[v14] [Docs] Add necessary permission for using auto-provisioned user…
… deletion on MariaDB guide (#35063)

* docs(mariadb): add additional permission for teleport-admin user

* docs(database-access): update best_effort_drop mode definition

* docs(database-access): add missing permission to self-hosted mariadb
gabrielcorado authored Nov 28, 2023
1 parent ea8481b commit d1a937e
Showing 2 changed files with 6 additions and 3 deletions.
2 changes: 2 additions & 0 deletions docs/pages/database-access/auto-user-provisioning/mariadb.mdx
Expand Up @@ -41,6 +41,7 @@ CREATE USER 'teleport-admin' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT PROCESS, CREATE USER ON *.* TO 'teleport-admin';
GRANT SELECT ON mysql.roles_mapping TO 'teleport-admin';
GRANT UPDATE ON mysql.* TO 'teleport-admin'; -- For SET DEFAULT ROLE FOR
GRANT SELECT ON *.* TO 'teleport-admin'; -- Required when using best_effort_drop mode for checking if users own resources before dropping them.

CREATE DATABASE IF NOT EXISTS `teleport`;
GRANT ALL ON `teleport`.* TO 'teleport-admin' WITH GRANT OPTION;
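
Review bot: The new `GRANT SELECT ON *.* TO 'teleport-admin';` line in the RDS setup block gives the admin user read access to every table on the server, although its own comment says it is only needed for `best_effort_drop` mode. Because the statement sits in the block that everyone copies, deployments using `keep` mode will pick it up as well. Consider moving it out of the main block into a separate, clearly optional step for `best_effort_drop`, so that `keep` users can leave it out.
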
Expand Down Expand Up @@ -75,6 +76,7 @@ CREATE USER 'teleport-admin' REQUIRE SUBJECT '/CN=teleport-admin';
GRANT PROCESS, CREATE USER ON *.* TO 'teleport-admin';
GRANT SELECT ON mysql.roles_mapping TO 'teleport-admin';
GRANT UPDATE ON mysql.* TO 'teleport-admin'; -- For SET DEFAULT ROLE FOR
GRANT SELECT ON *.* TO 'teleport-admin'; -- Required when using best_effort_drop mode for checking if users own resources before dropping them.

CREATE DATABASE IF NOT EXISTS `teleport`;
GRANT ALL ON `teleport`.* TO 'teleport-admin' WITH GRANT OPTION;
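
Review bot: With `GRANT SELECT ON *.*` added to the self-hosted block, the `GRANT SELECT ON mysql.roles_mapping` statement two lines above it is already covered by the global grant, and nothing tells the reader which of the two to keep when `best_effort_drop` is not in use. A short remark that the table-level grant is the one to keep when the global grant is skipped would help. The trailing comment on the new line is also long enough that it would read better on its own line above the statement.
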
Expand Up @@ -33,6 +33,7 @@ The available provisioning modes are:
* `keep`: Enables user provisioning and disables users at session end. The user
will be stripped of all roles and the user account will be locked.

* `best_effort_drop`: Enables user provisioning and tries to drop user
at session end. If the drop fails, fallback to disabling them (same as `keep`
mode).
* `best_effort_drop`: Enables user provisioning and, when the session ends,
drops the user if no resources depend on it. In cases where any resource
depends on the user, it falls back to disabling the user, mirroring the
behavior of `keep` mode.
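
Review bot: The rewritten `best_effort_drop` bullet says the user is dropped "if no resources depend on it" but does not say what counts as a resource, nor that this dependency check can require extra privileges for the admin user, which is what the MariaDB guide change in this same commit adds. Suggest naming one example of a dependent resource and pointing readers to the admin-user permissions section of their database guide for this mode.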
