
secrets | Package secrets implements clients for managing secret values using secret management tools like AWS Secrets Manager.
kinit | Package kinit provides utilities for interacting with a KDC (Key Distribution Center) for Kerberos5.