Support Oracle connections without wallet #49753

Open
wants to merge 4 commits into
base: master

@Tener Tener commented Dec 4, 2024

Overview

The change is backwards compatible. Depends on https://github.com/gravitational/teleport.e/pull/5623 on the db agent side.

The functional changes:

  • Oracle proxy will accept both TLS and non-TLS connections and discriminate between the two based on the first byte sent.
  • If every db agent for a given database instance is at least 17.2.0 (where https://github.com/gravitational/teleport.e/pull/5623 is planned to land), then tsh will show connection instructions that don't depend on Oracle wallet.
  • Otherwise, if there are any pre-17.2.0 agents in the mix, the wallet-based instructions will be in effect, but with a message suggesting an upgrade.
  • Alternative connection strings and other details are printed in debug logs
  • Teleport Connect ad is dropped; the Oracle support has known problems there, which should be addressed first.

UX

All new agents:

Started authenticated tunnel for the Oracle database "oracle-dlagon" in cluster "boson.tener.io" on 127.0.0.1:11555.

Use the following command to connect to the Oracle database server using CLI:
  $ sql -L /@localhost:11555/XE

Other clients can use:
  - a direct connection to 127.0.0.1:11555 without a username and password
  - a custom JDBC connection string: 'jdbc:oracle:thin:@tcps://localhost:11555/XE?TNS_ADMIN=/Users/tener/.tsh/keys/boson.tener.io/tener-db/boson.tener.io/oracle-dlagon-wallet'

Some or all old agents:

Started authenticated tunnel for the Oracle database "oracle-dlagon" in cluster "boson.tener.io" on 127.0.0.1:11555.

Use the following command to connect to the Oracle database server using CLI:
  $ sql -L 'jdbc:oracle:thin:@tcps://localhost:11555/XE?TNS_ADMIN=/Users/tener/.tsh/keys/boson.tener.io/tener-db/boson.tener.io/oracle-dlagon-wallet'

You can also connect using Oracle JDBC connection string:
  'jdbc:oracle:thin:@tcps://localhost:11555/XE?TNS_ADMIN=/Users/tener/.tsh/keys/boson.tener.io/tener-db/boson.tener.io/oracle-dlagon-wallet'

Note: for improved client compatibility, upgrade your Teleport cluster. For details rerun this command with --debug.

The --debug messages will show agent counts and alternative connection strings:

2024-12-10T13:40:11+01:00 DEBU [TSH]       Agents for database "oracle-dlagon" with Oracle support: total 2, old 1, new 1. common/proxy.go:392
2024-12-10T13:40:11+01:00 WARN [TSH]       Detected database agents older than 17.2.0. For improved client support upgrade all database agents in your cluster to a newer version. common/proxy.go:395
2024-12-10T13:40:11+01:00 DEBU [TSH]       Building Oracle commands. dbcmd/dbcmd.go:818
2024-12-10T13:40:11+01:00 DEBU [TSH]       Found servers with TCP support: true. dbcmd/dbcmd.go:819
2024-12-10T13:40:11+01:00 DEBU [TSH]       All servers support TCP: false. dbcmd/dbcmd.go:820
2024-12-10T13:40:11+01:00 DEBU [TSH]       Connection strings: dbcmd/dbcmd.go:822
2024-12-10T13:40:11+01:00 DEBU [TSH]       - JDBC: 'jdbc:oracle:thin:@tcps://localhost:11555/XE?TNS_ADMIN=/Users/tener/.tsh/keys/boson.tener.io/tener-db/boson.tener.io/oracle-dlagon-wallet' dbcmd/dbcmd.go:823
2024-12-10T13:40:11+01:00 DEBU [TSH]       - TNS descriptor: /@(DESCRIPTION=(SDU=8000)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=11555)))(CONNECT_DATA=(SERVICE_NAME=XE))) dbcmd/dbcmd.go:825
2024-12-10T13:40:11+01:00 DEBU [TSH]       - Direct: /@localhost:11555/XE dbcmd/dbcmd.go:826
Started authenticated tunnel for the Oracle database "oracle-dlagon" in cluster "boson.tener.io" on 127.0.0.1:11555.

changelog: Support wider range of Oracle clients and simplified configuration.
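
An added example, not code from this pull request or from Teleport, of the first-byte check the description mentions: peek one byte, treat 0x16 (the TLS handshake record type) as TLS, and replay the byte to whichever handler takes the connection. The names `classify`, `peekedConn` and `probe`, the choice of 0x16 as the discriminator, and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
)

// A TLS ClientHello arrives in a handshake record; its first byte is 0x16.
const tlsHandshakeRecord = 0x16

// peekedConn reads through the bufio.Reader so the peeked byte is replayed.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *peekedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// classify peeks at the first byte; callers must use the returned conn.
func classify(conn net.Conn) (net.Conn, bool, error) {
	r := bufio.NewReader(conn)
	first, err := r.Peek(1)
	if err != nil {
		return nil, false, fmt.Errorf("peeking first byte: %w", err)
	}
	return &peekedConn{Conn: conn, r: r}, first[0] == tlsHandshakeRecord, nil
}

// probe sends constructed bytes over an in-memory pipe (assumed test helper).
func probe(sent []byte) (bool, []byte, error) {
	client, server := net.Pipe()
	defer server.Close()
	go func() { client.Write(sent); client.Close() }()
	conn, isTLS, err := classify(server)
	if err != nil {
		return false, nil, err
	}
	got := make([]byte, len(sent))
	_, err = io.ReadFull(conn, got)
	return isTLS, got, err
}

func main() {
	// Constructed samples: a TLS record header, then arbitrary non-TLS bytes.
	samples := [][]byte{{0x16, 0x03, 0x01, 0x00, 0x05}, {0x00, 0x3a, 0x00, 0x00, 0x01}}
	for _, s := range samples {
		isTLS, got, err := probe(s)
		fmt.Printf("isTLS=%v replayed=%x err=%v\n", isTLS, got, err)
	}
}
```

A client that connects and sends nothing yields an error from `classify` rather than a default classification, so a production listener would also want a read deadline on the peek.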

@Tener Tener requested review from greedy52 and smallinsky December 4, 2024 09:11
@github-actions github-actions bot added the size/md and tsh labels Dec 4, 2024
@github-actions github-actions bot requested a review from gzdunek December 4, 2024 09:12
@Tener Tener requested a review from gabrielcorado December 4, 2024 10:55
@greedy52 greedy52 requested a review from GavinFrazar December 4, 2024 15:27
@Tener Tener requested a review from greedy52 December 10, 2024 12:44
Tener commented Dec 10, 2024

Turns out some clients are surprisingly difficult to configure without the JDBC connection string. I've updated the PR to always show that as an option, even when all agents are new enough to support TCP-only mode.

@GavinFrazar GavinFrazar left a comment

LGTM

I tested these combos manually with oracle db [Agent v16.4.0, v17.0.2, v17.0.0-dev] x [tsh v16.4.0, v17.0.0-dev]
where the dev builds were made with this PR + the e update.

All combos worked 👍

Tener commented Dec 12, 2024

Thanks for approvals folks!

Adding 'do-not-merge' for now, we need to time this PR well to ensure the version checks do the right thing.
