I am exploring the possibility of implementing Zero Trust principles for databases like MySQL and PostgreSQL using OpenZiti. I have a few questions and would appreciate your insights:
Can OpenZiti be used to establish a Zero Trust architecture for MySQL and PostgreSQL? If so, are there any specific configurations I should follow?
After implementing OpenZiti for these databases, is it possible to access and manage MySQL and PostgreSQL using GUI tools like MySQL Workbench and pgAdmin? Or would the access be restricted to CLI tools only?
Thank you in advance for your guidance and suggestions.
I am sure many can give much better answers, but have you seen ZDBC - ziti-sdk-jvm/ziti-jdbc at main · openziti/ziti-sdk-jvm · GitHub. We used the OpenZiti JVM SDK to wrap it around JDBC for a 'clientless' endpoint on the client side. That makes me wonder, is your question related to client or server side of this?
Yes it definitely can. OpenZiti works for any TCP or UDP connection and databases are generally TCP. Another example along the JDBC route is this video that describes a "Totally Private Postgres" https://www.youtube.com/watch?v=7ON6Ybs1s3A with a (if I say so myself) nice little overview of how it all works.
"Maybe". Some SQL clients will allow you to use a JDBC driver of your choice. I use JetBrains DataGrip for example but SQuirrel also allows for this. If that's the case for your SQL client, ZDBC will blow your mind! The readme shows you the basics about how that should work. A big benefit of ZDBC is that you won't need to have a tunneler running. If you have a tunneler running on the machine then you might not need ZDBC, but since it's a truly application-embedded solution, if you use ZDBC it'll work even when your tunneler is off, and that's really cool.
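As an added example of the server-side configuration the first question asks about (not code from this thread or from the OpenZiti project), the script below defines a PostgreSQL service on an OpenZiti network: an intercept.v1 config that a client tunneler (or ZDBC) intercepts, a host.v1 config that the tunneler on the database host forwards to, and separate Bind and Dial service policies so the database host can only host and clients can only dial. It assumes the `ziti` CLI is on PATH and already logged in to the controller, a recent CLI that accepts `ziti edge create identity <name>` without a type argument, and that the names `pg`, `postgres.ziti` and the `pg-servers`/`pg-clients` role attributes are illustrative. With `DRY_RUN=1` (the default) it only prints the commands; run it as `sh ziti-pg.sh apply` to execute them.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenZiti project.
# Defines an OpenZiti service for a PostgreSQL server reached through a tunneler.
# Assumes `ziti` is on PATH and logged in; names and hostnames are illustrative.
# DRY_RUN=1 (default) prints the commands instead of running them.

ziti_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "ziti $*"
    else
        ziti "$@"
    fi
}

# intercept.v1: hostname/port the client side intercepts (resolved by the tunneler
# or SDK, not by system DNS). $1=hostname $2=port
intercept_cfg() {
    printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

# host.v1: where the tunneler on the database host forwards dialed traffic.
# 127.0.0.1 means PostgreSQL need not listen on any routable interface. $1=port
host_cfg() {
    printf '{"protocol":"tcp","address":"127.0.0.1","port":%s}' "$1"
}

# $1=service name $2=database port $3=intercept hostname
create_db_service() {
    svc=$1; port=$2; host=$3
    ziti_cmd edge create config "$svc.intercept" intercept.v1 "$(intercept_cfg "$host" "$port")"
    ziti_cmd edge create config "$svc.host" host.v1 "$(host_cfg "$port")"
    ziti_cmd edge create service "$svc" --configs "$svc.intercept,$svc.host"
    # Least privilege: #<svc>-servers may only Bind (host), #<svc>-clients may only Dial.
    ziti_cmd edge create service-policy "$svc.bind" Bind --service-roles "@$svc" --identity-roles "#$svc-servers"
    ziti_cmd edge create service-policy "$svc.dial" Dial --service-roles "@$svc" --identity-roles "#$svc-clients"
}

# One identity for the tunneler on the database host, one for a client machine
# (e.g. the workstation running pgAdmin). $1=service name
create_db_identities() {
    ziti_cmd edge create identity "$1-server" -a "$1-servers" -o "$1-server.jwt"
    ziti_cmd edge create identity "$1-client" -a "$1-clients" -o "$1-client.jwt"
    # Check: the policy advisor reports whether the client can actually dial the service.
    ziti_cmd edge policy-advisor identities "$1-client" "$1"
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    create_db_service pg 5432 postgres.ziti
    create_db_identities pg
fi
```

After enrolling the JWTs with a tunneler on each side, a GUI client such as pgAdmin or MySQL Workbench on the client machine simply connects to `postgres.ziti:5432`; the tunneler intercepts that name and carries the session over the fabric to the database host's loopback listener.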
Thank you for your response and the resources you shared! I appreciate the suggestion to look into ZDBC and the links to videos and presentations.
Regarding your question, I’m actually trying to better understand which side (client or server) my current focus aligns with. My primary goal is to implement a secure, Zero Trust architecture that allows remote access to MySQL or PostgreSQL databases. Specifically, I’d like clients to be able to connect to the database securely, ideally using GUI tools like MySQL Workbench or pgAdmin.
Based on this, do you think my scenario is more focused on the client side, the server side, or perhaps both?
Thank you for the detailed explanation and the video link! It helped me understand more about how ZDBC works with PostgreSQL.
Based on the cheatsheet provided on GitHub, I’m still trying to grasp the concept of JDBC and how it integrates with OpenZiti.
From what I understand, ZDBC doesn’t modify or bundle the database itself. Instead, it wraps the JDBC connection to make it Zero Trust compatible, securing the connection between the client and the database server. Is that correct?
Also, for a GUI client like MySQL Workbench or pgAdmin, would ZDBC still be applicable, or would I need to rely on tunneler configurations instead?
It's not JDBC per se, but it's the "ZDBC" driver that knows how to set up the JDBC driver to work/integrate with OpenZiti and whatever JDBC driver is being used.
If these tools allow you to use JDBC drivers, I expect they would work fine with ZDBC. If the tool doesn't leverage JDBC and instead has native drivers, I believe you'll likely need to use a tunneler.
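To make the two client-side paths discussed in this thread concrete, here is an added Java example (not code from the thread or from the OpenZiti project) that opens the same OpenZiti-hosted PostgreSQL service either through ZDBC, with no tunneler on the machine, or through an ordinary JDBC driver that relies on a running tunneler intercepting the service hostname, which is the path a native-driver GUI such as pgAdmin would take. The `jdbc:ziti:` URL prefix and the `zitiIdentityFile` property are taken from my reading of the ziti-jdbc README and should be verified against the current README; the hostname `postgres.ziti`, database name, user and identity path are illustrative, and the ZDBC jar plus the PostgreSQL JDBC driver are assumed to be on the classpath.

```java
// Added example, not code from the thread or the OpenZiti project.
// Assumed (verify against the ziti-jdbc README): "jdbc:ziti:" URL prefix and the
// "zitiIdentityFile" connection property. Hostname, db, user and paths are illustrative.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class ZitiPostgresCheck {
    // The intercept.v1 address of the service; with ZDBC the SDK resolves it,
    // with a tunneler the tunneler does. System DNS never sees it.
    static final String SERVICE_HOST = "postgres.ziti";
    static final String DB = "appdb";

    /** Path 1: ZDBC, application-embedded; works while the tunneler is off. */
    static Connection viaZdbc(String identityFile, String user, String password) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("zitiIdentityFile", identityFile); // enrolled OpenZiti identity (JSON)
        // ZDBC handles the "ziti:" segment and delegates the rest to the wrapped PostgreSQL driver.
        return DriverManager.getConnection("jdbc:ziti:postgresql://" + SERVICE_HOST + ":5432/" + DB, props);
    }

    /** Path 2: plain driver; only works while a tunneler with a Dial-able identity is running. */
    static Connection viaTunneler(String user, String password) throws SQLException {
        return DriverManager.getConnection("jdbc:postgresql://" + SERVICE_HOST + ":5432/" + DB, user, password);
    }

    /** Sanity check that the session terminates at the intended server. */
    static String serverVersion(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT version()")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws SQLException {
        boolean useZdbc = args.length > 0 && args[0].equals("zdbc");
        String password = System.getenv("PGPASSWORD");
        try (Connection conn = useZdbc
                ? viaZdbc("/etc/ziti/pg-client.json", "app", password)
                : viaTunneler("app", password)) {
            System.out.println((useZdbc ? "ZDBC" : "tunneler") + " -> " + serverVersion(conn));
        }
    }
}
```

A useful check is to stop the tunneler and run the program both ways: the ZDBC path should still connect, while the plain-driver path should fail to resolve `postgres.ziti`, which is exactly the difference between the application-embedded and tunneler-based options described above.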