Tribhuwan Phulera created GUACAMOLE-2064:
--------------------------------------------
Summary: Feature Request – Add Guacamole Protocol Module for
Secure CLI-Based Access to Relational Databases with Full Session Logging
Key: GUACAMOLE-2064
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2064
Project: Guacamole
Issue Type: New Feature
Components: guacamole
Affects Versions: 1.5.5
Reporter: Tribhuwan Phulera
I would like to propose the development of a *custom protocol module* within
Apache Guacamole to enable interactive access to various relational database
systems (e.g., MySQL, PostgreSQL, MariaDB) through their respective
command-line clients (e.g., {{mysql}}, {{psql}}, etc.), executed inside
a secure pseudo-terminal (PTY) and fully integrated into the Guacamole web
session.
----
h3. *Key Objectives*:
# Enable users to launch CLI-based database sessions via Guacamole for
operational and administrative access.
# The backend should dynamically spawn the appropriate database client (e.g.,
{{mysql}}, {{psql}}) within a PTY session, routed through the Guacamole
protocol.
# All user inputs (SQL commands) and terminal outputs (query results,
messages) must be *recorded*, with support for file-based or remote logging.
# Support basic protocol parameters such as {{hostname}}, {{port}},
{{username}}, {{password}}, and {{database}}.
# Implement protocol identification at runtime or during configuration to
route to the correct CLI binary.
----
h3. *Expected Features*:
* *Supported Clients (initial)*:
** {{mysql}} (MySQL/MariaDB)
** {{psql}} (PostgreSQL)
** Others (e.g., {{sqlcmd}} for SQL Server) can be considered for later phases.
* *Configuration Parameters*:
** {{protocol}}: {{mysql}}, {{postgres}}, etc.
** {{host}}, {{port}}, {{username}}, {{password}},
{{database}} – securely passed, not logged.
* *Session Recording*:
** Capture full terminal interaction including timestamps.
h3. *Acceptance Criteria*:
* Users can configure and launch CLI database sessions through Guacamole UI or
via backend DB configuration.
* The correct binary ({{mysql}}, {{psql}}) is invoked based on
selected protocol.
* Full interaction (commands and responses) is logged securely.
* Sessions gracefully handle disconnection, resizing, and cleanup.
* Implementation adheres to Guacamole coding and packaging standards and is
deployable via {{guacd}}.
----
h3. *Rationale*:
This enhancement will extend Guacamole's capabilities beyond SSH/Telnet to
support *auditable, web-based access to database CLIs* in secure enterprise
environments. It will reduce the need for direct terminal/VPN access while
improving observability for database operations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
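
An added example, not code from the issue or from the Guacamole project, showing one way to meet the "route to the correct CLI binary" and "securely passed, not logged" points of the request: the protocol name selects a client from a fixed allow-list, and the password never enters argv. The {{db_launch}} struct and both function names are hypothetical; {{MYSQL_PWD}} and {{PGPASSWORD}} are the clients' own environment variables ({{MYSQL_PWD}} is deprecated in MySQL 8.0), and handing the password to the child through its environment is an assumption of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical launch description; not a guacd structure. */
typedef struct db_launch {
    const char *binary;     /* allow-listed client binary */
    char args[4][280];      /* argv entries after the binary; contain no secret, safe to log */
    const char *secret_env; /* name of the env var that will carry the password */
} db_launch;

/* Fixed allow-list: protocol -> binary, user option, database option, password env var. */
static const struct { const char *proto, *bin, *user_opt, *db_opt, *pw_env; } CLIENTS[] = {
    { "mysql",    "mysql", "--user",     "--database", "MYSQL_PWD"  },
    { "postgres", "psql",  "--username", "--dbname",   "PGPASSWORD" },
};

/* Returns 0 and fills *out, or -1 if the protocol is unknown or a value is invalid. */
int db_launch_build(const char *proto, const char *host, const char *port,
                    const char *user, const char *database, db_launch *out) {
    char *end;
    long p = strtol(port, &end, 10);
    if (*port == '\0' || *end != '\0' || p < 1 || p > 65535) return -1;
    if (strlen(host) > 255 || strlen(user) > 255 || strlen(database) > 255) return -1;
    for (size_t i = 0; i < sizeof CLIENTS / sizeof CLIENTS[0]; i++) {
        if (strcmp(proto, CLIENTS[i].proto) != 0) continue;
        out->binary = CLIENTS[i].bin;
        out->secret_env = CLIENTS[i].pw_env;
        /* "--opt=value" keeps a value that starts with '-' from being read as an option. */
        snprintf(out->args[0], sizeof out->args[0], "--host=%s", host);
        snprintf(out->args[1], sizeof out->args[1], "--port=%ld", p);
        snprintf(out->args[2], sizeof out->args[2], "%s=%s", CLIENTS[i].user_opt, user);
        snprintf(out->args[3], sizeof out->args[3], "%s=%s", CLIENTS[i].db_opt, database);
        return 0;
    }
    return -1; /* unknown protocol: never fall back to a caller-supplied binary */
}

/* Call in the child after forkpty(): the password goes into the child's environment only. */
void db_launch_exec(const db_launch *l, const char *password) {
    char *argv[] = { (char *)l->binary, (char *)l->args[0], (char *)l->args[1],
                     (char *)l->args[2], (char *)l->args[3], NULL };
    setenv(l->secret_env, password, 1);
    execvp(l->binary, argv); /* a deployment would pin an absolute path here */
    _exit(127);
}
```

Because {{db_launch_build}} never receives the password, anything that logs {{binary}} and {{args}} for the session record cannot leak it.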