Skip to main content
Version: v4.7

Manage sidecar-repository bindings

A Cyral sidecar provides protection and access control to the data repositories bound to it. Below we explain how to bind repositories and manage the set of repositories bound to a sidecar.

Bind a repository to a sidecar

To protect a repository and control how users connect to it, you must associate the tracked repository with a Cyral sidecar. We refer to this as binding the data repository to a sidecar. You may bind many repositories to a single sidecar.

Prerequisites

Procedure

When you bind a repository to a sidecar, you're associating the repository with the Cyral interception service that will secure and monitor it, and you're establishing a listener port where data users can safely and easily connect to the repository using the authentication method you specify.

  1. In the Sidecars tab, select the sidecar to which you'd like to bind the repository and click its name to reveal the configuration options for the sidecar.

  2. In the Data Repositories section of the Sidecars tab, click the Bind Data Repo button.

  3. In the Bind Data Repo window, choose the repository you want to protect with this sidecar.

  4. Specify the Sidecar port(s) where data users and applications will connect to this repository. All connections established through the port(s) specified here will be authenticated and monitored by Cyral.

    Note the following, based on your repo type:

    Smart Ports may allow you to re-use a port: On a given sidecar, you may choose to reuse a port number that's already in use for another repository of the same type. Such shared ports are called Smart Ports. A single Smart Port gives users access to as many repositories as you have assigned to that port. If a port has already been created for your repository type on this sidecar, its port number will appear in the drop-down list. For example, you can bind a new MySQL database on a sidecar port that's already bound to one of your other MySQL databases. For some repository types, Cyral does not support the Smart Ports feature. For these, you must choose a port number that's not in use on this sidecar.

    Smart Ports on MySQL and MariaDB: For a MySQL or MariaDB repository that uses a Smart Port, you must specify the version of MySQL/MariaDB that the sidecar will advertise to connecting clients.

    MongoDB replica sets: For a MongoDB replica set, you can set port numbers for all replicas. See Port ranges for MongoDB clusters

    S3 ports: For S3 repositories, you must specify a proxy port and, if the S3 Browser is enabled, an S3 browser port. See Track an S3 or DynamoDB storage location.

    info

    How is the Sidecar port used? Users and applications will connect to the repository at the sidecar host address and this Sidecar port number. Data users can look up the sidecar host address and listener port in the Data Access Portal panel in the Cyral UI.

    Must this Sidecar port match the native port exposed by the repository? No, you can choose a different port here. For information about the repository's native port, see Track a repository.

  5. Click Bind.

tip

If the sidecar is behind a VPN or load balancer, please verify that the port is exposed/open in your VPN or load balancer configuration.

You've configured your data repository to be monitored by a Cyral sidecar.

Next steps

Smart Ports

Smart Ports let you bind as many repositories as you wish to a single Cyral sidecar port. This can help:

  • minimize the amount of infrastructure you need to deploy/manage for sidecars; and
  • avoid the tricky task of aligning the set of ports on your sidecar instance with the ports needed by the repositories it protects.
info

Smart Ports are currently supported on MySQL, MariaDB, PostgreSQL, Denodo, and Redshift repositories. For other repository types, each time you bind a new repository to a given sidecar, that repository must be given a unique port number on the sidecar.

Create a Smart Port

A Smart Port is created automatically when you bind a repository to a port number that's already in use for another repository of the same type (for example, a MySQL database) on this sidecar. This applies only to MySQL, MariaDB, PostgreSQL, Denodo, and Redshift repositories.

Once created, the Smart Port will be available for assignment to any other repository of the same type on this sidecar. You can choose it when you bind a repository to the sidecar.

note

MySQL and MariaDB users: Because a single Smart Port can provide access to multiple repositories whose database patch version numbers may differ, you must specify the advertised server version when assigning Smart Ports for MySQL and MariaDB.

Manage Smart Ports

To view and manage all the Smart Ports on a sidecar, follow these steps:

  1. Click Sidecars ➡️ click the name of your sidecar ➡️ Advanced.

  2. The Smart Ports section contains a tile for each Smart Port that's been created on this sidecar. Each Smart Port tile shows:

    • the port number where data users can connect
    • the repository type associated with this port
    • the number of repository bindings that currently use this port
    • if the Smart Port belongs to a repository type that includes additional properties (such as Advertised Version on MySQL ports), an edit button allows you to view and change those properties.

Ports for MongoDB clusters

For a MongoDB replica set cluster, Cyral's repository tracking page specifies the number of required ports for the cluster, and the Bind Data Repo page shows the list of ports, in the sidecar, that will be used.

The image below shows sidecar port assignments for a MongDB replica set that was configured with 3 replication nodes on the repository tracking page.

Ports for MySQL and MariaDB

Because a single Smart Port can provide access to multiple repositories whose database patch version numbers may differ, you must specify the advertised server version when assigning Smart Ports for the following repository types:

Advertised server version

A Smart Port for a MySQL or MariaDB data repository will propagate an advertised server version in the network protocol. The advertised server version is how the sidecar presents itself to client applications. It is composed of three numbers delimited by dots: for example, 8.0.4 (a MySQL example ) or 10.6.7 (a MariaDB example ).

The version advertised by the sidecar can be the same as the underlying database’s version; however, this is not always the case. Some differences might occur, especially if multiple different databases are put behind the same sidecar Smart Port. For example, take the following configuration:

  • MySQL Database A, running with version 8.0.4.
  • MySQL Database B, running with version 5.7.40.
  • A Cyral sidecar proxying client connections to both databases through the same Smart Port.

In this case, you have the option to configure the sidecar Smart Port to advertise its version as 8.0.4, 5.7.40, or even another version between those two versions. An incorrect configuration can affect the behavior of client applications. For example, some MySQL client drivers rely on the server version to determine which features they will enable and which system variables they will allow to be queried on the database.

See the section below for your repository type:

MySQL Smart Port configuration

  1. Always try to keep the underlying databases behind a single Smart Port at the same version, while also ensuring the advertised server version, present in the Smart Port configuration, matches the same version value.

  2. If your underlying database server versions are different:

    • Different major numbers (first digit), e.g., 8.x.x vs. 5.x.x,: Create individual Smart Ports for each major version.

    • Different minor numbers (second digit), e.g., x.0.x vs. x.1.x: Create individual Smart Ports for each minor version.

    • Different patches (third digit), e.g., 8.0.1 vs 8.0.4: You can share the same Smart Port, with a few observations:

      • Use the lowest value across all database versions to configure the Smart Port advertised version. For example, between the two above example values (8.0.4 and 8.0.1) we would configure the Smart Port with version 8.0.1. This helps prevent the client application from relying on changes only present in the newer version.

      • Refer to the following table that brings together server patch versions that are expected to present similar functionalities and can be multiplexed behind the same Smart Port.

        MySQL versionVersion to advertise on Smart Port
        5.5.40 - 5.5.625.5.40
        5.6.17 - 5.6.515.6.17
        5.7.1 - 5.7.35.7.1
        5.7.4 - 5.7.45.7.4
        5.7.5 - 5.7.165.7.5
        5.7.17 - 5.7.405.7.17
        8.0.0 - 8.0.08.0.0
        8.0.1 - 8.0.28.0.1
        8.0.3 - 8.0.178.0.4
        8.0.18 - 8.0.228.0.18
        8.0.23 - 8.0.268.0.23
        8.0.27 - 8.0.318.0.27
        note

        By default, the Cyral sidecar shows an advertised server version of 8.0.4 for MySQL repos.

MariaDB Smart Port configuration

  1. Similarly to MySQL, always try to keep the underlying databases behind a single Smart Port at the same version, while also ensuring the advertised server version, present in the Smart Port configuration, matches the same version value.

  2. If your underlying database server versions are different:

    • Different major numbers (first digit), e.g., 8.x.x vs. 5.x.x: Create individual Smart Ports for each major version.

    • Different minor or patch numbers (second or third digits): You can share the same Smart Port, with a few observations:

      • Use the lowest value across all database versions to configure the Smart Port advertised version. For example, between the two example values 10.2.5 and 10.4.2, we would configure the Smart Port with the advertised version 10.2.5.

      • Refer to the following table that brings together server minor and patch versions that are expected to present similar functionalities and can be multiplexed behind the same Smart Port.

        MariaDB versionVersion to advertise on Smart Port
        5.5.40 - 5.5.645.5.40
        10.0.15 - 10.1.4810.0.15
        10.2.5 - 10.4.210.2.5
        10.4.3 - 10.5.310.4.3
        10.5.4 - 10.9.310.6.7
        note

        By default, the Cyral sidecar shows an advertised server version of 10.6.7 for MariaDB repos.

Turn sidecar coverage on or off for a repository

You can turn on and turn off the sidecar's coverage for a repository. Once a sidecar's coverage is turned off for a repository, the sidecar stops accepting connections for that repository. This means that the sidecar will not see requests and will not handle authentication or authorization for the repository. (Keep in mind that another sidecar might be providing coverage for the repository.)

tip

Don't confuse turning off coverage with passthrough mode. See Passthrough mode.

To turn a sidecar's coverage on or off for a given repository, you will disable it's binding. Follow these steps:

  1. Click Sidecars ➡️ click the name of your sidecar ➡️ Repositories.

  2. Find your data repository in the list and click the more icon (three stacked dots) on the right side, and choose Edit.

  3. In the Edit Binding window, toggle the Enable binding setting to the desired position.

    warning

    You cannot disable the binding if the sidecar is designated for the Access Gateway. To remove the Access Gateway designation, see the Access Gateway instructions.

  4. Click Save.

Change the sidecar port for a repository

To change a repository's assigned port(s) where the sidecar allows connections, follow these steps:

  1. Click Sidecars ➡️ click the name of your sidecar ➡️ Data Repositories.

  2. Find your data repository in the list and click the more icon (three stacked dots) on the right side, and choose Edit.

  3. In the Edit Binding window, set the Sidecar port to the desired port number. Note the following:

    • You may choose to assign a port number that's already in use for another repository on this sidecar. If you do this, Cyral converts the port into a Smart Port.
    • For a MySQL repository that uses a Smart Port, you must specify the Advertised version of MySQL that the sidecar will offer to connecting clients.
    • For a MongoDB replica set, you can set port numbers for all replicas. See Port ranges for MongoDB clusters