self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-21 09:44:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/constants.go

593 lines
18 KiB
Go
Raw Normal View History

Added support for "keep_alive_interval" and "keep_alive_count_max" to control how often the server sends keep-alive messages to clients and after how many missed keep-alive replies the server tears down the connection to the client.
2018-11-07 01:21:44 +00:00
/*
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
Copyright 2018-2019 Gravitational, Inc.
Added support for "keep_alive_interval" and "keep_alive_count_max" to control how often the server sends keep-alive messages to clients and after how many missed keep-alive replies the server tears down the connection to the client.
2018-11-07 01:21:44 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed
2016-02-16 17:36:02 +00:00
package teleport
import (
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
"strings"
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed
2016-02-16 17:36:02 +00:00
"time"
)
Added TrustedCluster resource.
2017-03-02 19:50:35 +00:00
// WebAPIVersion is a current webapi version
const WebAPIVersion = "v1"
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed
2016-02-16 17:36:02 +00:00
// ForeverTTL means that object TTL will not expire unless deleted
recover etcd backend support
2016-03-11 01:03:01 +00:00
const ForeverTTL time.Duration = 0
working proto
2017-03-08 05:42:17 +00:00
const (
// SSHAuthSock is the environment variable pointing to the
// Unix socket the SSH agent is running on.
SSHAuthSock = "SSH_AUTH_SOCK"
// SSHAgentPID is the environment variable pointing to the agent
// process ID
SSHAgentPID = "SSH_AGENT_PID"
Corrected the Session URL returned when calling "teleport status".
2017-04-07 00:16:28 +00:00
// SSHTeleportUser is the current Teleport user that is logged in.
SSHTeleportUser = "SSH_TELEPORT_USER"
// SSHSessionWebproxyAddr is the address the web proxy.
SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR"
// SSHTeleportClusterName is the name of the cluster this node belongs to.
SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"
// SSHTeleportHostUUID is the UUID of the host.
SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"
// SSHSessionID is the UUID of the current session.
SSHSessionID = "SSH_SESSION_ID"
working proto
2017-03-08 05:42:17 +00:00
)
Added debug ssh agent to be used in tests so they can run consistently across platforms.
2017-02-13 23:37:08 +00:00
Added HTTP CONNECT tunneling support for Trusted Clusters.
2017-05-17 00:43:55 +00:00
const (
// HTTPSProxy is an environment variable pointing to a HTTPS proxy.
HTTPSProxy = "HTTPS_PROXY"
// HTTPProxy is an environment variable pointing to a HTTP proxy.
HTTPProxy = "HTTP_PROXY"
Add support for no_proxy environment variable NO_PROXY or no_proxy environment variables can be set to override variable HTTP_PROXY or HTTPS_PROXY. Current implementation is taken from Go standard library.
2018-08-20 21:01:15 +00:00
// NoProxy is an environment variable matching the cases
// when HTTPS_PROXY or HTTP_PROXY is ignored
NoProxy = "NO_PROXY"
Added HTTP CONNECT tunneling support for Trusted Clusters.
2017-05-17 00:43:55 +00:00
)
Use a fake clock in OTP tests.
2017-02-10 22:46:26 +00:00
const (
Added debug ssh agent to be used in tests so they can run consistently across platforms.
2017-02-13 23:37:08 +00:00
// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
TOTPValidityPeriod uint = 30
// TOTPSkew adds that many periods before and after to the validity window.
TOTPSkew uint = 1
Use a fake clock in OTP tests.
2017-02-10 22:46:26 +00:00
)
recover etcd backend support
2016-03-11 01:03:01 +00:00
const (
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentMemory is a memory backend
ComponentMemory = "memory"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// ComponentAuthority is a TLS and an SSH certificate authority
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentAuthority = "ca"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// ComponentProcess is a main control process
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentProcess = "proc"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentServer is a server subcomponent of some services
ComponentServer = "server"
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
// ComponentReverseTunnelServer is reverse tunnel server
// that together with agent establish a bi-directional SSH revers tunnel
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// to bypass firewall restrictions
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
ComponentReverseTunnelServer = "proxy:server"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentReverseTunnelAgent is reverse tunnel agent
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
// that together with server establish a bi-directional SSH revers tunnel
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// to bypass firewall restrictions
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
ComponentReverseTunnelAgent = "proxy:agent"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentLabel is a component label name used in reporting
ComponentLabel = "component"
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
// ComponentKube is a kubernetes proxy
ComponentKube = "proxy:kube"
Cleaned up Teleport logging * Downgraded many messages from `Debug` to `Info` * Edited messages so they're not verbose and not too short * Added "context" to some * Added logical teleport component as [COMPONENT] at the beginning of many, making logs **vastly** easier to read. * Added one more logging level option when creating Teleport (only Teleconsole uses it for now) The output with 'info' severity now look extremely clean. This is startup, for example: ``` INFO[0000] [AUTH] Auth service is starting on turing:32829 file=utils/cli.go:107 INFO[0000] [SSH:auth] listening socket: 127.0.0.1:32829 file=sshutils/server.go:119 INFO[0000] [SSH:auth] is listening on 127.0.0.1:32829 file=sshutils/server.go:144 INFO[0000] [Proxy] Successfully registered with the cluster file=utils/cli.go:107 INFO[0000] [Node] Successfully registered with the cluster file=utils/cli.go:107 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56886->127.0.0.1:32829, user=turing file=auth/tun.go:370 WARN[0000] unable to load the auth server cache: open /tmp/cluster-teleconsole-client781495771/authservers.json: no such file or directory file=auth/tun.go:594 INFO[0000] [SSH:auth] new connection 127.0.0.1:56886 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56888->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56890->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370 INFO[0000] [Node] turing connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56892->127.0.0.1:32829, user=turing file=auth/tun.go:370 INFO[0000] [SSH:auth] new connection 127.0.0.1:56890 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [SSH:auth] new connection 127.0.0.1:56888 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [SSH] received event(SSHIdentity) file=service/service.go:436 INFO[0000] [SSH] received event(ProxyIdentity) file=service/service.go:563 ``` You can easily tell that auth, ssh node and proxy have successfully started.
2016-09-02 23:04:05 +00:00
// ComponentAuth is the cluster CA node (auth server API)
ComponentAuth = "auth"
Events and GRPC API This commit introduces several key changes to Teleport backend and API infrastructure in order to achieve scalability improvements on 10K+ node deployments. Events and plain keyspace -------------------------- New backend interface supports events, pagination and range queries and moves away from buckets to plain keyspace, what better aligns with DynamoDB and Etcd featuring similar interfaces. All backend implementations are exposing Events API, allowing multiple subscribers to consume the same event stream and avoid polling database. Replacing BoltDB, Dir with SQLite ------------------------------- BoltDB backend does not support having two processes access the database at the same time. This prevented Teleport using BoltDB backend to be live reloaded. SQLite supports reads/writes by multiple processes and makes Dir backend obsolete as SQLite is more efficient on larger collections, supports transactions and can detect data corruption. Teleport automatically migrates data from Bolt and Dir backends into SQLite. GRPC API and protobuf resources ------------------------------- GRPC API has been introduced for the auth server. The auth server now serves both GRPC and JSON-HTTP API on the same TLS socket and uses the same client certificate authentication. All future API methods should use GRPC and HTTP-JSON API is considered obsolete. In addition to that some resources like Server and CertificateAuthority are now generated from protobuf service specifications in a way that is fully backward compatible with original JSON spec and schema, so the same resource can be encoded and decoded from JSON, YAML and protobuf. All models should be refactored into new proto specification over time. Streaming presence service -------------------------- In order to cut bandwidth, nodes are sending full updates only when changes to labels or spec have occured, otherwise new light-weight GRPC keep alive updates are sent over to the presence service, reducing bandwidth usage on multi-node deployments. In addition to that nodes are no longer polling auth server for certificate authority rotation updates, instead they subscribe to event updates to detect updates as soon as they happen. This is a new API, so the errors are inevitable, that's why polling is still done, but on a way slower rate.
2018-11-07 23:33:38 +00:00
// ComponentGRPC is grpc server
ComponentGRPC = "grpc"
// ComponentMigrate is responsible for data migrations
ComponentMigrate = "migrate"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// ComponentNode is SSH node (SSH server serving requests)
ComponentNode = "node"
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentForwardingNode is SSH node (SSH server serving requests)
Added forwarding SSH server.
2017-11-29 00:15:46 +00:00
ComponentForwardingNode = "node:forward"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// ComponentProxy is SSH proxy (SSH server forwarding connections)
ComponentProxy = "proxy"
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
// ComponentDiagnostic is a diagnostic service
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentDiagnostic = "diag"
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Fix logging, collect status of forked processes fixes #1785, fixes #1776 This commit fixes several issues with output: First teleport start now prints output matching quickstart guide and sets default console logging to ERROR. SIGCHLD handler now only collects processes PID forked during live restart to avoid confusing other wait calls that have no process status to collect any more.
2018-03-18 02:47:06 +00:00
// ComponentClient is a client
ComponentClient = "client"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
// ComponentTunClient is a tunnel client
more work, discovery works
2017-10-08 01:11:03 +00:00
ComponentTunClient = "client:tunnel"
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// ComponentCache is a cache component
ComponentCache = "cache"
// ComponentBackend is a backend component
ComponentBackend = "backend"
more work, discovery works
2017-10-08 01:11:03 +00:00
// ComponentCachingClient is a caching auth client
ComponentCachingClient = "client:cache"
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests
2016-03-16 02:57:02 +00:00
Refactored lib/srv to support multiple servers.
2017-11-09 00:41:52 +00:00
// ComponentSubsystemProxy is the proxy subsystem.
ComponentSubsystemProxy = "subsystem:proxy"
Added forwarding SSH server.
2017-11-29 00:15:46 +00:00
// ComponentLocalTerm is a terminal on a regular SSH node.
ComponentLocalTerm = "term:local"
// ComponentRemoteTerm is a terminal on a forwarding SSH node.
ComponentRemoteTerm = "term:remote"
// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
ComponentRemoteSubsystem = "subsystem:remote"
fix audit log file leak, fixes #1433 This is a fix for file leak in audit log server caused by design issue: Session file descriptors in audit log were opened on demand when the session event or byte stream chunk was reported. AuditLog server relied on SessionEnd event to close the file descriptors associated with the session. However, when SessionEnd event does not arrive (e.g. there is a timeout or disconnect), the file descriptors were not closed. This commit adds periodic clean up of inactive sessions. SessionEnd is now used as an optimization measure to close the files, but is not used as the only trigger to close files. Now, inactive idle sessions, will close file descriptors after periods of inactivity and will reopen the file descriptors when the session activity resumes. SessionLogger was not designed to open/close files multiple times as it was reseting offsets every time the session files were opened. This change fixes this condition as well.
2017-11-16 02:26:35 +00:00
// ComponentAuditLog is audit log component
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
ComponentAuditLog = "audit"
fix audit log file leak, fixes #1433 This is a fix for file leak in audit log server caused by design issue: Session file descriptors in audit log were opened on demand when the session event or byte stream chunk was reported. AuditLog server relied on SessionEnd event to close the file descriptors associated with the session. However, when SessionEnd event does not arrive (e.g. there is a timeout or disconnect), the file descriptors were not closed. This commit adds periodic clean up of inactive sessions. SessionEnd is now used as an optimization measure to close the files, but is not used as the only trigger to close files. Now, inactive idle sessions, will close file descriptors after periods of inactivity and will reopen the file descriptors when the session activity resumes. SessionLogger was not designed to open/close files multiple times as it was reseting offsets every time the session files were opened. This change fixes this condition as well.
2017-11-16 02:26:35 +00:00
LocalKeyAgent only loads keys for a user logged into a proxy.
2018-01-19 02:30:02 +00:00
// ComponentKeyAgent is an agent that has loaded the sessions keys and
// certificates for a user connected to a proxy.
ComponentKeyAgent = "keyagent"
// ComponentKeyStore is all sessions keys and certificates a user has on disk
// for all proxies.
ComponentKeyStore = "keystore"
Wrap connection used in HTTP CONNECT proxy to first read any buffered data then ready from the underlying connection.
2018-02-09 00:33:48 +00:00
// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
ComponentConnectProxy = "http:proxy"
Refactoring of SOCKS5 server.
2018-09-28 01:22:51 +00:00
// ComponentSOCKS is a SOCKS5 proxy.
ComponentSOCKS = "socks"
Create single instance of keygen per process. Use cache of precomputed certificates when using recording proxy.
2018-02-14 22:55:01 +00:00
// ComponentKeyGen is the public/private keypair generator.
ComponentKeyGen = "keygen"
adds support for GCP HA environments with gcs recording storage, firestore-backed events, and firestore backend storage
2019-06-18 20:35:21 +00:00
// ComponentFirestore represents firestore clients
ComponentFirestore = "firestore"
Migrate to structured logging in session handling code.
2018-02-20 01:59:08 +00:00
// ComponentSession is an active session.
ComponentSession = "session"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// ComponentDynamoDB represents dynamodb clients
ComponentDynamoDB = "dynamodb"
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
// Component pluggable authentication module (PAM)
ComponentPAM = "pam"
Introduce new upload API. This PR improves session recording: * Nodes and proxies always buffer recorded sessions to disk during the session what improves performance and makes the recording more resilient to network failures. * Async uploader running on proxy or node always uploads the session tarball to the audit log server. * Audit log server is the only component uploading to the S3 or any other API.
2018-03-29 20:47:53 +00:00
// ComponentUpload is a session recording upload server
ComponentUpload = "upload"
better user errors
2018-08-17 20:53:49 +00:00
// ComponentWeb is a web server
ComponentWeb = "web"
Use protobufs to communicate between proxy and web client.
2018-07-16 21:39:50 +00:00
// ComponentWebsocket is websocket server that the web client connects to.
ComponentWebsocket = "websocket"
Made GetNodes identity aware to only return nodes which that user has access to. In debug mode, made RBAC failures more verbose.
2018-08-11 00:50:06 +00:00
// ComponentRBAC is role-based access control.
ComponentRBAC = "rbac"
Added support for "keep_alive_interval" and "keep_alive_count_max" to control how often the server sends keep-alive messages to clients and after how many missed keep-alive replies the server tears down the connection to the client.
2018-11-07 01:21:44 +00:00
// ComponentKeepAlive is keep-alive messages sent from clients to servers
// and vice versa.
ComponentKeepAlive = "keepalive"
Remove Teleport related entries from kubeconfig upon "tsh logout".
2018-11-15 22:36:11 +00:00
// ComponentTSH is the "tsh" binary.
ComponentTSH = "tsh"
Split kubeconfig path after extracting from environment.
2018-11-16 20:23:08 +00:00
// ComponentKubeClient is the Kubernetes client.
ComponentKubeClient = "client:kube"
Events and GRPC API This commit introduces several key changes to Teleport backend and API infrastructure in order to achieve scalability improvements on 10K+ node deployments. Events and plain keyspace -------------------------- New backend interface supports events, pagination and range queries and moves away from buckets to plain keyspace, what better aligns with DynamoDB and Etcd featuring similar interfaces. All backend implementations are exposing Events API, allowing multiple subscribers to consume the same event stream and avoid polling database. Replacing BoltDB, Dir with SQLite ------------------------------- BoltDB backend does not support having two processes access the database at the same time. This prevented Teleport using BoltDB backend to be live reloaded. SQLite supports reads/writes by multiple processes and makes Dir backend obsolete as SQLite is more efficient on larger collections, supports transactions and can detect data corruption. Teleport automatically migrates data from Bolt and Dir backends into SQLite. GRPC API and protobuf resources ------------------------------- GRPC API has been introduced for the auth server. The auth server now serves both GRPC and JSON-HTTP API on the same TLS socket and uses the same client certificate authentication. All future API methods should use GRPC and HTTP-JSON API is considered obsolete. In addition to that some resources like Server and CertificateAuthority are now generated from protobuf service specifications in a way that is fully backward compatible with original JSON spec and schema, so the same resource can be encoded and decoded from JSON, YAML and protobuf. All models should be refactored into new proto specification over time. Streaming presence service -------------------------- In order to cut bandwidth, nodes are sending full updates only when changes to labels or spec have occured, otherwise new light-weight GRPC keep alive updates are sent over to the presence service, reducing bandwidth usage on multi-node deployments. In addition to that nodes are no longer polling auth server for certificate authority rotation updates, instead they subscribe to event updates to detect updates as soon as they happen. This is a new API, so the errors are inevitable, that's why polling is still done, but on a way slower rate.
2018-11-07 23:33:38 +00:00
// ComponentBuffer is in-memory event circular buffer
// used to broadcast events to subscribers.
ComponentBuffer = "buffer"
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// ComponentBPF is the eBPF packagae.
ComponentBPF = "bpf"
// ComponentCgroup is the cgroup package.
ComponentCgroup = "cgroups"
Addressed PR comments - Comments - Error creation - Moved from Mailgun's frozen time to clockwork - Made tests more reliable
2016-12-26 06:12:23 +00:00
// DebugEnvVar tells tests to use verbose debug output
DebugEnvVar = "DEBUG"
// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
VerboseLogsEnvVar = "TELEPORT_DEBUG"
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM
2016-09-10 04:44:04 +00:00
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// IterationsEnvVar sets tests iterations to run
IterationsEnvVar = "ITERATIONS"
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM
2016-09-10 04:44:04 +00:00
// DefaultTerminalWidth defines the default width of a server-side allocated
// pseudo TTY
DefaultTerminalWidth = 80
// DefaultTerminalHeight defines the default height of a server-side allocated
// pseudo TTY
DefaultTerminalHeight = 25
// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
// is not defined)
SafeTerminalType = "xterm"
map OIDC scopes to roles, implements #620
2016-12-24 03:02:59 +00:00
// ConnectorOIDC means connector type OIDC
ConnectorOIDC = "oidc"
Converted boltbk to the new format BoltDB backend is now compatible with how all backends should initialize. Also all BoltDB-specific code/constants have been consolidated inside of `backend.boltbk` package.
2017-01-13 00:04:00 +00:00
SAML 2.0 initial implementation
2017-05-05 22:53:05 +00:00
// ConnectorSAML means connector type SAML
Fix typos and some review comments
2017-12-15 01:19:57 +00:00
ConnectorSAML = "saml"
SAML 2.0 initial implementation
2017-05-05 22:53:05 +00:00
Github connector
2017-12-14 21:41:38 +00:00
// ConnectorGithub means connector type Github
ConnectorGithub = "github"
Converted boltbk to the new format BoltDB backend is now compatible with how all backends should initialize. Also all BoltDB-specific code/constants have been consolidated inside of `backend.boltbk` package.
2017-01-13 00:04:00 +00:00
// DataDirParameterName is the name of the data dir configuration parameter passed
// to all backends during initialization
DataDirParameterName = "data_dir"
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens.
2017-01-17 19:24:17 +00:00
SSH keepalive implementation + refactoring The base SSH server implementation now sends SSH keepalive at ta rate of 1/4 of "idle timeout" constant. The client properly responds to keepalive pings. The SSH client, instead of creating 2 goroutines for handling SSH requests and SSH channels now uses the same (existing) goroutine with for-loop + select statement.
2017-01-30 19:31:37 +00:00
// SSH request type to keep the connection alive. A client and a server keep
// pining each other with it:
KeepAliveReqType = "keepalive@openssh.com"
Forwarding to proxy is controlled by a global out-of-band request. Always forward Teleport agent to node in Web UI. Support the -A flag in tsh to optionally forward agent to node in CLI.
2017-11-13 22:55:21 +00:00
// RecordingProxyReqType is the name of a global request which returns if
// the proxy is recording sessions or not.
RecordingProxyReqType = "recording-proxy@teleport.com"
Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation.
2017-02-14 02:29:27 +00:00
// OTP means One-time Password Algorithm for Two-Factor Authentication.
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens.
2017-01-17 19:24:17 +00:00
OTP = "otp"
Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation.
2017-02-14 02:29:27 +00:00
// TOTP means Time-based One-time Password Algorithm. for Two-Factor Authentication.
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens.
2017-01-17 19:24:17 +00:00
TOTP = "totp"
Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation.
2017-02-14 02:29:27 +00:00
// HOTP means HMAC-based One-time Password Algorithm.for Two-Factor Authentication.
Two fixes in one commit Fix one: Fixed typo in defining `teleport.HOTP` constant. This fixes bug #721 Fix two: Removes 'drop tunnel connection' logic on any tunnel-related error. This fixes 2nd problem "Handling Unreachable nodes" for issue #717 (see klizhentas comment there)
2017-01-23 03:55:54 +00:00
HOTP = "hotp"
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens.
2017-01-17 19:24:17 +00:00
Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation.
2017-02-14 02:29:27 +00:00
// U2F means Universal 2nd Factor.for Two-Factor Authentication.
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens.
2017-01-17 19:24:17 +00:00
U2F = "u2f"
Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation.
2017-02-14 02:29:27 +00:00
// OFF means no second factor.for Two-Factor Authentication.
OFF = "off"
// Local means authentication will happen locally within the Teleport cluster.
Local = "local"
Github connector
2017-12-14 21:41:38 +00:00
// OIDC means authentication will happen remotely using an OIDC connector.
Fix typos and some review comments
2017-12-15 01:19:57 +00:00
OIDC = ConnectorOIDC
SAML 2.0 initial implementation
2017-05-05 22:53:05 +00:00
Github connector
2017-12-14 21:41:38 +00:00
// SAML means authentication will happen remotely using a SAML connector.
Fix typos and some review comments
2017-12-15 01:19:57 +00:00
SAML = ConnectorSAML
scaffolding for rules matchers
2017-08-25 03:24:47 +00:00
Github connector
2017-12-14 21:41:38 +00:00
// Github means authentication will happen remotely using a Github connector.
Fix typos and some review comments
2017-12-15 01:19:57 +00:00
Github = ConnectorGithub
Github connector
2017-12-14 21:41:38 +00:00
scaffolding for rules matchers
2017-08-25 03:24:47 +00:00
// JSON means JSON serialization format
JSON = "json"
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
tctl: users add/ls and tokens ls json output
2019-02-21 09:46:50 +00:00
// YAML means YAML serialization format
YAML = "yaml"
// Text means text serialization format
Text = "text"
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
// LinuxAdminGID is the ID of the standard adm group on linux
LinuxAdminGID = 4
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// LinuxOS is the GOOS constant used for Linux.
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
LinuxOS = "linux"
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// WindowsOS is the GOOS constant used for Microsoft Windows.
WindowsOS = "windows"
// DarwinOS is the GOOS constant for Apple macOS/darwin.
DarwinOS = "darwin"
make audit accessible by admin group members If user running teleport is a member of adm group create the directory and all subdirectories accessible to admins. Remove obsolete migrations required for pre 2.3 releases.
2017-11-18 00:40:41 +00:00
// DirMaskSharedGroup is the mask for a directory accessible
// by the owner and group
DirMaskSharedGroup = 0770
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// FileMaskOwnerOnly is the file mask that allows read write access
// to owers only
FileMaskOwnerOnly = 0600
// On means mode is on
On = "on"
// Off means mode is off
Off = "off"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// SchemeS3 is S3 file scheme, means upload or download to S3 like object
// storage
SchemeS3 = "s3"
adds support for GCP HA environments with gcs recording storage, firestore-backed events, and firestore backend storage
2019-06-18 20:35:21 +00:00
// SchemeGCS is GCS file scheme, means upload or download to GCS like object
// storage
SchemeGCS = "gs"
Allow S3 buckets in different regions, implements #2007 This commit allows additional configuration for the `audit_sessions_uri` parameter: `audit_sessions_uri: s3://example.com/path?region=us-east-1` Additional query parameter `region` will override default `audit` section `region` if set.
2019-02-09 22:39:18 +00:00
// Region is AWS region parameter
Region = "region"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// SchemeFile is a local disk file storage
SchemeFile = "file"
Add ability to output audit logs to stdout. This commit implements #2872. Similarly to file://, the scheme `stdout://` could be used complimentary to the existing external scheme to logs audit logs: to stdout: ```yaml audit_events_uri: ['dynamodb://events', 'stdout://',] ``` Just like `file://` scheme it is only possible to use 'stdout://' scheme when external events and session uploader are defined, so all audit upload and search features of teleport could work.
2019-07-24 22:04:13 +00:00
// SchemeStdout outputs audit log entries to stdout
SchemeStdout = "stdout"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// LogsDir is a log subdirectory for events and logs
LogsDir = "log"
Use signal pipe to make live reload better. This commit allows teleport parent process to track the status of the forked child process using os.Pipe. Child process signals success to parent process by writing to Pipe. This allows HUP and USR2 to be more intelligent as they can now detect the failure or success of the process.
2018-04-03 22:41:12 +00:00
// Syslog is a mode for syslog logging
Syslog = "syslog"
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// HumanDateFormat is a human readable date formatting
HumanDateFormat = "Jan _2 15:04 UTC"
// HumanDateFormatSeconds is a human readable date formatting with seconds
HumanDateFormatSeconds = "Jan _2 15:04:05 UTC"
// HumanDateFormatMilli is a human readable date formatting with milliseconds
HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC"
Do not override syslog target, fixes #2550 (#2551) Whenever teleport was started with -d flag, output target was always overwritten to stderr. This commit makes sure that target supplied in the configuration is not overwritten even in case when -d flag is set.
2019-02-10 01:43:59 +00:00
// DebugLevel is a debug logging level name
DebugLevel = "debug"
add support for TELEPORT_DEBUG_TESTS environment variable turning on verbose testing
2016-03-14 21:07:45 +00:00
)
add optional agent forward cert extension
2017-03-21 20:56:05 +00:00
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
// Component generates "component:subcomponent1:subcomponent2" strings used
// in debugging
func Component(components ...string) string {
return strings.Join(components, ":")
}
Fixed User CA export and parsing and added --compat=1.0 flag to tctl.
2017-04-05 21:43:42 +00:00
const (
// AuthorizedKeys are public keys that check against User CAs.
AuthorizedKeys = "authorized_keys"
// KnownHosts are public keys that check against Host CAs.
KnownHosts = "known_hosts"
)
add optional agent forward cert extension
2017-03-21 20:56:05 +00:00
const (
// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
// CertExtensionPermitPTY allows user to request PTY
CertExtensionPermitPTY = "permit-pty"
// CertExtensionPermitPortForwarding allows user to request port forwarding
CertExtensionPermitPortForwarding = "permit-port-forwarding"
work on trust
2017-05-17 17:36:25 +00:00
// CertExtensionTeleportRoles is used to propagate teleport roles
CertExtensionTeleportRoles = "teleport-roles"
Add support for ProxyJump. This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
2019-07-22 23:58:38 +00:00
// CertExtensionTeleportRouteToCluster is used to encode
// the target cluster to route to in the certificate
CertExtensionTeleportRouteToCluster = "teleport-route-to-cluster"
Use roles and traits in certificate for RBAC. If an attacker can force a username change at an IdP, upon second login, the services.User object of the original user can be updated with new roles and traits. If these new roles and traits differ, the original user can have their privileges raised (or lowered). To mitigate this, encode roles and traits within the certificate and use these when fetching roles to make RBAC decisions. If roles and traits are not encoded within an certificate (for example for old style SSH certificates then fallback to using the services.User object and log a warning.
2019-08-02 00:19:49 +00:00
// CertExtensionTeleportTraits is used to propagate traits about the user.
CertExtensionTeleportTraits = "teleport-traits"
Implment access-request system (workflow API)
2019-11-07 05:00:32 +00:00
// CertExtensionTeleportActiveRequests is used to track which privilege
// escalation requests were used to construct the certificate.
CertExtensionTeleportActiveRequests = "teleport-active-requests"
add optional agent forward cert extension
2017-03-21 20:56:05 +00:00
)
Added support for ACR values for OIDC connectors.
2017-04-13 00:04:51 +00:00
const (
// NetIQ is an identity provider.
NetIQ = "netiq"
SAML 2.0 and AD FS integration.
2017-05-12 19:14:44 +00:00
// ADFS is Microsoft Active Directory Federation Services
ADFS = "adfs"
Added support for ACR values for OIDC connectors.
2017-04-13 00:04:51 +00:00
)
Patch for TLP-01-006 and TLP-01-007: Validate Session ID.
2017-04-25 21:57:48 +00:00
const (
// RemoteCommandSuccess is returned when a command has successfully executed.
RemoteCommandSuccess = 0
// RemoteCommandFailure is returned when a command has failed to execute and
// we don't have another status code for it.
RemoteCommandFailure = 255
)
Added support for allowing the reading of a users environment when creating a new child session from ~/.tsh/environment.
2017-05-26 19:28:46 +00:00
// MaxEnvironmentFileLines is the maximum number of lines in a environment file.
const MaxEnvironmentFileLines = 1000
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
const (
Added cert_format to role as well as tsh to control how a certificate is generated.
2018-01-06 02:28:31 +00:00
// CertificateFormatOldSSH is used to make Teleport interoperate with older
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
// versions of OpenSSH.
Added cert_format to role as well as tsh to control how a certificate is generated.
2018-01-06 02:28:31 +00:00
CertificateFormatOldSSH = "oldssh"
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
Added cert_format to role as well as tsh to control how a certificate is generated.
2018-01-06 02:28:31 +00:00
// CertificateFormatStandard is used for normal Teleport operation without any
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
// compatibility modes.
Added cert_format to role as well as tsh to control how a certificate is generated.
2018-01-06 02:28:31 +00:00
CertificateFormatStandard = "standard"
// CertificateFormatUnspecified is used to check if the format was specified
// or not.
CertificateFormatUnspecified = ""
Introduce disconnect client logic. This commit implements #1935, fixes #2038 Auth server now supports global defaults for timeout behavior: ``` auth_service: client_idle_timeout: 15m disconnect_expired_cert: no ``` New role options were introduced: ``` kind: role version: v3 metadata: name: intern spec: options: # these two settings override the global ones: client_idle_timeout: 1m disconnect_expired_cert: yes ```
2018-07-08 17:52:15 +00:00
// DurationNever is human friendly shortcut that is interpreted as a Duration of 0
DurationNever = "never"
Added --compat=oldssh flag to generate user certificates without roles.
2017-06-20 00:20:21 +00:00
)
Added support for default roles.
2017-07-24 22:18:46 +00:00
const (
// TraitInternalPrefix is the role variable prefix that indicates it's for
// local accounts.
TraitInternalPrefix = "internal"
// TraitLogins is the name the role variable used to store
// allowed logins.
TraitLogins = "logins"
Add OSS support for kubernetes groups * Add k8s-groups flag for tctl users add * Add kubernetes_groups field in github connector
2018-08-06 23:46:19 +00:00
// TraitKubeGroups is the name the role variable used to store
// allowed kubernetes groups
TraitKubeGroups = "kubernetes_groups"
// TraitInternalLoginsVariable is the variable used to store allowed
Added support for default roles.
2017-07-24 22:18:46 +00:00
// logins for local accounts.
Add OSS support for kubernetes groups * Add k8s-groups flag for tctl users add * Add kubernetes_groups field in github connector
2018-08-06 23:46:19 +00:00
TraitInternalLoginsVariable = "{{internal.logins}}"
// TraitInternalKubeGroupsVariable is the variable used to store allowed
// kubernetes groups for local accounts.
TraitInternalKubeGroupsVariable = "{{internal.kubernetes_groups}}"
Added support for default roles.
2017-07-24 22:18:46 +00:00
)
Sasha/forward ports (#2491) * Fetch groups for GSuite SSO. (#2456) Fixes #2455 This commit adds support for fetching groups for GSuite SSO logins via OIDC connector interface. If OIDC connector has a special scope: `https://www.googleapis.com/auth/admin.directory.group.readonly` teleport will fetch user's group membership and populate groups claim. * Pass kubernetes groups to the remote cluster. (#2484) This commit allows remote cluster to reference the kubernetes groups coming from the roles of the main cluster in the trusted clusters configuration. For example, main cluster can have a user with a role 'main' and kubernetes groups: kube_groups: ['system:masters'] and SSH logins: logins: ['root'] Remote cluster can choose to map this 'main' cluster to it's own: 'remote-admin' cluster in the trusted cluster config: role_map: - remote: 'main' local: 'remote-admin' The role 'remote-admin' of the remote cluster can now be templated to use the main cluster role main logins and kubernetes_groups using variables: logins: ['{{internal.logins}}'] kubernetes_groups: ['{{internal.kubernetes_groups}}'] This is possible because teleport now encodes both values in X509 certificate metadata and remote cluster passes these values as 'internal' traits to the template engine.
2019-01-17 02:55:59 +00:00
const (
// GSuiteIssuerURL is issuer URL used for GSuite provider
GSuiteIssuerURL = "https://accounts.google.com"
// GSuiteGroupsEndpoint is gsuite API endpoint
GSuiteGroupsEndpoint = "https://www.googleapis.com/admin/directory/v1/groups"
// GSuiteGroupsScope is a scope to get access to admin groups API
GSuiteGroupsScope = "https://www.googleapis.com/auth/admin.directory.group.readonly"
Fix support for GSuite logins This commit fixes support for GSuite logins by using service accounts for access purposes. The resulting connector now looks like: ```yaml kind: oidc version: v2 metadata: name: gsuite spec: redirect_url: https://example.com/v1/webapi/oidc/callback client_id: exampleclientid.apps.googleusercontent.com client_secret: exampleclientsecret issuer_url: https://accounts.google.com # Notice that scope here is not requiested from OIDC exchange anymore, this scope # # https://www.googleapis.com/auth/admin.directory.group.readonly # # is now implicitly requested by the client # scope: ['openid', 'email'] # The setup below is involved and requires careful following of the guides: # # https://developers.google.com/admin-sdk/directory/v1/guides/delegation # https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority # # The service account scopes have to be set to # # https://www.googleapis.com/auth/admin.directory.group.readonly # https://www.googleapis.com/auth/admin.directory.group.member.readonly # # the following paths are supported: # 1. plain path # /var/lib/secrets/gsuite-creds.json # # 2. explicit scheme file:// # file:///var/lib/secrets/gsuite-creds.json # # other schemes are not supported at the moment # google_service_account_file: "/var/lib/secrets/gsuite-creds.json" google_admin_email: "admin@example.com" claims_to_roles: - {claim: "groups", value: "admin@example.com", roles: ["clusteradmin"]} ```
2019-11-03 20:55:03 +00:00
// GSuiteDomainClaim is the domain name claim for GSuite
GSuiteDomainClaim = "hd"
Sasha/forward ports (#2491) * Fetch groups for GSuite SSO. (#2456) Fixes #2455 This commit adds support for fetching groups for GSuite SSO logins via OIDC connector interface. If OIDC connector has a special scope: `https://www.googleapis.com/auth/admin.directory.group.readonly` teleport will fetch user's group membership and populate groups claim. * Pass kubernetes groups to the remote cluster. (#2484) This commit allows remote cluster to reference the kubernetes groups coming from the roles of the main cluster in the trusted clusters configuration. For example, main cluster can have a user with a role 'main' and kubernetes groups: kube_groups: ['system:masters'] and SSH logins: logins: ['root'] Remote cluster can choose to map this 'main' cluster to it's own: 'remote-admin' cluster in the trusted cluster config: role_map: - remote: 'main' local: 'remote-admin' The role 'remote-admin' of the remote cluster can now be templated to use the main cluster role main logins and kubernetes_groups using variables: logins: ['{{internal.logins}}'] kubernetes_groups: ['{{internal.kubernetes_groups}}'] This is possible because teleport now encodes both values in X509 certificate metadata and remote cluster passes these values as 'internal' traits to the template engine.
2019-01-17 02:55:59 +00:00
)
Added forwarding SSH server.
2017-11-29 00:15:46 +00:00
// SCP is Secure Copy.
const SCP = "scp"
Add root to the list of logins for an Enterprise role.
2017-09-08 00:35:05 +00:00
// Root is *nix system administrator account name.
const Root = "root"
Renamed default role to admin role.
2017-09-05 19:20:57 +00:00
// DefaultRole is the name of the default admin role for all local users if
Added support for default roles.
2017-07-24 22:18:46 +00:00
// another role is not explicitly assigned (Enterprise only).
Renamed default role to admin role.
2017-09-05 19:20:57 +00:00
const AdminRoleName = "admin"
Added support for role rules.
2017-08-16 00:27:51 +00:00
// DefaultImplicitRole is implicit role that gets added to all service.RoleSet
// objects.
const DefaultImplicitRole = "default-implicit-role"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// APIDomain is a default domain name for Auth server API
const APIDomain = "teleport.cluster.local"
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
Advertise a minimum version for clients.
2018-11-08 22:34:44 +00:00
// MinClientVersion is the minimum client version required by the server.
const MinClientVersion = "3.0.0"
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
const (
// RemoteClusterStatusOffline indicates that cluster is considered as
// offline, since it has missed a series of heartbeats
RemoteClusterStatusOffline = "offline"
// RemoteClusterStatusOnline indicates that cluster is sending heartbeats
// at expected interval
RemoteClusterStatusOnline = "online"
)
UX and performance changes * Do not log EOF errors, avoid polluting logs * Trim space from tokens when reading from file * Do not use dir based caching The caching problem deserves a separate explanation. Directory backend is not concurrent friendly - it has a fundamental design flaw - multiple gorotuines writing to the same file corrupt cache data. This requires either redesign of the backend or switching to boltdb backend for caching. Boltdb backend uses transactions and is safe for concurrent access. This PR changes local cache to use boltdb instead of the dir backend that is now used only in tests.
2018-01-22 20:25:11 +00:00
const (
// SharedDirMode is a mode for a directory shared with group
SharedDirMode = 0750
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
// PrivateDirMode is a mode for private directories
PrivateDirMode = 0700
UX and performance changes * Do not log EOF errors, avoid polluting logs * Trim space from tokens when reading from file * Do not use dir based caching The caching problem deserves a separate explanation. Directory backend is not concurrent friendly - it has a fundamental design flaw - multiple gorotuines writing to the same file corrupt cache data. This requires either redesign of the backend or switching to boltdb backend for caching. Boltdb backend uses transactions and is safe for concurrent access. This PR changes local cache to use boltdb instead of the dir backend that is now used only in tests.
2018-01-22 20:25:11 +00:00
)
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
const (
// SessionEvent is sent by servers to clients when an audit event occurs on
// the session.
SessionEvent = "x-teleport-event"
Send UUIDv1 session IDs to legacy servers. Before establishing a session, request the server version. If the server replies false, that means it does not support that request type and is an older server version which needs UUIDv1 format session IDs.
2019-09-09 23:56:26 +00:00
// VersionRequest is sent by clients to server requesting the Teleport
// version they are running.
VersionRequest = "x-teleport-version"
* Push window size changes to clients instead of polling. * Cache services.ClusterConfig within srv.ServerContext for the duration of a connection. * Create a single websocket between the browser and the proxy for all * terminal bytes and events.
2018-05-04 00:36:08 +00:00
)
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
const (
// EnvKubeConfig is environment variable for kubeconfig
EnvKubeConfig = "KUBECONFIG"
// KubeConfigDir is a default directory where k8s stores its user local config
KubeConfigDir = ".kube"
// KubeConfigFile is a default filename where k8s stores its user local config
KubeConfigFile = "config"
// EnvHome is home environment variable
EnvHome = "HOME"
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// EnvUserProfile is the home directory environment variable on Windows.
EnvUserProfile = "USERPROFILE"
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
// KubeServiceAddr is an address for kubernetes endpoint service
KubeServiceAddr = "kubernetes.default.svc.cluster.local:443"
// KubeCAPath is a hardcode of mounted CA inside every pod of K8s
KubeCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
// KubeKindCSR is a certificate signing requests
KubeKindCSR = "CertificateSigningRequest"
Kubernetes proxy integration tests. This PR contains Kubernetes proxy integration tests and associated internal changes.
2018-06-10 00:21:14 +00:00
// KubeKindPod is a kubernetes pod
KubeKindPod = "Pod"
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
// KubeMetadataNameSelector is a selector for name metadata in API requests
KubeMetadataNameSelector = "metadata.name"
Kubernetes proxy integration tests. This PR contains Kubernetes proxy integration tests and associated internal changes.
2018-06-10 00:21:14 +00:00
// KubeMetadataLabelSelector is a selector for label
KubeMetadataLabelSelector = "metadata.label"
// KubeRunTests turns on kubernetes tests
KubeRunTests = "TEST_KUBE"
// KubeSystemMasters is a name of the builtin kubernets group for master nodes
KubeSystemMasters = "system:masters"
Add framework for trusted cluster K8s access
2018-06-18 00:53:02 +00:00
Always add 'system:authenticated' to impersonation groups. Looks like impersonated users do not get 'system:authenticated' as a default. This leads to kubectl to fail for some restricted users, who don't have 'system:discovery' like permissions added to the roles. This commit always injects the group if not present in the request. See https://github.com/kubernetes/kubernetes/issues/43227 for a similar solution
2019-03-25 02:25:58 +00:00
// KubeSystemAuthenticated is a builtin group that allows
// any user to access common API methods, e.g. discovery methods
// required for initial client usage
KubeSystemAuthenticated = "system:authenticated"
Add framework for trusted cluster K8s access
2018-06-18 00:53:02 +00:00
// UsageKubeOnly specifies certificate usage metadata
// that limits certificate to be only used for kubernetes proxying
UsageKubeOnly = "usage:kube"
)
const (
// UseOfClosedNetworkConnection is a special string some parts of
// go standard lib are using that is the only way to identify some errors
UseOfClosedNetworkConnection = "use of closed network connection"
Initial implementation of Kubernetes support This issue updates #1986. This is intial, experimental implementation that will be updated with tests and edge cases prior to production 2.7.0 release. Teleport proxy adds support for Kubernetes API protocol. Auth server uses Kubernetes API to receive certificates issued by Kubernetes CA. Proxy intercepts and forwards API requests to the Kubernetes API server and captures live session traffic, making recordings available in the audit log. Tsh login now updates kubeconfig configuration to use Teleport as a proxy server.
2018-05-19 23:58:14 +00:00
)
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
const (
// OpenBrowserLinux is the command used to open a web browser on Linux.
Use xdg-open to open a default browser (#2536)
2019-01-31 13:14:47 +00:00
OpenBrowserLinux = "xdg-open"
Added tsh for Windows.
2018-07-25 20:56:14 +00:00
// OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin.
OpenBrowserDarwin = "open"
// OpenBrowserWindows is the command used to open a web browser on Windows.
OpenBrowserWindows = "rundll32.exe"
)
Always validate certificate (or key) algorithm. Added utils.CertChecker that wraps a ssh.CertChecker. The new certificate checker first checks if the certificate is a valid certificate for Teleport. At the moment that is 2048-bit RSA then calls the underlying certificate checker to perform the requested validation.
2019-02-28 00:55:57 +00:00
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
const (
// EnhancedRecordingMinKernel is the minimum kernel version for the enhanced
// recording feature.
EnhancedRecordingMinKernel = "4.18.0"
// EnhancedRecordingCommand is a role option that implies command events are
// captured.
EnhancedRecordingCommand = "command"
// EnhancedRecordingDisk is a role option that implies disk events are captured.
EnhancedRecordingDisk = "disk"
// EnhancedRecordingNetwork is a role option that implies network events
// are captured.
EnhancedRecordingNetwork = "network"
)
const (
// ExecSubCommand is the sub-command Teleport uses to re-exec itself.
ExecSubCommand = "exec"
)
Always validate certificate (or key) algorithm. Added utils.CertChecker that wraps a ssh.CertChecker. The new certificate checker first checks if the certificate is a valid certificate for Teleport. At the moment that is 2048-bit RSA then calls the underlying certificate checker to perform the requested validation.
2019-02-28 00:55:57 +00:00
// RSAKeySize is the size of the RSA key.
const RSAKeySize = 2048
Reference in a new issue Copy permalink