MySQL/MariaDB: Custom callback/trigger support on user activation/deactivation #49716

Open
wants to merge 2 commits into
base: master

Conversation

disc

@disc disc commented Dec 3, 2024

The problem

The Teleport server is unable to authenticate users with a TLS proxy, such as Maxscale, between the Teleport server and the MariaDB/MySQL database. This is because the TLS proxy terminates the original TLS connection and creates a new one with a different TLS certificate, causing a mismatch in the CN attribute. As a result, users created by Teleport in the database with a specific CN attribute cannot log in.

The communication schema is:
Teleport server [Teleport client TLS certificate] -> Maxscale (TLS proxy) [Maxscale TLS certificate] -> MariaDB/MySQL server.

The suggested solution

Updated SQL procedures to call a user-created callback procedure upon user activation or deactivation if it exists (a custom trigger on user activation/deactivation). This allows for customizable actions to be triggered when a user's status changes.

The result I would like to achieve with such changes is updating database users before a login.

Teleport successfully creates users in the MariaDB/MySQL database with REQUIRE SUBJECT /cn={username}, but the TLS proxy creates a new TLS connection and uses another TLS certificate with a different CN attribute, and the Teleport users can't log into the database.

The solution is the optional creation of one or two stored procedures by the Teleport administrator in the teleport database:

  • teleport_user_activated_callback(username) with the signature

      -- MariaDB:
      CREATE PROCEDURE teleport_user_activated_callback(IN username VARCHAR(80))
      -- MySQL:
      CREATE PROCEDURE teleport_user_activated_callback(IN username VARCHAR(32))

  • teleport_user_deactivated_callback(username) with the signature

      -- MariaDB:
      CREATE PROCEDURE teleport_user_deactivated_callback(IN username VARCHAR(80))
      -- MySQL:
      CREATE PROCEDURE teleport_user_deactivated_callback(IN username VARCHAR(32))

The suggested stored procedures allow database administrators to react to these actions and update the teleport user in a database by changing REQUIRE SUBJECT /CN={username} to another method of authentication, for example:

  • change a REQUIRE SUBJECT
  • replace it with a custom auth plugin IDENTIFIED WITH own_auth_plugin
  • or do something else

Expected workflow:

  1. The teleport user logs into a database.
  2. The database user is activated by calling the teleport_activate_user(username) MariaDB/MySQL stored procedure.
  3. The procedure teleport_activate_user calls the client's own teleport_user_activated_callback(username) procedure if it exists and executes the client's business logic on this action.

The same approach is used when the user is deactivated in a database:

  1. The database user is deactivated by calling the teleport_deactivate_user(username) MariaDB/MySQL stored procedure.
  2. The procedure teleport_deactivate_user(username) calls the client's own teleport_user_deactivated_callback(username) procedure if it exists and executes the client's business logic on this action.

What do you think about such an approach?
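An added example of what the proposed hook could look like on MariaDB, written here for illustration and not taken from the PR's diff: an administrator-supplied `teleport_user_activated_callback` that re-binds the account to the proxy's certificate subject, and a sketch of the existence check an activation procedure could run before dispatching to it. It assumes a `teleport` schema, users created as `'name'@'%'`, that `ALTER USER` is allowed inside `PREPARE` on the target server version, and a placeholder proxy subject `/CN=maxscale-proxy`.

```sql
-- Added example (not the PR's own code). Assumes the `teleport` schema
-- exists, accounts are 'name'@'%', and the TLS proxy presents the
-- placeholder subject '/CN=maxscale-proxy'.
USE teleport;
DELIMITER $$

-- Administrator-owned callback. SQL SECURITY DEFINER makes it run with the
-- definer's privileges (ALTER USER), so grant EXECUTE on it only to the
-- account Teleport connects with, and keep the definer tightly scoped.
CREATE PROCEDURE teleport_user_activated_callback(IN username VARCHAR(80))
SQL SECURITY DEFINER
BEGIN
  -- Re-bind the account to the subject presented by the proxy. Identity is
  -- then asserted by the proxy rather than the per-user Teleport
  -- certificate, so the proxy must verify the Teleport client certificate
  -- itself before forwarding the connection.
  -- QUOTE() produces a properly escaped string literal for the username,
  -- avoiding string-concatenation injection into the ALTER USER statement.
  SET @sql = CONCAT('ALTER USER ', QUOTE(username), '@''%'' ',
                    'REQUIRE SUBJECT ''/CN=maxscale-proxy''');
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END$$

-- Sketch of the optional dispatch (assumed approach, not the PR's diff):
-- call the callback only when an administrator has created it in the
-- routine's own schema, so a default install keeps the current behaviour.
CREATE PROCEDURE example_dispatch_activated(IN username VARCHAR(80))
BEGIN
  IF EXISTS (SELECT 1 FROM information_schema.ROUTINES
             WHERE ROUTINE_SCHEMA = DATABASE()
               AND ROUTINE_TYPE = 'PROCEDURE'
               AND ROUTINE_NAME = 'teleport_user_activated_callback') THEN
    CALL teleport_user_activated_callback(username);
  END IF;
END$$

DELIMITER ;
```

A matching `teleport_user_deactivated_callback` would typically restore the per-user `REQUIRE SUBJECT '/CN={username}'` binding so a deactivated account cannot reuse the shared proxy subject.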

@CLAassistant

CLAassistant commented Dec 3, 2024

CLA assistant check
All committers have signed the CLA.


github-actions bot commented Dec 3, 2024

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@disc disc marked this pull request as ready for review December 3, 2024 18:56
@github-actions github-actions bot requested review from jimbishopp and r0mant December 3, 2024 18:56
@github-actions github-actions bot added database-access Database access related issues and PRs size/sm labels Dec 3, 2024
…ated_callback` mysql procedures once user was activated or deactivated if such procedures are created by a user
@disc disc force-pushed the mysql-user-activated-callback-procedure branch from 3db42cd to 810c423 Compare December 3, 2024 19:09
@disc
Author

disc commented Dec 8, 2024

Hello @jimbishopp @r0mant. Could you look into the suggested improvement and share your opinion on this matter?

@disc disc changed the title MySQL/MariaDB: User activated/deactivated callback calls in stored procedures MySQL/MariaDB: Custom callback/trigger support on user activation/deactivation Dec 8, 2024