
Document DynamoDB compatible backend for non-AWS Teleport clusters

Open balpert89 opened this issue 5 years ago • 2 comments

What happened: DynamoDB is currently limited to AWS instances only. This reduces the capability to deploy Teleport in non-AWS related environments. Noteworthy projects are:

  • https://github.com/dwmkerr/docker-dynamodb
  • https://github.com/scylladb/scylla -> https://www.scylladb.com/2019/09/11/scylla-alternator-the-open-source-dynamodb-compatible-api/

What you expected to happen: Configuring an endpoint for DynamoDB allows it to send audit events to a non-AWS instance (similar to #3054).

Environment:

  • Teleport version (use teleport version): v4.2.2
  • OS (e.g. from /etc/os-release): RHEL, CoreOS, CentOS, ...

balpert89 avatar Feb 06 '20 19:02 balpert89

Looks like the PR was merged, I'm going to add a docs label to this.

benarent avatar Apr 14 '20 21:04 benarent

Hello,

I'm trying to configure Teleport with a DynamoDB-compatible backend, but could not find how. Is it possible to configure it not only for audit events but also to keep the cluster state in a DynamoDB-compatible backend?

And I cannot find any example configuration in the docs or issues, even for audit events.

I'm trying to configure settings in our cloud provider Yandex.Cloud; they have a service, Yandex Database, which provides a DynamoDB-compatible API. And they have an article on how to configure the aws cli to use their service: https://cloud.yandex.ru/docs/ydb/quickstart/aws-instrument/setup (sorry, that page is in Russian, but they do not yet have this page in English). And to connect and use the DynamoDB API I need to set up the endpoint in such a format: https://docapi.serverless.yandexcloud.net/ru-central1/b1ggien8hdc5b5t22k9i/etn00c82270oiq8atqbc

In the case of the aws cli I can use it like: aws dynamodb list-tables --endpoint https://docapi.serverless.yandexcloud.net/ru-central1/b1g4ej5ju4rf5kelpk4b/etn03ubijq52j860kvgj

And I've tried to set up this config:

teleport:
  data_dir: /var/lib/teleport
  insecure_skip_verify: true
  auth_servers:
    - 127.0.0.1:3025
  log:
    output: stderr
    severity: DEBUG
  storage:
    audit_events_uri:
      - dynamodb://teleport?endpoint=docapi.serverless.yandexcloud.net/ru-central1/b1ggien8hdc5b5t22k9i/etn00c82270oiq8atqbc
    region: ru-central1

But when I try to run with this configuration, I receive an error:

teleport start --config=/etc/teleport.yaml -d
DEBU [SQLITE]    Connected to: file:/var/lib/teleport/proc/sqlite.db?_busy_timeout=10000&_sync=OFF, poll stream period: 1s lite/lite.go:173
DEBU [SQLITE]    Synchronous: 0, busy timeout: 10000 lite/lite.go:218
DEBU [KEYGEN]    SSH cert authority is going to pre-compute 25 keys. native/native.go:104
DEBU [PROC:1]    Using sqlite backend. service/service.go:2913
DEBU [SQLITE]    Connected to: file:/var/lib/teleport/backend/sqlite.db?_busy_timeout=10000&_sync=OFF, poll stream period: 1s lite/lite.go:173
DEBU [SQLITE]    Synchronous: 0, busy timeout: 10000 lite/lite.go:218
INFO [S3]        Setting up bucket "staging-dns-teleport", sessions path "/records" in region "ru-central1". s3sessions/s3handler.go:143
INFO [S3]        Setup bucket "staging-dns-teleport" completed. duration:36.982326ms s3sessions/s3handler.go:147
INFO [DYNAMODB]  Initializing event backend. dynamoevents/dynamoevents.go:182

ERROR REPORT:
Original Error: *awserr.requestError ValidationException: Attribute GlobalSecondaryIndexes not supported
	status code: 400, request id:
Stack Trace:
	/go/src/github.com/gravitational/teleport/lib/events/dynamoevents/dynamoevents.go:664 github.com/gravitational/teleport/lib/events/dynamoevents.(*Log).createTable
	/go/src/github.com/gravitational/teleport/lib/events/dynamoevents/dynamoevents.go:222 github.com/gravitational/teleport/lib/events/dynamoevents.New
	/go/src/github.com/gravitational/teleport/lib/service/service.go:942 github.com/gravitational/teleport/lib/service.initExternalLog
	/go/src/github.com/gravitational/teleport/lib/service/service.go:1048 github.com/gravitational/teleport/lib/service.(*TeleportProcess).initAuthService
	/go/src/github.com/gravitational/teleport/lib/service/service.go:689 github.com/gravitational/teleport/lib/service.NewTeleport
	/go/src/github.com/gravitational/teleport/lib/service/service.go:423 github.com/gravitational/teleport/lib/service.newTeleportProcess
	/go/src/github.com/gravitational/teleport/lib/service/service.go:433 github.com/gravitational/teleport/lib/service.Run
	/go/src/github.com/gravitational/teleport/tool/teleport/common/teleport.go:197 github.com/gravitational/teleport/tool/teleport/common.OnStart
	/go/src/github.com/gravitational/teleport/tool/teleport/common/teleport.go:174 github.com/gravitational/teleport/tool/teleport/common.Run
	/go/src/github.com/gravitational/teleport/tool/teleport/main.go:29 main.main
	/opt/go/src/runtime/proc.go:213 runtime.main
	/opt/go/src/runtime/asm_amd64.s:1375 runtime.goexit
User Message: initialization failed

How can I properly configure saving audit events, and is it possible to keep the state in a DynamoDB-compatible backend for an HA configuration?

Environment:

  • Teleport version (use teleport version): Teleport v5.1.0 git:v5.1.0-0-g46679fb34 go1.15.5
  • OS (e.g. from /etc/os-release): CentOS 8

asterix201 avatar Feb 16 '21 13:02 asterix201
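A preflight check for a DynamoDB-compatible endpoint, added here as an example; it is not Teleport's or Yandex's code. It parses the same dynamodb://<table>?endpoint=... form used in audit_events_uri above and then issues a CreateTable that declares a GlobalSecondaryIndex, the call that failed in the log, so an operator can tell before deploying Teleport whether the endpoint will reject it. It assumes boto3 is installed and AWS-style credentials for the endpoint are configured as in the linked aws cli setup; the probe table schema, the https:// default for a scheme-less endpoint and the helper names are the example's own, not Teleport's.

```python
import sys
from urllib.parse import parse_qs, urlparse


def parse_audit_uri(uri: str) -> dict:
    """Split 'dynamodb://teleport?endpoint=host/path' into table and endpoint URL.
    Prepending https:// when no scheme is given is this probe's own assumption."""
    parts = urlparse(uri)
    if parts.scheme != "dynamodb" or not parts.netloc:
        raise ValueError(f"not a dynamodb:// URI: {uri}")
    endpoint = parse_qs(parts.query).get("endpoint", [None])[0]
    if endpoint and "://" not in endpoint:
        endpoint = "https://" + endpoint
    return {"table": parts.netloc, "endpoint": endpoint}


def classify_create_table_error(code: str, message: str) -> str:
    """Map a CreateTable API error to a short verdict for the operator."""
    if code == "ValidationException" and "GlobalSecondaryIndexes" in message:
        return "unsupported: endpoint rejects GSIs, which Teleport's event table needs"
    if code == "ResourceInUseException":
        return "probe table already exists; delete it and retry"
    return f"other error {code}: {message}"


def probe_gsi_support(endpoint: str, region: str, table: str = "teleport-gsi-probe") -> str:
    """Create, then delete, a throwaway table with one GSI against the endpoint.
    The schema is a minimal probe (assumption), not Teleport's real event-table schema."""
    import boto3  # third-party; imported here so the pure helpers work without it
    from botocore.exceptions import ClientError
    ddb = boto3.client("dynamodb", region_name=region, endpoint_url=endpoint)
    try:
        ddb.create_table(
            TableName=table,
            AttributeDefinitions=[{"AttributeName": "pk", "AttributeType": "S"},
                                  {"AttributeName": "gsi_pk", "AttributeType": "S"}],
            KeySchema=[{"AttributeName": "pk", "KeyType": "HASH"}],
            GlobalSecondaryIndexes=[{"IndexName": "probe-index",
                                     "KeySchema": [{"AttributeName": "gsi_pk", "KeyType": "HASH"}],
                                     "Projection": {"ProjectionType": "KEYS_ONLY"}}],
            BillingMode="PAY_PER_REQUEST")
    except ClientError as exc:
        err = exc.response["Error"]
        return classify_create_table_error(err.get("Code", ""), err.get("Message", ""))
    ddb.delete_table(TableName=table)  # clean up the probe table on success
    return "ok: endpoint accepted a table with a GlobalSecondaryIndex"


if __name__ == "__main__":  # usage: python probe.py '<audit_events_uri>' <region>
    cfg = parse_audit_uri(sys.argv[1])
    print(probe_gsi_support(cfg["endpoint"], sys.argv[2], cfg["table"]))
```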

We do not support DynamoDB-compatible backends, but we do document all of the supported backends for non-AWS use cases here: https://goteleport.com/docs/reference/backends/

zmb3 avatar Jun 11 '23 16:06 zmb3