self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-20 17:23:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/constants.go

732 lines
23 KiB
Go
Raw Normal View History

Added support for "keep_alive_interval" and "keep_alive_count_max" to control how often the server sends keep-alive messages to clients and after how many missed keep-alive replies the server tears down the connection to the client.
2018-11-07 01:21:44 +00:00
/*
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Copyright 2018-2019 Gravitational, Inc.
Added support for "keep_alive_interval" and "keep_alive_count_max" to control how often the server sends keep-alive messages to clients and after how many missed keep-alive replies the server tears down the connection to the client.
2018-11-07 01:21:44 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed
2016-02-16 17:36:02 +00:00
package teleport
import (
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
"strings"
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed
2016-02-16 17:36:02 +00:00
"time"
api dependency reduction - utils constants (#5363) Moved constants and utils used in /api into /api/constants and /api/utils respectively.
2021-01-29 17:37:01 +00:00
"github.com/gravitational/teleport/api/constants"
)
// The following constants have been moved to /api/constants/constants.go, and are now
// imported here for backwards compatibility. DELETE IN 7.0.0
const (
Local = constants.Local
OIDC = constants.OIDC
SAML = constants.SAML
Github = constants.Github
HumanDateFormatSeconds = constants.HumanDateFormatSeconds
DefaultImplicitRole = constants.DefaultImplicitRole
APIDomain = constants.APIDomain
CertificateFormatStandard = constants.CertificateFormatStandard
DurationNever = constants.DurationNever
EnhancedRecordingMinKernel = constants.EnhancedRecordingMinKernel
EnhancedRecordingCommand = constants.EnhancedRecordingCommand
EnhancedRecordingDisk = constants.EnhancedRecordingDisk
EnhancedRecordingNetwork = constants.EnhancedRecordingNetwork
KeepAliveNode = constants.KeepAliveNode
KeepAliveApp = constants.KeepAliveApp
KeepAliveDatabase = constants.KeepAliveDatabase
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed
2016-02-16 17:36:02 +00:00
)
Added TrustedCluster resource.
2017-03-02 19:50:35 +00:00
// WebAPIVersion is a current webapi version
const WebAPIVersion = "v1"
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed
2016-02-16 17:36:02 +00:00
// ForeverTTL means that object TTL will not expire unless deleted
recover etcd backend support
2016-03-11 01:03:01 +00:00
const ForeverTTL time.Duration = 0
working proto
2017-03-08 05:42:17 +00:00
const (
// SSHAuthSock is the environment variable pointing to the
// Unix socket the SSH agent is running on.
SSHAuthSock = "SSH_AUTH_SOCK"
// SSHAgentPID is the environment variable pointing to the agent
// process ID
SSHAgentPID = "SSH_AGENT_PID"
Corrected the Session URL returned when calling "teleport status".
2017-04-07 00:16:28 +00:00
// SSHTeleportUser is the current Teleport user that is logged in.
SSHTeleportUser = "SSH_TELEPORT_USER"
// SSHSessionWebproxyAddr is the address the web proxy.
SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR"
// SSHTeleportClusterName is the name of the cluster this node belongs to.
SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"
// SSHTeleportHostUUID is the UUID of the host.
SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"
// SSHSessionID is the UUID of the current session.
SSHSessionID = "SSH_SESSION_ID"
working proto
2017-03-08 05:42:17 +00:00
)
Added debug ssh agent to be used in tests so they can run consistently across platforms.
2017-02-13 23:37:08 +00:00
Session streaming This commit introduces GRPC API for streaming sessions. It adds structured events and sync streaming that avoids storing events on disk. You can find design in rfd/0002-streaming.md RFD.
2020-07-15 00:15:01 +00:00
const (
// HTTPNextProtoTLS is the NPN/ALPN protocol negotiated during
// HTTP/1.1.'s TLS setup.
// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
HTTPNextProtoTLS = "http/1.1"
)
Added HTTP CONNECT tunneling support for Trusted Clusters.
2017-05-17 00:43:55 +00:00
const (
// HTTPSProxy is an environment variable pointing to a HTTPS proxy.
HTTPSProxy = "HTTPS_PROXY"
// HTTPProxy is an environment variable pointing to a HTTP proxy.
HTTPProxy = "HTTP_PROXY"
Add support for no_proxy environment variable NO_PROXY or no_proxy environment variables can be set to override variable HTTP_PROXY or HTTPS_PROXY. Current implementation is taken from Go standard library.
2018-08-20 21:01:15 +00:00
// NoProxy is an environment variable matching the cases
// when HTTPS_PROXY or HTTP_PROXY is ignored
NoProxy = "NO_PROXY"
Added HTTP CONNECT tunneling support for Trusted Clusters.
2017-05-17 00:43:55 +00:00
)
Use a fake clock in OTP tests.
2017-02-10 22:46:26 +00:00
const (
Added debug ssh agent to be used in tests so they can run consistently across platforms.
2017-02-13 23:37:08 +00:00
// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
TOTPValidityPeriod uint = 30
// TOTPSkew adds that many periods before and after to the validity window.
TOTPSkew uint = 1
Use a fake clock in OTP tests.
2017-02-10 22:46:26 +00:00
)
recover etcd backend support
2016-03-11 01:03:01 +00:00
const (
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentMemory is a memory backend
ComponentMemory = "memory"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// ComponentAuthority is a TLS and an SSH certificate authority
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentAuthority = "ca"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// ComponentProcess is a main control process
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentProcess = "proc"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentServer is a server subcomponent of some services
ComponentServer = "server"
Adds ACME - auto cert management This commit fixes #5177 Initial implementation uses dir backend as a cache and is OK for small clusters, but will be a problem for many proxies. This implementation uses Go autocert that is quite limited compared to Caddy's certmagic or lego. Autocert has no OCSP stapling and no locking for cache for example. However, it is much simpler and has no dependencies. It will be easier to extend to use Teleport backend as a cert cache. ```yaml proxy_service: public_addr: ['example.com'] # ACME - automatic certificate management environment. # # It provisions certificates for domains and # valid subdomains in public_addr section. # # The sudomains are valid if there is a registered application. # For example, app.example.com will get a cert if app is a regsitered # application access app. The sudomain cookie.example.com is not. # # Teleport acme is using TLS-ALPN-01 challenge: # # https://letsencrypt.org/docs/challenge-types/#tls-alpn-01 # acme: # By default acme is disabled. enabled: true # Use a custom URI, for example staging is # # https://acme-staging-v02.api.letsencrypt.org/directory # # Default is letsencrypt.org production URL: # # https://acme-v02.api.letsencrypt.org/directory uri: '' # Set email to receive alerts and other correspondence # from your certificate authority. email: 'alice@example.com' ```
2020-12-20 03:56:03 +00:00
// ComponentACME is ACME protocol controller
ComponentACME = "acme"
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
// ComponentReverseTunnelServer is reverse tunnel server
// that together with agent establish a bi-directional SSH revers tunnel
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// to bypass firewall restrictions
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
ComponentReverseTunnelServer = "proxy:server"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentReverseTunnelAgent is reverse tunnel agent
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
// that together with server establish a bi-directional SSH revers tunnel
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// to bypass firewall restrictions
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
ComponentReverseTunnelAgent = "proxy:agent"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentLabel is a component label name used in reporting
ComponentLabel = "component"
Implement kubernetes_service registration and startup (#4611) * Implement kubernetes_service registration and sratup The new service now starts, registers (locally or via a join token) and heartbeats its presence to the auth server. This service can handle k8s requests (like a proxy) but not to remote teleport clusters. Proxies will be responsible for routing those. The client (tsh) will not yet go to this service, until proxy routing is implemented. I manually tweaked server addres in kubeconfig to test it. You can also run `tctl get kube_service` to list all registered instances. The self-reported info is currently limited - only listening address is set. * Address review feedback
2020-10-30 17:19:53 +00:00
// ComponentProxyKube is a kubernetes proxy
ComponentProxyKube = "proxy:kube"
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
Cleaned up Teleport logging * Downgraded many messages from `Debug` to `Info` * Edited messages so they're not verbose and not too short * Added "context" to some * Added logical teleport component as [COMPONENT] at the beginning of many, making logs **vastly** easier to read. * Added one more logging level option when creating Teleport (only Teleconsole uses it for now) The output with 'info' severity now look extremely clean. This is startup, for example: ``` INFO[0000] [AUTH] Auth service is starting on turing:32829 file=utils/cli.go:107 INFO[0000] [SSH:auth] listening socket: 127.0.0.1:32829 file=sshutils/server.go:119 INFO[0000] [SSH:auth] is listening on 127.0.0.1:32829 file=sshutils/server.go:144 INFO[0000] [Proxy] Successfully registered with the cluster file=utils/cli.go:107 INFO[0000] [Node] Successfully registered with the cluster file=utils/cli.go:107 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56886->127.0.0.1:32829, user=turing file=auth/tun.go:370 WARN[0000] unable to load the auth server cache: open /tmp/cluster-teleconsole-client781495771/authservers.json: no such file or directory file=auth/tun.go:594 INFO[0000] [SSH:auth] new connection 127.0.0.1:56886 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56888->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56890->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370 INFO[0000] [Node] turing connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56892->127.0.0.1:32829, user=turing file=auth/tun.go:370 INFO[0000] [SSH:auth] new connection 127.0.0.1:56890 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [SSH:auth] new connection 127.0.0.1:56888 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [SSH] received event(SSHIdentity) file=service/service.go:436 INFO[0000] [SSH] received event(ProxyIdentity) file=service/service.go:563 ``` You can easily tell that auth, ssh node and proxy have successfully started.
2016-09-02 23:04:05 +00:00
// ComponentAuth is the cluster CA node (auth server API)
ComponentAuth = "auth"
Events and GRPC API This commit introduces several key changes to Teleport backend and API infrastructure in order to achieve scalability improvements on 10K+ node deployments. Events and plain keyspace -------------------------- New backend interface supports events, pagination and range queries and moves away from buckets to plain keyspace, what better aligns with DynamoDB and Etcd featuring similar interfaces. All backend implementations are exposing Events API, allowing multiple subscribers to consume the same event stream and avoid polling database. Replacing BoltDB, Dir with SQLite ------------------------------- BoltDB backend does not support having two processes access the database at the same time. This prevented Teleport using BoltDB backend to be live reloaded. SQLite supports reads/writes by multiple processes and makes Dir backend obsolete as SQLite is more efficient on larger collections, supports transactions and can detect data corruption. Teleport automatically migrates data from Bolt and Dir backends into SQLite. GRPC API and protobuf resources ------------------------------- GRPC API has been introduced for the auth server. The auth server now serves both GRPC and JSON-HTTP API on the same TLS socket and uses the same client certificate authentication. All future API methods should use GRPC and HTTP-JSON API is considered obsolete. In addition to that some resources like Server and CertificateAuthority are now generated from protobuf service specifications in a way that is fully backward compatible with original JSON spec and schema, so the same resource can be encoded and decoded from JSON, YAML and protobuf. All models should be refactored into new proto specification over time. Streaming presence service -------------------------- In order to cut bandwidth, nodes are sending full updates only when changes to labels or spec have occured, otherwise new light-weight GRPC keep alive updates are sent over to the presence service, reducing bandwidth usage on multi-node deployments. In addition to that nodes are no longer polling auth server for certificate authority rotation updates, instead they subscribe to event updates to detect updates as soon as they happen. This is a new API, so the errors are inevitable, that's why polling is still done, but on a way slower rate.
2018-11-07 23:33:38 +00:00
// ComponentGRPC is grpc server
ComponentGRPC = "grpc"
// ComponentMigrate is responsible for data migrations
ComponentMigrate = "migrate"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// ComponentNode is SSH node (SSH server serving requests)
ComponentNode = "node"
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentForwardingNode is SSH node (SSH server serving requests)
Added forwarding SSH server.
2017-11-29 00:15:46 +00:00
ComponentForwardingNode = "node:forward"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// ComponentProxy is SSH proxy (SSH server forwarding connections)
ComponentProxy = "proxy"
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// ComponentApp is the application proxy service.
ComponentApp = "app:service"
Database access (#5005)
2021-01-15 02:21:38 +00:00
// ComponentDatabase is the database proxy service.
ComponentDatabase = "db:service"
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// ComponentAppProxy is the application handler within the web proxy service.
ComponentAppProxy = "app:web"
Web UI disconnects (#5276) * Use fake clock consistently in units tests. * Split web session management into two interfaces and implement them separately for clear separation * Split session management into New/Validate to make it aparent where the sessions are created and where existing sessions are managed. Remove ttlmap in favor of a simple map and handle expirations explicitly. Add web session management to gRPC server for the cache. * Reintroduce web sessions APIs under a getter interface. * Add SubKind to WatchKind for gRPC and add conversions from/to protobuf. Fix web sessions unit tests. * lib/web: create/insert session context in ValidateSession if the session has not yet been added to session cache. lib/cache: add event filter for web session in auth cache. lib/auth: propagate web session subkind in gRPC event. * Add implicit migrations for legacy web session key path for queries. * Integrate web token in lib/web * Add a bearer token when upserting a web session * Fix tests. Use fake clock wherever possible. * Converge session cache handling in lib/web * Clean up and add doc comments where necessary * Use correct form of sessions/tokens controller for ServerWithRoles. Use fake time in web tests * Converge the web sessions/tokens handling in lib/auth to match the old behavior w.r.t access checking (e.g. implicit handling of the local user identity). * Use cached reads and waiters only when necessary. Query sessions/tokens using best-effort - first looking in the cache and falling back to a proxy client * Properly propagate events about deletes for values with subkind. * Update to retrofit changes after recent teleport API refactorings * Update comment on removing legacy code to move the deadline to 7.x * Do not close the resources on the session when it expires - this beats the purpose of this PR. Also avoid a race between closing the cached clients and an existing reference to the session by letting the session linger for longer before removing it. * Move web session/token request structs to the api client proto package * Only set HTTP fs on the web handler if the UI is enabled * Properly tear down web session test by releasing resources at the end. Fix the web UI assets configuration by removing DisableUI and instead use the presence of assets (HTTP file system) as an indicator that the web UI has been enabled. * Decrease the expired session cache clean up threshold to 2m. Only log the expiration error message for errors other than not found * Add test for terminal disconnect when using two proxies in HA mode
2021-02-04 15:50:18 +00:00
// ComponentWebProxy is the web handler within the web proxy service.
ComponentWebProxy = "web"
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
// ComponentDiagnostic is a diagnostic service
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentDiagnostic = "diag"
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Fix logging, collect status of forked processes fixes #1785, fixes #1776 This commit fixes several issues with output: First teleport start now prints output matching quickstart guide and sets default console logging to ERROR. SIGCHLD handler now only collects processes PID forked during live restart to avoid confusing other wait calls that have no process status to collect any more.
2018-03-18 02:47:06 +00:00
// ComponentClient is a client
ComponentClient = "client"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// ComponentTunClient is a tunnel client
more work, discovery works
2017-10-08 01:11:03 +00:00
ComponentTunClient = "client:tunnel"
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentCache is a cache component
ComponentCache = "cache"
// ComponentBackend is a backend component
ComponentBackend = "backend"
more work, discovery works
2017-10-08 01:11:03 +00:00
// ComponentCachingClient is a caching auth client
ComponentCachingClient = "client:cache"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
Refactored lib/srv to support multiple servers.
2017-11-09 00:41:52 +00:00
// ComponentSubsystemProxy is the proxy subsystem.
ComponentSubsystemProxy = "subsystem:proxy"
Added forwarding SSH server.
2017-11-29 00:15:46 +00:00
// ComponentLocalTerm is a terminal on a regular SSH node.
ComponentLocalTerm = "term:local"
// ComponentRemoteTerm is a terminal on a forwarding SSH node.
ComponentRemoteTerm = "term:remote"
// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
ComponentRemoteSubsystem = "subsystem:remote"
fix audit log file leak, fixes #1433 This is a fix for file leak in audit log server caused by design issue: Session file descriptors in audit log were opened on demand when the session event or byte stream chunk was reported. AuditLog server relied on SessionEnd event to close the file descriptors associated with the session. However, when SessionEnd event does not arrive (e.g. there is a timeout or disconnect), the file descriptors were not closed. This commit adds periodic clean up of inactive sessions. SessionEnd is now used as an optimization measure to close the files, but is not used as the only trigger to close files. Now, inactive idle sessions, will close file descriptors after periods of inactivity and will reopen the file descriptors when the session activity resumes. SessionLogger was not designed to open/close files multiple times as it was reseting offsets every time the session files were opened. This change fixes this condition as well.
2017-11-16 02:26:35 +00:00
// ComponentAuditLog is audit log component
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentAuditLog = "audit"
fix audit log file leak, fixes #1433 This is a fix for file leak in audit log server caused by design issue: Session file descriptors in audit log were opened on demand when the session event or byte stream chunk was reported. AuditLog server relied on SessionEnd event to close the file descriptors associated with the session. However, when SessionEnd event does not arrive (e.g. there is a timeout or disconnect), the file descriptors were not closed. This commit adds periodic clean up of inactive sessions. SessionEnd is now used as an optimization measure to close the files, but is not used as the only trigger to close files. Now, inactive idle sessions, will close file descriptors after periods of inactivity and will reopen the file descriptors when the session activity resumes. SessionLogger was not designed to open/close files multiple times as it was reseting offsets every time the session files were opened. This change fixes this condition as well.
2017-11-16 02:26:35 +00:00
LocalKeyAgent only loads keys for a user logged into a proxy.
2018-01-19 02:30:02 +00:00
// ComponentKeyAgent is an agent that has loaded the sessions keys and
// certificates for a user connected to a proxy.
ComponentKeyAgent = "keyagent"
// ComponentKeyStore is all sessions keys and certificates a user has on disk
// for all proxies.
ComponentKeyStore = "keystore"
Wrap connection used in HTTP CONNECT proxy to first read any buffered data then ready from the underlying connection.
2018-02-09 00:33:48 +00:00
// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
ComponentConnectProxy = "http:proxy"
Refactoring of SOCKS5 server.
2018-09-28 01:22:51 +00:00
// ComponentSOCKS is a SOCKS5 proxy.
ComponentSOCKS = "socks"
Create single instance of keygen per process. Use cache of precomputed certificates when using recording proxy.
2018-02-14 22:55:01 +00:00
// ComponentKeyGen is the public/private keypair generator.
ComponentKeyGen = "keygen"
adds support for GCP HA environments with gcs recording storage, firestore-backed events, and firestore backend storage
2019-06-18 20:35:21 +00:00
// ComponentFirestore represents firestore clients
ComponentFirestore = "firestore"
Migrate to structured logging in session handling code.
2018-02-20 01:59:08 +00:00
// ComponentSession is an active session.
ComponentSession = "session"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// ComponentDynamoDB represents dynamodb clients
ComponentDynamoDB = "dynamodb"
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
// Component pluggable authentication module (PAM)
ComponentPAM = "pam"
Introduce new upload API. This PR improves session recording: * Nodes and proxies always buffer recorded sessions to disk during the session what improves performance and makes the recording more resilient to network failures. * Async uploader running on proxy or node always uploads the session tarball to the audit log server. * Audit log server is the only component uploading to the S3 or any other API.
2018-03-29 20:47:53 +00:00
// ComponentUpload is a session recording upload server
ComponentUpload = "upload"
better user errors
2018-08-17 20:53:49 +00:00
// ComponentWeb is a web server
ComponentWeb = "web"
Use protobufs to communicate between proxy and web client.
2018-07-16 21:39:50 +00:00
// ComponentWebsocket is websocket server that the web client connects to.
ComponentWebsocket = "websocket"
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
// ComponentRBAC is role-based access control.
ComponentRBAC = "rbac"
Added support for "keep_alive_interval" and "keep_alive_count_max" to control how often the server sends keep-alive messages to clients and after how many missed keep-alive replies the server tears down the connection to the client.
2018-11-07 01:21:44 +00:00
// ComponentKeepAlive is keep-alive messages sent from clients to servers
// and vice versa.
ComponentKeepAlive = "keepalive"
Remove Teleport related entries from kubeconfig upon "tsh logout".
2018-11-15 22:36:11 +00:00
// ComponentTSH is the "tsh" binary.
ComponentTSH = "tsh"
Split kubeconfig path after extracting from environment.
2018-11-16 20:23:08 +00:00
// ComponentKubeClient is the Kubernetes client.
ComponentKubeClient = "client:kube"
Events and GRPC API This commit introduces several key changes to Teleport backend and API infrastructure in order to achieve scalability improvements on 10K+ node deployments. Events and plain keyspace -------------------------- New backend interface supports events, pagination and range queries and moves away from buckets to plain keyspace, what better aligns with DynamoDB and Etcd featuring similar interfaces. All backend implementations are exposing Events API, allowing multiple subscribers to consume the same event stream and avoid polling database. Replacing BoltDB, Dir with SQLite ------------------------------- BoltDB backend does not support having two processes access the database at the same time. This prevented Teleport using BoltDB backend to be live reloaded. SQLite supports reads/writes by multiple processes and makes Dir backend obsolete as SQLite is more efficient on larger collections, supports transactions and can detect data corruption. Teleport automatically migrates data from Bolt and Dir backends into SQLite. GRPC API and protobuf resources ------------------------------- GRPC API has been introduced for the auth server. The auth server now serves both GRPC and JSON-HTTP API on the same TLS socket and uses the same client certificate authentication. All future API methods should use GRPC and HTTP-JSON API is considered obsolete. In addition to that some resources like Server and CertificateAuthority are now generated from protobuf service specifications in a way that is fully backward compatible with original JSON spec and schema, so the same resource can be encoded and decoded from JSON, YAML and protobuf. All models should be refactored into new proto specification over time. Streaming presence service -------------------------- In order to cut bandwidth, nodes are sending full updates only when changes to labels or spec have occured, otherwise new light-weight GRPC keep alive updates are sent over to the presence service, reducing bandwidth usage on multi-node deployments. In addition to that nodes are no longer polling auth server for certificate authority rotation updates, instead they subscribe to event updates to detect updates as soon as they happen. This is a new API, so the errors are inevitable, that's why polling is still done, but on a way slower rate.
2018-11-07 23:33:38 +00:00
// ComponentBuffer is in-memory event circular buffer
// used to broadcast events to subscribers.
ComponentBuffer = "buffer"
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// ComponentBPF is the eBPF packagae.
ComponentBPF = "bpf"
// ComponentCgroup is the cgroup package.
ComponentCgroup = "cgroups"
Implement kubernetes_service registration and startup (#4611) * Implement kubernetes_service registration and sratup The new service now starts, registers (locally or via a join token) and heartbeats its presence to the auth server. This service can handle k8s requests (like a proxy) but not to remote teleport clusters. Proxies will be responsible for routing those. The client (tsh) will not yet go to this service, until proxy routing is implemented. I manually tweaked server addres in kubeconfig to test it. You can also run `tctl get kube_service` to list all registered instances. The self-reported info is currently limited - only listening address is set. * Address review feedback
2020-10-30 17:19:53 +00:00
// ComponentKube is an Kubernetes API gateway.
ComponentKube = "kubernetes"
Fix ADFS provider and add debug message.
2021-03-05 19:09:02 +00:00
// ComponentSAML is a SAML service provider.
ComponentSAML = "saml"
Addressed PR comments - Comments - Error creation - Moved from Mailgun's frozen time to clockwork - Made tests more reliable
2016-12-26 06:12:23 +00:00
// DebugEnvVar tells tests to use verbose debug output
DebugEnvVar = "DEBUG"
// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
VerboseLogsEnvVar = "TELEPORT_DEBUG"
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM
2016-09-10 04:44:04 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// IterationsEnvVar sets tests iterations to run
IterationsEnvVar = "ITERATIONS"
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM
2016-09-10 04:44:04 +00:00
// DefaultTerminalWidth defines the default width of a server-side allocated
// pseudo TTY
DefaultTerminalWidth = 80
// DefaultTerminalHeight defines the default height of a server-side allocated
// pseudo TTY
DefaultTerminalHeight = 25
// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
// is not defined)
SafeTerminalType = "xterm"
map OIDC scopes to roles, implements #620
2016-12-24 03:02:59 +00:00
Converted boltbk to the new format BoltDB backend is now compatible with how all backends should initialize. Also all BoltDB-specific code/constants have been consolidated inside of `backend.boltbk` package.
2017-01-13 00:04:00 +00:00
// DataDirParameterName is the name of the data dir configuration parameter passed
// to all backends during initialization
DataDirParameterName = "data_dir"
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens.
2017-01-17 19:24:17 +00:00
SSH keepalive implementation + refactoring The base SSH server implementation now sends SSH keepalive at ta rate of 1/4 of "idle timeout" constant. The client properly responds to keepalive pings. The SSH client, instead of creating 2 goroutines for handling SSH requests and SSH channels now uses the same (existing) goroutine with for-loop + select statement.
2017-01-30 19:31:37 +00:00
// SSH request type to keep the connection alive. A client and a server keep
// pining each other with it:
KeepAliveReqType = "keepalive@openssh.com"
Forwarding to proxy is controlled by a global out-of-band request. Always forward Teleport agent to node in Web UI. Support the -A flag in tsh to optionally forward agent to node in CLI.
2017-11-13 22:55:21 +00:00
// RecordingProxyReqType is the name of a global request which returns if
// the proxy is recording sessions or not.
RecordingProxyReqType = "recording-proxy@teleport.com"
scaffolding for rules matchers
2017-08-25 03:24:47 +00:00
// JSON means JSON serialization format
JSON = "json"
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
tctl: users add/ls and tokens ls json output
2019-02-21 09:46:50 +00:00
// YAML means YAML serialization format
YAML = "yaml"
// Text means text serialization format
Text = "text"
Add --format=json playback option This commit fixes #4577, updates #1580 ```bash $ tsh play --format=json ~/play/0c0b81ed-91a9-4a2a-8d7c-7495891a6ca0.tar | jq '.event "print" "print" "session.disk" ```
2020-10-17 22:01:45 +00:00
// PTY is a raw pty session capture format
PTY = "pty"
Add output options and minor refactors for tsh ls.
2020-10-01 19:12:25 +00:00
// Names is for formatting node names in plain text
Names = "names"
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
// LinuxAdminGID is the ID of the standard adm group on linux
LinuxAdminGID = 4
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// LinuxOS is the GOOS constant used for Linux.
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
LinuxOS = "linux"
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// WindowsOS is the GOOS constant used for Microsoft Windows.
WindowsOS = "windows"
// DarwinOS is the GOOS constant for Apple macOS/darwin.
DarwinOS = "darwin"
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
// DirMaskSharedGroup is the mask for a directory accessible
// by the owner and group
DirMaskSharedGroup = 0770
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// FileMaskOwnerOnly is the file mask that allows read write access
// to owers only
FileMaskOwnerOnly = 0600
// On means mode is on
On = "on"
// Off means mode is off
Off = "off"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// SchemeS3 is S3 file scheme, means upload or download to S3 like object
// storage
SchemeS3 = "s3"
adds support for GCP HA environments with gcs recording storage, firestore-backed events, and firestore backend storage
2019-06-18 20:35:21 +00:00
// SchemeGCS is GCS file scheme, means upload or download to GCS like object
// storage
SchemeGCS = "gs"
Session streaming This commit introduces GRPC API for streaming sessions. It adds structured events and sync streaming that avoids storing events on disk. You can find design in rfd/0002-streaming.md RFD.
2020-07-15 00:15:01 +00:00
// GCSTestURI turns on GCS tests
GCSTestURI = "TEST_GCS_URI"
// AWSRunTests turns on tests executed against AWS directly
AWSRunTests = "TEST_AWS"
Allow S3 buckets in different regions, implements #2007 This commit allows additional configuration for the `audit_sessions_uri` parameter: `audit_sessions_uri: s3://example.com/path?region=us-east-1` Additional query parameter `region` will override default `audit` section `region` if set.
2019-02-09 22:39:18 +00:00
// Region is AWS region parameter
Region = "region"
Added S3 third party support (#3054)
2019-10-09 18:58:18 +00:00
// Endpoint is an optional Host for non-AWS S3
Endpoint = "endpoint"
// Insecure is an optional switch to use HTTP instead of HTTPS
Insecure = "insecure"
// DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it
DisableServerSideEncryption = "disablesse"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// SchemeFile is a local disk file storage
SchemeFile = "file"
Add ability to output audit logs to stdout. This commit implements #2872. Similarly to file://, the scheme `stdout://` could be used complimentary to the existing external scheme to logs audit logs: to stdout: ```yaml audit_events_uri: ['dynamodb://events', 'stdout://',] ``` Just like `file://` scheme it is only possible to use 'stdout://' scheme when external events and session uploader are defined, so all audit upload and search features of teleport could work.
2019-07-24 22:04:13 +00:00
// SchemeStdout outputs audit log entries to stdout
SchemeStdout = "stdout"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// LogsDir is a log subdirectory for events and logs
LogsDir = "log"
Use signal pipe to make live reload better. This commit allows teleport parent process to track the status of the forked child process using os.Pipe. Child process signals success to parent process by writing to Pipe. This allows HUP and USR2 to be more intelligent as they can now detect the failure or success of the process.
2018-04-03 22:41:12 +00:00
// Syslog is a mode for syslog logging
Syslog = "syslog"
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// HumanDateFormat is a human readable date formatting
HumanDateFormat = "Jan _2 15:04 UTC"
// HumanDateFormatMilli is a human readable date formatting with milliseconds
HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC"
Do not override syslog target, fixes #2550 (#2551) Whenever teleport was started with -d flag, output target was always overwritten to stderr. This commit makes sure that target supplied in the configuration is not overwritten even in case when -d flag is set.
2019-02-10 01:43:59 +00:00
// DebugLevel is a debug logging level name
DebugLevel = "debug"
Add check and error when starting teleport with an outdated etcd node. (#4481)
2020-10-08 21:02:50 +00:00
// MinimumEtcdVersion is the minimum version of etcd supported by Teleport
MinimumEtcdVersion = "3.3.0"
add support for TELEPORT_DEBUG_TESTS environment variable turning on verbose testing
2016-03-14 21:07:45 +00:00
)
add optional agent forward cert extension
2017-03-21 20:56:05 +00:00
mfa: add new second_factor options "on" and "optional" (#5508) * mfa: add new second_factor options "on" and "optional" "on" means that 2FA is required for all users, either TOTP or U2F. "optional" means that 2FA is supported for all users, but not required. Only users with MFA devices registered will be prompted for 2FA on login. The login with both supported methods is using the same API as the U2F login. It just now supports TOTP in addition. The API endpoints are still named after "u2f", I'll rename those in a future PR (in a backwards-compatible way). * Apply suggestions from code review Co-authored-by: Gus Luxton <gus@gravitational.com> Co-authored-by: a-palchikov <deemok@gmail.com> * Address reivew feedback Co-authored-by: Gus Luxton <gus@gravitational.com> Co-authored-by: a-palchikov <deemok@gmail.com>
2021-02-17 00:24:23 +00:00
// OTPType is the type of the One-time Password Algorithm.
type OTPType string
const (
// TOTP means Time-based One-time Password Algorithm (for Two-Factor Authentication)
TOTP = OTPType("totp")
// HOTP means HMAC-based One-time Password Algorithm (for Two-Factor Authentication)
HOTP = OTPType("hotp")
)
Adds support for custom OIDC prompts (#3409) This commit adds support for custom OIDC prompt values. Read about possible prompt values here: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest Three cases are possible: * Prompt value is not set, this defaults to OIDC prompt value to select_account value to preserve backwards compatibility. ```yaml kind: oidc version: v2 metadata: name: connector spec: prompt: 'login consent' ``` * Prompt value is set to empty string, it will be omitted from the auth request. ```yaml kind: oidc version: v2 metadata: name: connector spec: prompt: '' ``` * Prompt value is set to non empty string, it will be included in the auth request as is. ```yaml kind: oidc version: v2 metadata: name: connector spec: prompt: 'login consent' ``` Tested with Auth0 OIDC connector on teleport 4.2 enterprise.
2020-03-07 01:50:16 +00:00
const (
// These values are from https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
// OIDCPromptSelectAccount instructs the Authorization Server to
// prompt the End-User to select a user account.
OIDCPromptSelectAccount = "select_account"
// OIDCAccessTypeOnline indicates that OIDC flow should be performed
// with Authorization server and user connected online
OIDCAccessTypeOnline = "online"
)
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
// Component generates "component:subcomponent1:subcomponent2" strings used
// in debugging
func Component(components ...string) string {
return strings.Join(components, ":")
}
Fixed User CA export and parsing and added --compat=1.0 flag to tctl.
2017-04-05 21:43:42 +00:00
const (
// AuthorizedKeys are public keys that check against User CAs.
AuthorizedKeys = "authorized_keys"
// KnownHosts are public keys that check against Host CAs.
KnownHosts = "known_hosts"
)
add optional agent forward cert extension
2017-03-21 20:56:05 +00:00
const (
proxy X11 forwarding support - Role options now include a `permit_x11_forwarding` bool which is set to `false` by default. - Recording proxies now forward X11 requests and channels when when permitted by RBAC. - User certs will now include the `permit-X11-forwarding` extension when permitted by RBAC. - If X11 forwarding is requested for a session a new `x11` audit event is emitted by recording proxies.
2020-06-12 00:07:45 +00:00
// CertExtensionPermitX11Forwarding allows X11 forwarding for certificate
CertExtensionPermitX11Forwarding = "permit-X11-forwarding"
add optional agent forward cert extension
2017-03-21 20:56:05 +00:00
// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
// CertExtensionPermitPTY allows user to request PTY
CertExtensionPermitPTY = "permit-pty"
// CertExtensionPermitPortForwarding allows user to request port forwarding
CertExtensionPermitPortForwarding = "permit-port-forwarding"
work on trust
2017-05-17 17:36:25 +00:00
// CertExtensionTeleportRoles is used to propagate teleport roles
CertExtensionTeleportRoles = "teleport-roles"
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
// CertExtensionTeleportRouteToCluster is used to encode
// the target cluster to route to in the certificate
CertExtensionTeleportRouteToCluster = "teleport-route-to-cluster"
Use roles and traits in certificate for RBAC. If an attacker can force a username change at an IdP, upon second login, the services.User object of the original user can be updated with new roles and traits. If these new roles and traits differ, the original user can have their privileges raised (or lowered). To mitigate this, encode roles and traits within the certificate and use these when fetching roles to make RBAC decisions. If roles and traits are not encoded within an certificate (for example for old style SSH certificates then fallback to using the services.User object and log a warning.
2019-08-02 00:19:49 +00:00
// CertExtensionTeleportTraits is used to propagate traits about the user.
CertExtensionTeleportTraits = "teleport-traits"
Implment access-request system (workflow API)
2019-11-07 05:00:32 +00:00
// CertExtensionTeleportActiveRequests is used to track which privilege
// escalation requests were used to construct the certificate.
CertExtensionTeleportActiveRequests = "teleport-active-requests"
auth: API for requesting per-connection certificates (#5527) * auth: API for requesting per-connection certificates See https://github.com/gravitational/teleport/blob/master/rfd/0014-session-2FA.md#api This API is a wrapper around GenerateUserCerts with a few differences: - performs an MFA check before generating a cert - enforces a single usage (ssh/k8s/db for now) - embeds client IP in the cert - marks a cert to distinguish from regular user certs - enforces a 1min TTL * Apply suggestions from code review Co-authored-by: a-palchikov <deemok@gmail.com> Co-authored-by: a-palchikov <deemok@gmail.com>
2021-02-11 04:29:00 +00:00
// CertExtensionMFAVerified is used to mark certificates issued after an MFA
// check.
CertExtensionMFAVerified = "mfa-verified"
// CertExtensionClientIP is used to embed the IP of the client that created
// the certificate.
CertExtensionClientIP = "client-ip"
add optional agent forward cert extension
2017-03-21 20:56:05 +00:00
)
Added support for ACR values for OIDC connectors.
2017-04-13 00:04:51 +00:00
const (
// NetIQ is an identity provider.
NetIQ = "netiq"
SAML 2.0 and AD FS integration.
2017-05-12 19:14:44 +00:00
// ADFS is Microsoft Active Directory Federation Services
ADFS = "adfs"
Added support for ACR values for OIDC connectors.
2017-04-13 00:04:51 +00:00
)
Patch for TLP-01-006 and TLP-01-007: Validate Session ID.
2017-04-25 21:57:48 +00:00
const (
// RemoteCommandSuccess is returned when a command has successfully executed.
RemoteCommandSuccess = 0
// RemoteCommandFailure is returned when a command has failed to execute and
// we don't have another status code for it.
RemoteCommandFailure = 255
)
Added support for allowing the reading of a users environment when creating a new child session from ~/.tsh/environment.
2017-05-26 19:28:46 +00:00
// MaxEnvironmentFileLines is the maximum number of lines in a environment file.
const MaxEnvironmentFileLines = 1000
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
Implement per-resource PluginData storage (#3286) - Also addresses #3282 by adding retries for CompareAndSwap on SetAccessRequestState and UpdatePluginData.
2020-01-30 21:18:43 +00:00
// MaxResourceSize is the maximum size (in bytes) of a serialized resource. This limit is
Fix common misspellings detected by `misspell` linter
2020-05-06 17:11:06 +00:00
// typically only enforced against resources that are likely to arbitrarily grow (e.g. PluginData).
Implement per-resource PluginData storage (#3286) - Also addresses #3282 by adding retries for CompareAndSwap on SetAccessRequestState and UpdatePluginData.
2020-01-30 21:18:43 +00:00
const MaxResourceSize = 1000000
Introduce utils.ReadAtMost to prevent resource exhaustion
2021-03-01 14:24:22 +00:00
// MaxHTTPRequestSize is the maximum accepted size (in bytes) of the body of
// a received HTTP request. This limit is meant to be used with utils.ReadAtMost
// to prevent resource exhaustion attacks.
const MaxHTTPRequestSize = 10 * 1024 * 1024
// MaxHTTPResponseSize is the maximum accepted size (in bytes) of the body of
// a received HTTP response. This limit is meant to be used with utils.ReadAtMost
// to prevent resource exhaustion attacks.
const MaxHTTPResponseSize = 10 * 1024 * 1024
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
const (
Added cert_format to role as well as tsh to control how a certificate is generated.
2018-01-06 02:28:31 +00:00
// CertificateFormatOldSSH is used to make Teleport interoperate with older
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
// versions of OpenSSH.
Added cert_format to role as well as tsh to control how a certificate is generated.
2018-01-06 02:28:31 +00:00
CertificateFormatOldSSH = "oldssh"
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
Added cert_format to role as well as tsh to control how a certificate is generated.
2018-01-06 02:28:31 +00:00
// CertificateFormatUnspecified is used to check if the format was specified
// or not.
CertificateFormatUnspecified = ""
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
)
Added support for default roles.
2017-07-24 22:18:46 +00:00
const (
// TraitInternalPrefix is the role variable prefix that indicates it's for
// local accounts.
TraitInternalPrefix = "internal"
// TraitLogins is the name the role variable used to store
// allowed logins.
TraitLogins = "logins"
Add OSS support for kubernetes groups * Add k8s-groups flag for tctl users add * Add kubernetes_groups field in github connector
2018-08-06 23:46:19 +00:00
// TraitKubeGroups is the name the role variable used to store
// allowed kubernetes groups
TraitKubeGroups = "kubernetes_groups"
Adds support for kubernetes_users, extend interpolation (#3404) (#3418) This commit fixes #3369, refs #3374 It adds support for kuberenetes_users section in roles, allowing Teleport proxy to impersonate user identities. It also extends variable interpolation syntax by adding suffix and prefix to variables and function `email.local`: Example: ```yaml kind: role version: v3 metadata: name: admin spec: allow: # extract email local part from the email claim logins: ['{{email.local(external.email)}}'] # impersonate a kubernetes user with IAM prefix kubernetes_users: ['IAM#{{external.email}}'] # the deny section uses the identical format as the 'allow' section. # the deny rules always override allow rules. deny: {} ``` Some notes on email.local behavior: * This is the only function supported in the template variables for now * In case if the email.local will encounter invalid email address, it will interpolate to empty value, will be removed from resulting output. Changes in impersonation behavior: * By default, if no kubernetes_users is set, which is a majority of cases, user will impersonate themselves, which is the backwards-compatible behavior. * As long as at least one `kubernetes_users` is set, the forwarder will start limiting the list of users allowed by the client to impersonate. * If the users' role set does not include actual user name, it will be rejected, otherwise there will be no way to exclude the user from the list). * If the `kuberentes_users` role set includes only one user (quite frequently that's the real intent), teleport will default to it, otherwise it will refuse to select. This will enable the use case when `kubernetes_users` has just one field to link the user identity with the IAM role, for example `IAM#{{external.email}}` * Previous versions of the forwarding proxy were denying all external impersonation headers, this commit allows 'Impesrsonate-User' and 'Impersonate-Group' header values that are allowed by role set. * Previous versions of the forwarding proxy ignored 'Deny' section of the roles when applied to impersonation, this commit fixes that - roles with deny kubernetes_users and kubernetes_groups section will not allow impersonation of those users and groups.
2020-03-08 00:32:37 +00:00
// TraitKubeUsers is the name the role variable used to store
// allowed kubernetes users
TraitKubeUsers = "kubernetes_users"
Database access (#5005)
2021-01-15 02:21:38 +00:00
// TraitDBNames is the name of the role variable used to store
// allowed database names.
TraitDBNames = "db_names"
// TraitDBUsers is the name of the role variable used to store
// allowed database users.
TraitDBUsers = "db_users"
Add OSS support for kubernetes groups * Add k8s-groups flag for tctl users add * Add kubernetes_groups field in github connector
2018-08-06 23:46:19 +00:00
// TraitInternalLoginsVariable is the variable used to store allowed
Added support for default roles.
2017-07-24 22:18:46 +00:00
// logins for local accounts.
Add OSS support for kubernetes groups * Add k8s-groups flag for tctl users add * Add kubernetes_groups field in github connector
2018-08-06 23:46:19 +00:00
TraitInternalLoginsVariable = "{{internal.logins}}"
// TraitInternalKubeGroupsVariable is the variable used to store allowed
// kubernetes groups for local accounts.
TraitInternalKubeGroupsVariable = "{{internal.kubernetes_groups}}"
Add `internal.kubernetes_users` to `kubernetes_users` on admin role With OSS version and without using the github connector (only local auth), logged in user won't have any `kubernetes_groups`. Without usernames too, user can login but can't use kubectl.
2020-04-16 00:04:46 +00:00
// TraitInternalKubeUsersVariable is the variable used to store allowed
// kubernetes users for local accounts.
TraitInternalKubeUsersVariable = "{{internal.kubernetes_users}}"
Database access (#5005)
2021-01-15 02:21:38 +00:00
// TraitInternalDBNamesVariable is the variable used to store allowed
// database names for local accounts.
TraitInternalDBNamesVariable = "{{internal.db_names}}"
// TraitInternalDBUsersVariable is the variable used to store allowed
// database users for local accounts.
TraitInternalDBUsersVariable = "{{internal.db_users}}"
Added support for default roles.
2017-07-24 22:18:46 +00:00
)
Sasha/forward ports (#2491) * Fetch groups for GSuite SSO. (#2456) Fixes #2455 This commit adds support for fetching groups for GSuite SSO logins via OIDC connector interface. If OIDC connector has a special scope: `https://www.googleapis.com/auth/admin.directory.group.readonly` teleport will fetch user's group membership and populate groups claim. * Pass kubernetes groups to the remote cluster. (#2484) This commit allows remote cluster to reference the kubernetes groups coming from the roles of the main cluster in the trusted clusters configuration. For example, main cluster can have a user with a role 'main' and kubernetes groups: kube_groups: ['system:masters'] and SSH logins: logins: ['root'] Remote cluster can choose to map this 'main' cluster to it's own: 'remote-admin' cluster in the trusted cluster config: role_map: - remote: 'main' local: 'remote-admin' The role 'remote-admin' of the remote cluster can now be templated to use the main cluster role main logins and kubernetes_groups using variables: logins: ['{{internal.logins}}'] kubernetes_groups: ['{{internal.kubernetes_groups}}'] This is possible because teleport now encodes both values in X509 certificate metadata and remote cluster passes these values as 'internal' traits to the template engine.
2019-01-17 02:55:59 +00:00
const (
// GSuiteIssuerURL is issuer URL used for GSuite provider
GSuiteIssuerURL = "https://accounts.google.com"
// GSuiteGroupsEndpoint is gsuite API endpoint
GSuiteGroupsEndpoint = "https://www.googleapis.com/admin/directory/v1/groups"
// GSuiteGroupsScope is a scope to get access to admin groups API
GSuiteGroupsScope = "https://www.googleapis.com/auth/admin.directory.group.readonly"
Fix support for GSuite logins This commit fixes support for GSuite logins by using service accounts for access purposes. The resulting connector now looks like: ```yaml kind: oidc version: v2 metadata: name: gsuite spec: redirect_url: https://example.com/v1/webapi/oidc/callback client_id: exampleclientid.apps.googleusercontent.com client_secret: exampleclientsecret issuer_url: https://accounts.google.com # Notice that scope here is not requiested from OIDC exchange anymore, this scope # # https://www.googleapis.com/auth/admin.directory.group.readonly # # is now implicitly requested by the client # scope: ['openid', 'email'] # The setup below is involved and requires careful following of the guides: # # https://developers.google.com/admin-sdk/directory/v1/guides/delegation # https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority # # The service account scopes have to be set to # # https://www.googleapis.com/auth/admin.directory.group.readonly # https://www.googleapis.com/auth/admin.directory.group.member.readonly # # the following paths are supported: # 1. plain path # /var/lib/secrets/gsuite-creds.json # # 2. explicit scheme file:// # file:///var/lib/secrets/gsuite-creds.json # # other schemes are not supported at the moment # google_service_account_file: "/var/lib/secrets/gsuite-creds.json" google_admin_email: "admin@example.com" claims_to_roles: - {claim: "groups", value: "admin@example.com", roles: ["clusteradmin"]} ```
2019-11-03 20:55:03 +00:00
// GSuiteDomainClaim is the domain name claim for GSuite
GSuiteDomainClaim = "hd"
Sasha/forward ports (#2491) * Fetch groups for GSuite SSO. (#2456) Fixes #2455 This commit adds support for fetching groups for GSuite SSO logins via OIDC connector interface. If OIDC connector has a special scope: `https://www.googleapis.com/auth/admin.directory.group.readonly` teleport will fetch user's group membership and populate groups claim. * Pass kubernetes groups to the remote cluster. (#2484) This commit allows remote cluster to reference the kubernetes groups coming from the roles of the main cluster in the trusted clusters configuration. For example, main cluster can have a user with a role 'main' and kubernetes groups: kube_groups: ['system:masters'] and SSH logins: logins: ['root'] Remote cluster can choose to map this 'main' cluster to it's own: 'remote-admin' cluster in the trusted cluster config: role_map: - remote: 'main' local: 'remote-admin' The role 'remote-admin' of the remote cluster can now be templated to use the main cluster role main logins and kubernetes_groups using variables: logins: ['{{internal.logins}}'] kubernetes_groups: ['{{internal.kubernetes_groups}}'] This is possible because teleport now encodes both values in X509 certificate metadata and remote cluster passes these values as 'internal' traits to the template engine.
2019-01-17 02:55:59 +00:00
)
Added forwarding SSH server.
2017-11-29 00:15:46 +00:00
// SCP is Secure Copy.
const SCP = "scp"
Add root to the list of logins for an Enterprise role.
2017-09-08 00:35:05 +00:00
// Root is *nix system administrator account name.
const Root = "root"
api dependency reduction - utils constants (#5363) Moved constants and utils used in /api into /api/constants and /api/utils respectively.
2021-01-29 17:37:01 +00:00
// AdminRoleName is the name of the default admin role for all local users if
Creates preset roles (#5960) Fixes #5917 Preset roles are helpful for users who are getting started with teleport. This commit introduces auditor, editor and access roles. These roles will get created by the system if they don't exist, but won't be updated if they already exist.
2021-03-12 04:23:06 +00:00
// another role is not explicitly assigned
Renamed default role to admin role.
2017-09-05 19:20:57 +00:00
const AdminRoleName = "admin"
Added support for role rules.
2017-08-16 00:27:51 +00:00
Creates preset roles (#5960) Fixes #5917 Preset roles are helpful for users who are getting started with teleport. This commit introduces auditor, editor and access roles. These roles will get created by the system if they don't exist, but won't be updated if they already exist.
2021-03-12 04:23:06 +00:00
const (
// PresetEditorRoleName is a name of a preset role that allows
// editing cluster configuration.
PresetEditorRoleName = "editor"
// PresetAccessRoleName is a name of a preset role that allows
// accessing cluster resources.
PresetAccessRoleName = "access"
// PresetAuditorRoleName is a name of a preset role that allows
// reading cluster events and playing back session records.
PresetAuditorRoleName = "auditor"
)
OSS RBAC Implements RFD #7 https://github.com/gravitational/teleport/blob/master/rfd/0007-rbac-oss.md OSS users can use roles. Some FedRamp related role options are limited to enterprise. All users are migrated to a new role "ossuser". This role is a limited access role downgrading all users from OSS role "admin". All trusted clusters are mapped to "ossuser" as well. Github connector maps teams to generated roles. For transition period, format `tctl users add alice` works alongside with `tctl users add alice --roles=admin`, but prints a warning.
2021-01-27 18:20:16 +00:00
// OSSMigratedV6 is a label to mark migrated OSS users and resources
const OSSMigratedV6 = "migrate-v6.0"
Advertise a minimum version for clients.
2018-11-08 22:34:44 +00:00
// MinClientVersion is the minimum client version required by the server.
const MinClientVersion = "3.0.0"
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
const (
// RemoteClusterStatusOffline indicates that cluster is considered as
// offline, since it has missed a series of heartbeats
RemoteClusterStatusOffline = "offline"
// RemoteClusterStatusOnline indicates that cluster is sending heartbeats
// at expected interval
RemoteClusterStatusOnline = "online"
)
UX and performance changes * Do not log EOF errors, avoid polluting logs * Trim space from tokens when reading from file * Do not use dir based caching The caching problem deserves a separate explanation. Directory backend is not concurrent friendly - it has a fundamental design flaw - multiple gorotuines writing to the same file corrupt cache data. This requires either redesign of the backend or switching to boltdb backend for caching. Boltdb backend uses transactions and is safe for concurrent access. This PR changes local cache to use boltdb instead of the dir backend that is now used only in tests.
2018-01-22 20:25:11 +00:00
const (
// SharedDirMode is a mode for a directory shared with group
SharedDirMode = 0750
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
// PrivateDirMode is a mode for private directories
PrivateDirMode = 0700
UX and performance changes * Do not log EOF errors, avoid polluting logs * Trim space from tokens when reading from file * Do not use dir based caching The caching problem deserves a separate explanation. Directory backend is not concurrent friendly - it has a fundamental design flaw - multiple gorotuines writing to the same file corrupt cache data. This requires either redesign of the backend or switching to boltdb backend for caching. Boltdb backend uses transactions and is safe for concurrent access. This PR changes local cache to use boltdb instead of the dir backend that is now used only in tests.
2018-01-22 20:25:11 +00:00
)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
const (
// SessionEvent is sent by servers to clients when an audit event occurs on
// the session.
SessionEvent = "x-teleport-event"
Send UUIDv1 session IDs to legacy servers. Before establishing a session, request the server version. If the server replies false, that means it does not support that request type and is an older server version which needs UUIDv1 format session IDs.
2019-09-09 23:56:26 +00:00
// VersionRequest is sent by clients to server requesting the Teleport
// version they are running.
VersionRequest = "x-teleport-version"
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
)
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
const (
// EnvKubeConfig is environment variable for kubeconfig
EnvKubeConfig = "KUBECONFIG"
// KubeConfigDir is a default directory where k8s stores its user local config
KubeConfigDir = ".kube"
// KubeConfigFile is a default filename where k8s stores its user local config
KubeConfigFile = "config"
// EnvHome is home environment variable
EnvHome = "HOME"
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// EnvUserProfile is the home directory environment variable on Windows.
EnvUserProfile = "USERPROFILE"
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
// KubeCAPath is a hardcode of mounted CA inside every pod of K8s
KubeCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
Kubernetes proxy integration tests. This PR contains Kubernetes proxy integration tests and associated internal changes.
2018-06-10 00:21:14 +00:00
// KubeRunTests turns on kubernetes tests
KubeRunTests = "TEST_KUBE"
Always add 'system:authenticated' to impersonation groups. Looks like impersonated users do not get 'system:authenticated' as a default. This leads to kubectl to fail for some restricted users, who don't have 'system:discovery' like permissions added to the roles. This commit always injects the group if not present in the request. See https://github.com/kubernetes/kubernetes/issues/43227 for a similar solution
2019-03-25 02:25:58 +00:00
// KubeSystemAuthenticated is a builtin group that allows
// any user to access common API methods, e.g. discovery methods
// required for initial client usage
KubeSystemAuthenticated = "system:authenticated"
Add framework for trusted cluster K8s access
2018-06-18 00:53:02 +00:00
// UsageKubeOnly specifies certificate usage metadata
// that limits certificate to be only used for kubernetes proxying
UsageKubeOnly = "usage:kube"
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// UsageAppOnly specifies a certificate metadata that only allows it to be
// used for proxying applications.
UsageAppsOnly = "usage:apps"
Database access (#5005)
2021-01-15 02:21:38 +00:00
// UsageDatabaseOnly specifies certificate usage metadata that only allows
// it to be used for proxying database connections.
UsageDatabaseOnly = "usage:db"
Add framework for trusted cluster K8s access
2018-06-18 00:53:02 +00:00
)
const (
// UseOfClosedNetworkConnection is a special string some parts of
// go standard lib are using that is the only way to identify some errors
UseOfClosedNetworkConnection = "use of closed network connection"
implement transparent UUID based routing
2020-02-24 18:41:45 +00:00
// NodeIsAmbiguous serves as an identifying error string indicating that
// the proxy subsystem found multiple nodes matching the specified hostname.
NodeIsAmbiguous = "err-node-is-ambiguous"
concurrent session control Adds support for Concurrent Session Control and a new semaphore API. Roles now support two new configuration options, `max_ssh_connections` and `max_ssh_sessions` which correspond to the total number of authenticated ssh connections per cluster, and the number of ssh sessions within a connection respectively. Attempting to exceed these limits generate variants of the `session.rejected` audit event and cause the connection/session to be rejected.
2020-08-25 19:02:16 +00:00
// MaxLeases serves as an identifying error string indicating that the
// semaphore system is rejecting an acquisition attempt due to max
// leases having already been reached.
MaxLeases = "err-max-leases"
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
)
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
const (
// OpenBrowserLinux is the command used to open a web browser on Linux.
Use xdg-open to open a default browser (#2536)
2019-01-31 13:14:47 +00:00
OpenBrowserLinux = "xdg-open"
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin.
OpenBrowserDarwin = "open"
// OpenBrowserWindows is the command used to open a web browser on Windows.
OpenBrowserWindows = "rundll32.exe"
Implement --browser flag to tsh login (cherry picked from commit edf1ddf228881afc6cfeb1226c4f208a776831f7)
2020-05-13 20:23:26 +00:00
// BrowserNone is the string used to suppress the opening of a browser in
// response to 'tsh login' commands.
BrowserNone = "none"
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
)
Always validate certificate (or key) algorithm. Added utils.CertChecker that wraps a ssh.CertChecker. The new certificate checker first checks if the certificate is a valid certificate for Teleport. At the moment that is 2048-bit RSA then calls the underlying certificate checker to perform the requested validation.
2019-02-28 00:55:57 +00:00
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
const (
Added support for reexec during port forwarding. Added support for reexec during port forwarding. This allows Teleport nodes to run PAM code before port forwarding requests. This makes any memory leaks in PAM code less dangerous as well as bringing port forwarding logic in-line with execution requests (exec or shell).
2020-02-12 21:29:30 +00:00
// ExecSubCommand is the sub-command Teleport uses to re-exec itself for
// command execution (exec and shells).
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
ExecSubCommand = "exec"
Added support for reexec during port forwarding. Added support for reexec during port forwarding. This allows Teleport nodes to run PAM code before port forwarding requests. This makes any memory leaks in PAM code less dangerous as well as bringing port forwarding logic in-line with execution requests (exec or shell).
2020-02-12 21:29:30 +00:00
// ForwardSubCommand is the sub-command Teleport uses to re-exec itself
// for port forwarding.
ForwardSubCommand = "forward"
)
const (
// ChanDirectTCPIP is a SSH channel of type "direct-tcpip".
ChanDirectTCPIP = "direct-tcpip"
// ChanSession is a SSH channel of type "session".
ChanSession = "session"
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
)
Always validate certificate (or key) algorithm. Added utils.CertChecker that wraps a ssh.CertChecker. The new certificate checker first checks if the certificate is a valid certificate for Teleport. At the moment that is 2048-bit RSA then calls the underlying certificate checker to perform the requested validation.
2019-02-28 00:55:57 +00:00
// RSAKeySize is the size of the RSA key.
const RSAKeySize = 2048
Add local aliases to default host cert principals Adding following principals: - `localhost` - `127.0.0.1` - `::1` With these, `tsh` (both `ssh` and `join`) works with a local proxy without any SSH handshake errors. Removed the warning from quickstart docs, but keeping `--proxy=grav-00` since that implies to the reader that proxy is usually remote. Fixes #2910
2020-04-14 22:11:53 +00:00
// A principal name for use in SSH certificates.
type Principal string
const (
// The localhost domain, for talking to a proxy or node on the same
// machine.
PrincipalLocalhost Principal = "localhost"
// The IPv4 loopback address, for talking to a proxy or node on the same
// machine.
PrincipalLoopbackV4 Principal = "127.0.0.1"
// The IPv6 loopback address, for talking to a proxy or node on the same
// machine.
PrincipalLoopbackV6 Principal = "::1"
)
Emit correct event user who updates user records (#3635) * Add UpdateUser rpc to proto * Differentiate between create and update in github,oidc,saml * Edit updated_by event field to be more generic (used with contexts to capture user modifying records) * Update security issue by removing secrets from user when update/upsert/create (forrest) * Update createUser in resource_command and require force for updates
2020-05-05 23:49:32 +00:00
// UserSystem defines a user as system.
const UserSystem = "system"
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
const (
// internal application being proxied.
AppJWTHeader = "teleport-jwt-assertion"
// AppCFHeader is a compatibility header.
AppCFHeader = "cf-access-token"
)
auth: API for requesting per-connection certificates (#5527) * auth: API for requesting per-connection certificates See https://github.com/gravitational/teleport/blob/master/rfd/0014-session-2FA.md#api This API is a wrapper around GenerateUserCerts with a few differences: - performs an MFA check before generating a cert - enforces a single usage (ssh/k8s/db for now) - embeds client IP in the cert - marks a cert to distinguish from regular user certs - enforces a 1min TTL * Apply suggestions from code review Co-authored-by: a-palchikov <deemok@gmail.com> Co-authored-by: a-palchikov <deemok@gmail.com>
2021-02-11 04:29:00 +00:00
// UserSingleUseCertTTL is a TTL for per-connection user certificates.
const UserSingleUseCertTTL = time.Minute
Prefer registering via proxy when the server's port is 443 (#5600) Checking for port 3080 was already implemented as part of #5182.
2021-02-18 12:25:46 +00:00
// StandardHTTPSPort is the default port used for the https URI scheme,
// cf. RFC 7230 § 2.7.2.
const StandardHTTPSPort = 443
Reference in a new issue Copy permalink