Fork me on GitHub
Teleport

Database Access with Self-Hosted MongoDB

Improve
Setting up Teleport Database Access for MongoDB

Setting up Teleport Database Access for MongoDB

Length: 12:54

Self-Hosted MongoDB

In this guide you will:

  1. Install and configure Teleport for Database Access.
  2. Configure mutual TLS authentication between Teleport and your MongoDB cluster.
  3. Connect to your MongoDB instance via Teleport.

Prerequisites

  • Teleport version 7.0 or newer.
  • MongoDB cluster (standalone or replica set) version 3.6 or newer.
Note

Teleport Database Access supports MongoDB 3.6 and newer. Older versions have not been tested and are not guaranteed to work. MongoDB 3.6 was released in November 2017 and reached EOL in April 2021 so if you're still using an older version, consider upgrading.

Step 1/3. Install & configure Teleport

Setup Teleport Auth and Proxy services

Download the latest version of Teleport for your platform from our downloads page and follow the installation instructions.

Teleport requires a valid TLS certificate to operate and can fetch one automatically using Let's Encrypt ACME protocol. We will assume that you have configured DNS records for teleport.example.com and *.teleport.example.com to point to the Teleport node.

Generate Teleport config with ACME enabled:

$ teleport configure --cluster-name=teleport.example.com --acme [email protected] -o file
Web Proxy Port

Teleport uses TLS-ALPN-01 ACME challenge to validate certificate requests which only works on port 443. As such, in order to use ACME for certificate management, web proxy needs to be accessible on port 443.

Start Teleport Auth and Proxy services:

$ sudo teleport start

Setup Teleport Database service

Database agent requires a valid auth token to connect to the cluster. Generate one by running the following command against your Teleport auth server and save it in /tmp/token on the node which will be running the database agent:

$ tctl tokens add --type=db

Start Teleport Database service:

teleport db start \ --token=/tmp/token \ --auth-server=teleport.example.com:3080 \ --name=example-mongo \ --protocol=mongodb \ --uri=mongo.example.com:27017 \ --labels=env=dev
Note

The --auth-server flag must point to the Teleport cluster's proxy endpoint because database service always connects back to the cluster over a reverse tunnel.

You can specify either a single connection address or a MongoDB connection string as a URI. For example, when connecting to a replica set:

--uri="mongodb://mongo1.example.com:27017,mongo2.example.com:27017/?replicaSet=rs0"

By default, Teleport will connect to the primary replica set member. If you'd like to connect to a secondary instead, Teleport will respect readPreference connection string setting:

--uri="mongodb://mongo1.example.com:27017,mongo2.example.com:27017/?replicaSet=rs0&readPreference=secondary"
Tip

You can start Database service using configuration file instead of CLI flags. See YAML reference.

Create Teleport user

Create a local Teleport user with the built-in access role:

$ tctl users add --roles=access alice

The access role allows users to see all connected database servers, but database names and accounts are restricted to the user's db_names and db_users traits. Normally, these traits come from the identity provider. For the local user you've just created you can update them manually to allow it to connect to any database as any database user.

First, export the user resource:

$ tctl get users/alice > alice.yaml

Update the resource to include the following traits:

traits:
  db_users:
  - "*"
  db_names:
  - "*"
Note

The db_names property only has effect on PostgreSQL and MongoDB database engines.

Update the user:

$ tctl create alice.yaml -f

For more detailed information about database access controls and how to restricted access see RBAC documentation.

Step 2/3. Configure MongoDB

Create MongoDB user

Teleport will use X.509 authentication when connecting to a MongoDB instance. Users authenticating with client certificates must be created in the $external MongoDB authentication database.

MongoDB treats the entire Subject line of the client certificate as a username. When connecting to a MongoDB server, say as a user alice, Teleport will sign an ephemeral certificate with CN=alice subject.

To create this user in the database, connect to it using mongo shell and run the following command:

db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=alice",
    roles: [
      { role: "readWriteAnyDatabase", db: "admin" }
    ]
  }
)

Update the roles accordingly to grant the user appropriate database permissions.

Setup mutual TLS

Teleport uses mutual TLS authentication with self-hosted databases. As such, they must be configured with Teleport's certificate authority to be able to verify client certificates and a certificate/key pair that Teleport can verify.

With self-hosted version of Teleport use tctl auth sign command locally on the Teleport Auth server to produce the secrets

With Teleport Cloud use tctl auth sign command on your client machine after logging in with tsh login.

Your Teleport Cloud user must be allowed to impersonate the system role Db in order to be able to generate the database certificate, by having the following allow rule in their role:

allow:
  impersonate:
    users: ["Db"]
    roles: ["Db"]

Create the secrets:

When connecting to standalone MongoDB, sign certificate for the hostname over which Teleport will be connecting to it.

For example, if your MongoDB server is accessible at mongo.example.com hostname, run:

tctl auth sign --format=mongodb --host=mongo.example.com --out=mongo --ttl=2190h
TTL

We recommend using shorter TTL but keep mind that you'll need to update the database server certificate before it expires to not lose the ability to connect, so pick the TTL value that best fits your use-case.

The command will create 2 files: mongo.cas with Teleport's certificate authority and mongo.crt with generated certificate and key pair. You will need these files to enable mutual TLS on your MongoDB server.

When connecting to a MongoDB replica set, sign certificates for each member using the hostnames they're accessible at.

For example, if the first member is accessible at mongo1.example.com and the second at mongo2.example.com, run:

tctl auth sign --format=mongodb --host=mongo1.example.com --out=mongo1 --ttl=2190h
tctl auth sign --format=mongodb --host=mongo2.example.com --out=mongo2 --ttl=2190h
TTL

We recommend using shorter TTL but keep mind that you'll need to update the database server certificate before it expires to not lose the ability to connect, so pick the TTL value that best fits your use-case.

Each command will create 2 files: mongo1.cas/mongo2.cas with Teleport's certificate authority and mongo1.crt/mongo2.crt with generated certificate and key pair. You will need these files to enable mutual TLS on your MongoDB servers.

Certificate Rotation

Teleport signs database certificates with the host authority. As such, when performing host certificates rotation, the database certificates must be updated as well.

Use the generated secrets to enable mutual TLS in your mongod.conf configuration file and restart the database:

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/certs/mongo.crt
    CAFile: /etc/certs/mongo.cas
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/certs/mongo.crt
    CAFile: /etc/certs/mongo.cas

When configuring a replica set, make sure to do it for each member and use secrets generated for the particular server.

Once mutual TLS has been enabled, you will no longer be able to connect to the cluster without providing a valid client certificate. You can use net.tls.allowConnectionsWithoutCertificates setting to allow connections from clients that do not present a certificate.

See Configure TLS/SSL in MongoDB documentation for more details.

Step 3/3. Connect

Log into your Teleport cluster and see available databases:

tsh login --proxy=teleport.example.com --user=alice
tsh db ls

Name Description Labels

------------- --------------- --------

example-mongo Example MongoDB env=dev

To connect to a particular database instance, first retrieve its certificate using tsh db login command:

tsh db login example-mongo
Tip

You can be logged into multiple databases simultaneously.

You can optionally specify the database name and the user to use by default when connecting to the database instance:

tsh db login --db-user=alice example-mongo

Once logged in, connect to the database:

tsh db connect example-mongo
Note

The mongo command-line client should be available in PATH in order to be able to connect.

To log out of the database and remove credentials:

Remove credentials for a particular database instance.

tsh db logout example-mongo

Remove credentials for all database instances.

tsh db logout

Next steps

Have a suggestion or can’t find something?
IMPROVE THE DOCS