self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-22 02:03:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/lib/service/cfg.go

779 lines
25 KiB
Go
Raw Normal View History

Apply apache license to teleport
2015-10-31 18:56:49 +00:00
/*
Add "billing_information" RBAC resource (#5676) * Expose GRPC client connection to plugins * Replaces global plugin state with the PluginRegistry
2021-03-02 03:47:03 +00:00
Copyright 2015-2021 Gravitational, Inc.
Apply apache license to teleport
2015-10-31 18:56:49 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Introduce auth server and proxy heartbeats This commit introduces heartbeats of AuthServers and Proxies and fixes several issues: 1. Server init problem There was an issue in server init, when certificates of multiple roles were overwriting each otther. Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert This also means that it's backwards incompatible with previous on disk format. 2. Proxy and Auth heartbeats Auth servers and proxies now heartbeat into cluster as well 3. Bugfixes: * Proxy role was missing, it is now treated as a separate role with permissions * AdvertiseIP is now a global setting that can be used by all roles * --advertise-ip flag was ignored and was never applied * teleport service initialization has been simplified, now each role get it's own client * minor cleanups
2016-03-12 04:09:40 +00:00
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
package service
import (
Sasha High Availability.
2017-04-07 23:51:31 +00:00
"fmt"
recover etcd backend support
2016-03-11 01:03:01 +00:00
"io"
Add kubernetes_service to teleport.yaml (#4497) * Fix local etcd test failures when etcd is not running * Add kubernetes_service to teleport.yaml This plumbs config fields only, they have no effect yet. Also, remove `cluster_name` from `proxy_config.kubernetes`. This field will only exist under `kubernetes_service` per https://github.com/gravitational/teleport/pull/4455 * Handle IPv6 in kubernetes_service and rename label fields * Disable k8s cluster name defaulting in user TLS certs Need to implement service registration first.
2020-10-19 17:28:10 +00:00
"net"
"net/url"
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
"os"
Changes for the upcoming teleport pro: * Allow external audit log plugins * Add support for auth API server plugins * Add license file path configuration parameter (not used in open-source) * Extend audit log with user login events
2017-11-22 01:35:58 +00:00
"path/filepath"
Add kubernetes_service to teleport.yaml (#4497) * Fix local etcd test failures when etcd is not running * Add kubernetes_service to teleport.yaml This plumbs config fields only, they have no effect yet. Also, remove `cluster_name` from `proxy_config.kubernetes`. This field will only exist under `kubernetes_service` per https://github.com/gravitational/teleport/pull/4455 * Handle IPv6 in kubernetes_service and rename label fields * Disable k8s cluster name defaulting in user TLS certs Need to implement service registration first.
2020-10-19 17:28:10 +00:00
"strconv"
Sasha High Availability.
2017-04-07 23:51:31 +00:00
"time"
Incorporated PR comments from here: https://github.com/gravitational/teleport/pull/115
2016-02-09 21:46:34 +00:00
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
"golang.org/x/crypto/ssh"
Consolidated application checks. Consolidated application validation checks. The previous implementation had a bug in it where it would fail if no /etc/teleport.yaml existed.
2020-11-17 05:03:26 +00:00
"k8s.io/apimachinery/pkg/util/validation"
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
"github.com/gravitational/teleport/lib/auth"
First pass at cleaning up DynamoDB and locks - Added ability to read AWS config from `~/.aws` directory for testing - Fixed TTL bug in DynamoDB back-end - Made FS back-end return similar error types as Boltdb does - Cleaned up buggy tests for DynamoDB - Removed unnecessary locks everywhere in code
2016-12-27 02:50:59 +00:00
"github.com/gravitational/teleport/lib/backend"
Cleanup of dead code. * Removed legacy backends no longer supported. * Removed code marked for deletion. * Updated Makefile to use $ instead of ` to match Enterprise.
2019-07-02 21:35:17 +00:00
"github.com/gravitational/teleport/lib/backend/lite"
Adds in-memory cache option, improves scalability for IOT mode. This commit resolves #3227 In IOT mode, 10K nodes are connecting back to the proxies, putting a lot of pressure on the proxy cache. Before this commit, Proxy's only cache option were persistent sqlite-backed caches. The advantage of those caches that Proxies could continue working after reboots with Auth servers unavailable. The disadvantage is that sqlite backend breaks down on many concurrent reads due to performance issues. This commit introduces the new cache configuration option, 'in-memory': ```yaml teleport: cache: # default value sqlite, # the only supported values are sqlite or in-memory type: in-memory ``` This cache mode allows two m4.4xlarge proxies to handle 10K IOT mode connected nodes with no issues. The second part of the commit disables the cache reload on timer that caused inconsistent view results for 10K displayed nodes with servers disappearing from the view. The third part of the commit increases the channels buffering discovery requests 10x. The channels were overfilling in 10K nodes and nodes were disconnected. The logic now does not treat the channel overflow as a reason to close the connection. This is possible due to the changes in the discovery protocol that allow target nodes to handle missing entries, duplicate entries or conflicting values.
2020-02-02 19:36:53 +00:00
"github.com/gravitational/teleport/lib/backend/memory"
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
"github.com/gravitational/teleport/lib/bpf"
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
"github.com/gravitational/teleport/lib/defaults"
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
"github.com/gravitational/teleport/lib/events"
Refactoring
2015-12-03 09:26:34 +00:00
"github.com/gravitational/teleport/lib/limiter"
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
"github.com/gravitational/teleport/lib/pam"
Add "billing_information" RBAC resource (#5676) * Expose GRPC client connection to plugins * Replaces global plugin state with the PluginRegistry
2021-03-02 03:47:03 +00:00
"github.com/gravitational/teleport/lib/plugin"
add support for pre-configured trusted authorities
2015-10-25 23:13:12 +00:00
"github.com/gravitational/teleport/lib/services"
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
"github.com/gravitational/teleport/lib/sshca"
Database access (#5005)
2021-01-15 02:21:38 +00:00
"github.com/gravitational/teleport/lib/tlsca"
add support for pre-configured trusted authorities
2015-10-25 23:13:12 +00:00
"github.com/gravitational/teleport/lib/utils"
Removed namespaces and expires from user interface.
2017-08-28 18:42:14 +00:00
"github.com/ghodss/yaml"
Read join tokens from file, fixes #2515. (#2864)
2019-07-17 19:51:18 +00:00
"github.com/gravitational/trace"
Support different ready states.
2018-10-26 22:20:02 +00:00
"github.com/jonboulle/clockwork"
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
)
Architecture revision (#3093) Architecture revisions from @one000mph and &Yet.
2019-10-22 18:10:28 +00:00
// Config structure is used to initialize _all_ services Teleport can run.
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// Some settings are global (like DataDir) while others are grouped into
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
// sections, like AuthConfig
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
type Config struct {
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
// DataDir provides directory where teleport stores it's permanent state
// (in case of auth server backed by BoltDB) or local state, e.g. keys
DataDir string
// Hostname is a node host name
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
Hostname string
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
Flexible tokens: - Static never-expiring tokens - TTL tokens - Single-use tokens with TTL of 30 mins
2016-05-12 07:44:25 +00:00
// Token is used to register this Teleport instance with the auth server
Token string
Improve error message for revoked node join token The node first tries using the token with auth server. If that fails, it tries the same address as a proxy server. If both fail, user only sees the error from the latter attempt. If using CA pin, this error will be "x509: certificate signed by unknown authority", which is confusing. Log both errors, and mention that a fallback is happening. The output looks like: ERRO [AUTH] Failed to register through auth server: "my-hostname" [3e53a982-afd1-4d2f-8864-54c25fbe5865] can not join the cluster with role Node, the token is not valid; falling back to trying the proxy server auth/register.go:123 ERRO [PROC:1] Node failed to establish connection to cluster: failed to register through proxy server: x509: certificate signed by unknown authority. time/sleep.go:149
2020-04-22 20:58:38 +00:00
// AuthServers is a list of auth servers, proxies and peer auth servers to
// connect to. Yes, this is not just auth servers, the field name is
// misleading.
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
AuthServers []utils.NetAddr
// Identities is an optional list of pre-generated key pairs
// for teleport roles, this is helpful when server is preconfigured
Identities []*auth.Identity
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
Add public_addr support for auth and ssh services. This commit fixes #1803, fixes #1889 * Adds support for public_addr for Proxy and Auth * Parameter advertise_ip now supports host:port format * Fixes incorrect output for tctl get proxies * Fixes duplicate output of some error messages.
2018-05-02 22:45:31 +00:00
// AdvertiseIP is used to "publish" an alternative IP address or hostname this node
Introduce auth server and proxy heartbeats This commit introduces heartbeats of AuthServers and Proxies and fixes several issues: 1. Server init problem There was an issue in server init, when certificates of multiple roles were overwriting each otther. Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert This also means that it's backwards incompatible with previous on disk format. 2. Proxy and Auth heartbeats Auth servers and proxies now heartbeat into cluster as well 3. Bugfixes: * Proxy role was missing, it is now treated as a separate role with permissions * AdvertiseIP is now a global setting that can be used by all roles * --advertise-ip flag was ignored and was never applied * teleport service initialization has been simplified, now each role get it's own client * minor cleanups
2016-03-12 04:09:40 +00:00
// can be reached on, if running behind NAT
Add public_addr support for auth and ssh services. This commit fixes #1803, fixes #1889 * Adds support for public_addr for Proxy and Auth * Parameter advertise_ip now supports host:port format * Fixes incorrect output for tctl get proxies * Fixes duplicate output of some error messages.
2018-05-02 22:45:31 +00:00
AdvertiseIP string
Introduce auth server and proxy heartbeats This commit introduces heartbeats of AuthServers and Proxies and fixes several issues: 1. Server init problem There was an issue in server init, when certificates of multiple roles were overwriting each otther. Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert This also means that it's backwards incompatible with previous on disk format. 2. Proxy and Auth heartbeats Auth servers and proxies now heartbeat into cluster as well 3. Bugfixes: * Proxy role was missing, it is now treated as a separate role with permissions * AdvertiseIP is now a global setting that can be used by all roles * --advertise-ip flag was ignored and was never applied * teleport service initialization has been simplified, now each role get it's own client * minor cleanups
2016-03-12 04:09:40 +00:00
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// CachePolicy sets caching policy for nodes and proxies
// in case if they loose connection to auth servers
CachePolicy CachePolicy
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// Auth service configuration. Manages cluster state and configuration.
Auth AuthConfig
// Proxy service configuration. Manages incoming and outbound
// connections to the cluster.
Proxy ProxyConfig
// SSH service configuration. Manages SSH servers running within the cluster.
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
SSH SSHConfig
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// App service configuration. Manages applications running within the cluster.
Apps AppsConfig
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
Database access (#5005)
2021-01-15 02:21:38 +00:00
// Databases defines database proxy service configuration.
Databases DatabasesConfig
Incorporated 'testauthority' into integration tests
2016-04-10 09:44:40 +00:00
// Keygen points to a key generator implementation
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
Keygen sshca.Authority
Incorporated 'testauthority' into integration tests
2016-04-10 09:44:40 +00:00
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
// HostUUID is a unique UUID of this host (it will be known via this UUID within
Updated .gitignore
2016-03-04 02:02:48 +00:00
// a teleport cluster). It's automatically generated on 1st start
HostUUID string
Intermediate commit: - Reverse tunnel service is now configurable - Separated logging output from the console UI output
2016-02-08 22:51:22 +00:00
// Console writer to speak to a user
Console io.Writer
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
// ReverseTunnels is a list of reverse tunnels to create on the
// first cluster start
ReverseTunnels []services.ReverseTunnel
Added PID file support Fixes #317
2016-04-02 00:58:41 +00:00
draft OIDC support
2016-04-03 05:20:51 +00:00
// OIDCConnectors is a list of trusted OpenID Connect identity providers
OIDCConnectors []services.OIDCConnector
Added PID file support Fixes #317
2016-04-02 00:58:41 +00:00
// PidFile is a full path of the PID file for teleport daemon
Merge branch 'ev/bugs' of github.com:gravitational/teleport into ev/bugs
2016-04-02 01:03:57 +00:00
PIDFile string
allow to log in
2016-04-05 00:26:15 +00:00
// Trust is a service that manages users and credentials
Trust services.Trust
// Presence service is a discovery and hearbeat tracker
Presence services.Presence
Events and GRPC API This commit introduces several key changes to Teleport backend and API infrastructure in order to achieve scalability improvements on 10K+ node deployments. Events and plain keyspace -------------------------- New backend interface supports events, pagination and range queries and moves away from buckets to plain keyspace, what better aligns with DynamoDB and Etcd featuring similar interfaces. All backend implementations are exposing Events API, allowing multiple subscribers to consume the same event stream and avoid polling database. Replacing BoltDB, Dir with SQLite ------------------------------- BoltDB backend does not support having two processes access the database at the same time. This prevented Teleport using BoltDB backend to be live reloaded. SQLite supports reads/writes by multiple processes and makes Dir backend obsolete as SQLite is more efficient on larger collections, supports transactions and can detect data corruption. Teleport automatically migrates data from Bolt and Dir backends into SQLite. GRPC API and protobuf resources ------------------------------- GRPC API has been introduced for the auth server. The auth server now serves both GRPC and JSON-HTTP API on the same TLS socket and uses the same client certificate authentication. All future API methods should use GRPC and HTTP-JSON API is considered obsolete. In addition to that some resources like Server and CertificateAuthority are now generated from protobuf service specifications in a way that is fully backward compatible with original JSON spec and schema, so the same resource can be encoded and decoded from JSON, YAML and protobuf. All models should be refactored into new proto specification over time. Streaming presence service -------------------------- In order to cut bandwidth, nodes are sending full updates only when changes to labels or spec have occured, otherwise new light-weight GRPC keep alive updates are sent over to the presence service, reducing bandwidth usage on multi-node deployments. In addition to that nodes are no longer polling auth server for certificate authority rotation updates, instead they subscribe to event updates to detect updates as soon as they happen. This is a new API, so the errors are inevitable, that's why polling is still done, but on a way slower rate.
2018-11-07 23:33:38 +00:00
// Events is events service
Events services.Events
allow to log in
2016-04-05 00:26:15 +00:00
// Provisioner is a service that keeps track of provisioning tokens
Provisioner services.Provisioner
// Trust is a service that manages users and credentials
Identity services.Identity
Added "seed_config" configuration flag Teleport YAML config now has a new configuration variable for internal use by Gravitational: ```yaml teleport: seed_config: true ``` If set to 'true', Teleport treats YAML configuration simply as a seed configuration on first start. If set to 'false' (default for OSS version), Teleport will throw away its back-end config, treating YAML config as the only source of truth. Specifically, for now, the following settings are thrown away if not found in YAML: - trusted authorities - reverse tunnels
2016-06-17 06:50:12 +00:00
add support for namespaces almost everywhere
2016-12-14 23:48:36 +00:00
// Access is a service that controls access
Access services.Access
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
add ClusterConfiguration section to teleport cfg
2018-01-20 19:25:31 +00:00
// ClusterConfiguration is a service that provides cluster configuration
ClusterConfiguration services.ClusterConfiguration
Support configurable cipher suites.
2018-06-08 23:50:43 +00:00
// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
// omitted, a Teleport selected list of defaults will be used.
CipherSuites []uint16
// Ciphers is a list of SSH ciphers that the server supports. If omitted,
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
// the defaults will be used.
Ciphers []string
Support configurable cipher suites.
2018-06-08 23:50:43 +00:00
// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
// server supports. If omitted, the defaults will be used.
KEXAlgorithms []string
Support configurable cipher suites.
2018-06-08 23:50:43 +00:00
// MACAlgorithms is a list of SSH message authentication codes (MAC) that
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
// the server supports. If omitted the defaults will be used.
MACAlgorithms []string
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
Add ca_signing_algo to the config file This allows users to override the SHA2 signing algorithms we default to now for compatibility with the (very) old OpenSSH versions. For host and user certs, use the CA signing algo for their own handshakes. This allows us to propagate the signing algo from auth server everywhere else.
2020-06-04 23:03:38 +00:00
// CASignatureAlgorithm is an SSH Certificate Authority (CA) signature
// algorithm that the server uses for signing user and host certificates.
// If omitted, the default will be used.
Use CA signing alg from config file on manual rotation This allows users to manually switch to a different algorithm by: - setting the config file field - running "tctl auth rotate" If config file field is not set, existing signing algorithm of the CA is preserved.
2020-06-11 23:32:55 +00:00
CASignatureAlgorithm *string
Add ca_signing_algo to the config file This allows users to override the SHA2 signing algorithms we default to now for compatibility with the (very) old OpenSSH versions. For host and user certs, use the CA signing algo for their own handshakes. This allows us to propagate the signing algo from auth server everywhere else.
2020-06-04 23:03:38 +00:00
Teleport signal handling and live reload. This commit introduces signal handling. Parent teleport process is now capable of forking the child process and passing listeners file descriptors to the child. Parent process then can gracefully shutdown by tracking the amount of current connections and closing listeners once the amount goes to 0. Here are the signals handled: * USR2 signal will cause the parent to fork a child process and pass listener file descriptors to it. Child process will close unused file descriptors and will bind to the used ones. At this moment two processes - the parent and the forked child process will be serving requests. After looking at the traffic and the log files, administrator can either shut down the parent process or the child process if the child process is not functioning as expected. * TERM, INT signals will trigger graceful process shutdown. Auth, node and proxy processes will wait until the amount of active connections goes down to 0 and will exit after that. * KILL, QUIT signals will cause immediate non-graceful shutdown. * HUP signal combines USR2 and TERM signals in a convenient way: parent process will fork a child process and self-initate graceful shutdown. This is a more convenient than USR2/TERM sequence, but less agile and robust as if the connection to the parent process drops, but the new process exits with error, administrators can lock themselves out of the environment. Additionally, boltdb backend has to be phased out, as it does not support read/writes by two concurrent processes. This had required refactoring of the dir backend to use file locking to allow inter-process collaboration on read/write operations.
2018-02-08 02:32:50 +00:00
// DiagnosticAddr is an address for diagnostic and healthz endpoint service
DiagnosticAddr utils.NetAddr
Better signal handling and pools for gzip. Fixes #1698. * Added sync.Pool to take care of many gzip.Writer allocating a lot of large objects on the heap. * Reshuffled signal handling, SIGQUIT is now graceful shutdown, just like in Nginx. * Signal USR1 prints hepful diagnostic info to stderr. * Removed gops endpoint and flags. * Fixed logs in some places. * Debug flag now adds extra pprof handlers to diagnostic endpoint.
2018-02-17 23:51:57 +00:00
// Debug sets debugging mode, results in diagnostic address
// endpoint extended with additional /debug handlers
Debug bool
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
// UploadEventsC is a channel for upload events
// used in tests
Session streaming This commit introduces GRPC API for streaming sessions. It adds structured events and sync streaming that avoids storing events on disk. You can find design in rfd/0002-streaming.md RFD.
2020-07-15 00:15:01 +00:00
UploadEventsC chan events.UploadEvent `json:"-"`
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// FileDescriptors is an optional list of file descriptors for the process
// to inherit and use for listeners, used for in-process updates.
FileDescriptors []FileDescriptor
// PollingPeriod is set to override default internal polling periods
// of sync agents, used to speed up integration tests.
PollingPeriod time.Duration
// ClientTimeout is set to override default client timeouts
// used by internal clients, used to speed up integration tests.
ClientTimeout time.Duration
// ShutdownTimeout is set to override default shutdown timeout.
ShutdownTimeout time.Duration
Add support for CA pinning when joining a cluster.
2018-10-03 19:35:57 +00:00
// CAPin is the SKPI hash of the CA used to verify the Auth Server.
CAPin string
Support different ready states.
2018-10-26 22:20:02 +00:00
// Clock is used to control time in tests.
Clock clockwork.Clock
Added support for FedRAMP/FIPS 140-2. Added "--fips" flag to "teleport start" command which can start Enterprise in FedRAMP/FIPS 140-2 mode. In FIPS mode, Teleport configures the TLS and SSH servers with FIPS compliant cryptographic algorithms. In FIPS mode, if non-compliant algorithms are chosen, Teleport will fail to start. In addition, Teleport checks if the binary was compiled against an approved cryptographic module (BoringCrypto) and fails to start if it was not. If a client, like tsh, tries to use non-FIPS encryption, like NaCl, those requests are also rejected.
2019-03-12 22:30:44 +00:00
// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
FIPS bool
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// BPFConfig holds configuration for the BPF service.
BPFConfig *bpf.Config
Add kubernetes_service to teleport.yaml (#4497) * Fix local etcd test failures when etcd is not running * Add kubernetes_service to teleport.yaml This plumbs config fields only, they have no effect yet. Also, remove `cluster_name` from `proxy_config.kubernetes`. This field will only exist under `kubernetes_service` per https://github.com/gravitational/teleport/pull/4455 * Handle IPv6 in kubernetes_service and rename label fields * Disable k8s cluster name defaulting in user TLS certs Need to implement service registration first.
2020-10-19 17:28:10 +00:00
// Kube is a Kubernetes API gateway using Teleport client identities.
Kube KubeConfig
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
// Log optionally specifies the logger
Log utils.Logger
Add "billing_information" RBAC resource (#5676) * Expose GRPC client connection to plugins * Replaces global plugin state with the PluginRegistry
2021-03-02 03:47:03 +00:00
// PluginRegistry allows adding enterprise logic to Teleport services
PluginRegistry plugin.Registry
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
}
Changed the format of the configuration Instead of providing a token per auth server, it's now one global token for all. Also added a check for unknown config values to the config file parsing code.
2016-02-17 02:19:21 +00:00
// ApplyToken assigns a given token to all internal services but only if token
// is not an empty string.
//
Read join tokens from file, fixes #2515. (#2864)
2019-07-17 19:51:18 +00:00
// returns:
// true, nil if the token has been modified
// false, nil if the token has not been modified
// false, err if there was an error
func (cfg *Config) ApplyToken(token string) (bool, error) {
Changed the format of the configuration Instead of providing a token per auth server, it's now one global token for all. Also added a check for unknown config values to the config file parsing code.
2016-02-17 02:19:21 +00:00
if token != "" {
Read join tokens from file, fixes #2515. (#2864)
2019-07-17 19:51:18 +00:00
var err error
cfg.Token, err = utils.ReadToken(token)
if err != nil {
return false, trace.Wrap(err)
}
return true, nil
Changed the format of the configuration Instead of providing a token per auth server, it's now one global token for all. Also added a check for unknown config values to the config file parsing code.
2016-02-17 02:19:21 +00:00
}
Read join tokens from file, fixes #2515. (#2864)
2019-07-17 19:51:18 +00:00
return false, nil
Changed the format of the configuration Instead of providing a token per auth server, it's now one global token for all. Also added a check for unknown config values to the config file parsing code.
2016-02-17 02:19:21 +00:00
}
recover etcd backend support
2016-03-11 01:03:01 +00:00
// RoleConfig is a config for particular Teleport role
reduce code duplication
2015-10-27 00:58:39 +00:00
func (cfg *Config) RoleConfig() RoleConfig {
return RoleConfig{
DataDir: cfg.DataDir,
Intermediate commit
2016-03-05 00:27:52 +00:00
HostUUID: cfg.HostUUID,
Hostname handling changes: 1. `--name` setting is passed through into AuthServer as "AuthServiceName". This will be used in UIs when there are multiple clusters, and also in places like Google Authenticator 2. `tctl nodes ls` now lists both host name and host UUID 3. Changed `--name` setting to `--nodename` to be consistent with the config file. Closes #194
2016-03-06 00:47:03 +00:00
HostName: cfg.Hostname,
reduce code duplication
2015-10-27 00:58:39 +00:00
AuthServers: cfg.AuthServers,
Auth: cfg.Auth,
Intermediate commit: - Reverse tunnel service is now configurable - Separated logging output from the console UI output
2016-02-08 22:51:22 +00:00
Console: cfg.Console,
reduce code duplication
2015-10-27 00:58:39 +00:00
}
}
recover etcd backend support
2016-03-11 01:03:01 +00:00
// DebugDumpToYAML is useful for debugging: it dumps the Config structure into
Added support for auth-server and tokens
2016-02-09 04:55:13 +00:00
// a string
func (cfg *Config) DebugDumpToYAML() string {
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
shallow := *cfg
// do not copy sensitive data to stdout
shallow.Identities = nil
shallow.Auth.Authorities = nil
out, err := yaml.Marshal(shallow)
Added support for auth-server and tokens
2016-02-09 04:55:13 +00:00
if err != nil {
return err.Error()
}
return string(out)
}
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// CachePolicy sets caching policy for proxies and nodes
type CachePolicy struct {
Adds in-memory cache option, improves scalability for IOT mode. This commit resolves #3227 In IOT mode, 10K nodes are connecting back to the proxies, putting a lot of pressure on the proxy cache. Before this commit, Proxy's only cache option were persistent sqlite-backed caches. The advantage of those caches that Proxies could continue working after reboots with Auth servers unavailable. The disadvantage is that sqlite backend breaks down on many concurrent reads due to performance issues. This commit introduces the new cache configuration option, 'in-memory': ```yaml teleport: cache: # default value sqlite, # the only supported values are sqlite or in-memory type: in-memory ``` This cache mode allows two m4.4xlarge proxies to handle 10K IOT mode connected nodes with no issues. The second part of the commit disables the cache reload on timer that caused inconsistent view results for 10K displayed nodes with servers disappearing from the view. The third part of the commit increases the channels buffering discovery requests 10x. The channels were overfilling in 10K nodes and nodes were disconnected. The logic now does not treat the channel overflow as a reason to close the connection. This is possible due to the changes in the discovery protocol that allow target nodes to handle missing entries, duplicate entries or conflicting values.
2020-02-02 19:36:53 +00:00
// Type sets the cache type
Type string
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// Enabled enables or disables caching
Enabled bool
// TTL sets maximum TTL for the cached values
// without explicit TTL set
TTL time.Duration
// NeverExpires means that cache values without TTL
// set by the auth server won't expire
NeverExpires bool
Cache recently accessed items. Introduce cache for items that were accessed by proxies and nodes within 2 second window to reduce load on database under high load.
2018-01-30 23:54:37 +00:00
// RecentTTL is the recently accessed items cache TTL
RecentTTL *time.Duration
}
// GetRecentTTL either returns TTL that was set,
// or default recent TTL value
func (c *CachePolicy) GetRecentTTL() time.Duration {
if c.RecentTTL == nil {
return defaults.RecentCacheTTL
}
return *c.RecentTTL
Sasha High Availability.
2017-04-07 23:51:31 +00:00
}
Adds in-memory cache option, improves scalability for IOT mode. This commit resolves #3227 In IOT mode, 10K nodes are connecting back to the proxies, putting a lot of pressure on the proxy cache. Before this commit, Proxy's only cache option were persistent sqlite-backed caches. The advantage of those caches that Proxies could continue working after reboots with Auth servers unavailable. The disadvantage is that sqlite backend breaks down on many concurrent reads due to performance issues. This commit introduces the new cache configuration option, 'in-memory': ```yaml teleport: cache: # default value sqlite, # the only supported values are sqlite or in-memory type: in-memory ``` This cache mode allows two m4.4xlarge proxies to handle 10K IOT mode connected nodes with no issues. The second part of the commit disables the cache reload on timer that caused inconsistent view results for 10K displayed nodes with servers disappearing from the view. The third part of the commit increases the channels buffering discovery requests 10x. The channels were overfilling in 10K nodes and nodes were disconnected. The logic now does not treat the channel overflow as a reason to close the connection. This is possible due to the changes in the discovery protocol that allow target nodes to handle missing entries, duplicate entries or conflicting values.
2020-02-02 19:36:53 +00:00
// CheckAndSetDefaults checks and sets default values
func (c *CachePolicy) CheckAndSetDefaults() error {
switch c.Type {
case "", lite.GetName():
c.Type = lite.GetName()
case memory.GetName():
default:
return trace.BadParameter("unsupported cache type %q, supported values are %q and %q",
c.Type, lite.GetName(), memory.GetName())
}
return nil
}
Sasha High Availability.
2017-04-07 23:51:31 +00:00
// String returns human-friendly representation of the policy
func (c CachePolicy) String() string {
if !c.Enabled {
return "no cache policy"
}
Cache recently accessed items. Introduce cache for items that were accessed by proxies and nodes within 2 second window to reduce load on database under high load.
2018-01-30 23:54:37 +00:00
recentCachePolicy := ""
if c.GetRecentTTL() == 0 {
recentCachePolicy = "will not cache frequently accessed items"
} else {
recentCachePolicy = fmt.Sprintf("will cache frequently accessed items for %v", c.GetRecentTTL())
}
Sasha High Availability.
2017-04-07 23:51:31 +00:00
if c.NeverExpires {
Adds in-memory cache option, improves scalability for IOT mode. This commit resolves #3227 In IOT mode, 10K nodes are connecting back to the proxies, putting a lot of pressure on the proxy cache. Before this commit, Proxy's only cache option were persistent sqlite-backed caches. The advantage of those caches that Proxies could continue working after reboots with Auth servers unavailable. The disadvantage is that sqlite backend breaks down on many concurrent reads due to performance issues. This commit introduces the new cache configuration option, 'in-memory': ```yaml teleport: cache: # default value sqlite, # the only supported values are sqlite or in-memory type: in-memory ``` This cache mode allows two m4.4xlarge proxies to handle 10K IOT mode connected nodes with no issues. The second part of the commit disables the cache reload on timer that caused inconsistent view results for 10K displayed nodes with servers disappearing from the view. The third part of the commit increases the channels buffering discovery requests 10x. The channels were overfilling in 10K nodes and nodes were disconnected. The logic now does not treat the channel overflow as a reason to close the connection. This is possible due to the changes in the discovery protocol that allow target nodes to handle missing entries, duplicate entries or conflicting values.
2020-02-02 19:36:53 +00:00
return fmt.Sprintf("%v cache that will not expire in case if connection to database is lost, %v", c.Type, recentCachePolicy)
Sasha High Availability.
2017-04-07 23:51:31 +00:00
}
if c.TTL == 0 {
Adds in-memory cache option, improves scalability for IOT mode. This commit resolves #3227 In IOT mode, 10K nodes are connecting back to the proxies, putting a lot of pressure on the proxy cache. Before this commit, Proxy's only cache option were persistent sqlite-backed caches. The advantage of those caches that Proxies could continue working after reboots with Auth servers unavailable. The disadvantage is that sqlite backend breaks down on many concurrent reads due to performance issues. This commit introduces the new cache configuration option, 'in-memory': ```yaml teleport: cache: # default value sqlite, # the only supported values are sqlite or in-memory type: in-memory ``` This cache mode allows two m4.4xlarge proxies to handle 10K IOT mode connected nodes with no issues. The second part of the commit disables the cache reload on timer that caused inconsistent view results for 10K displayed nodes with servers disappearing from the view. The third part of the commit increases the channels buffering discovery requests 10x. The channels were overfilling in 10K nodes and nodes were disconnected. The logic now does not treat the channel overflow as a reason to close the connection. This is possible due to the changes in the discovery protocol that allow target nodes to handle missing entries, duplicate entries or conflicting values.
2020-02-02 19:36:53 +00:00
return fmt.Sprintf("%v cache that will expire after connection to database is lost after %v, %v", c.Type, defaults.CacheTTL, recentCachePolicy)
Sasha High Availability.
2017-04-07 23:51:31 +00:00
}
Adds in-memory cache option, improves scalability for IOT mode. This commit resolves #3227 In IOT mode, 10K nodes are connecting back to the proxies, putting a lot of pressure on the proxy cache. Before this commit, Proxy's only cache option were persistent sqlite-backed caches. The advantage of those caches that Proxies could continue working after reboots with Auth servers unavailable. The disadvantage is that sqlite backend breaks down on many concurrent reads due to performance issues. This commit introduces the new cache configuration option, 'in-memory': ```yaml teleport: cache: # default value sqlite, # the only supported values are sqlite or in-memory type: in-memory ``` This cache mode allows two m4.4xlarge proxies to handle 10K IOT mode connected nodes with no issues. The second part of the commit disables the cache reload on timer that caused inconsistent view results for 10K displayed nodes with servers disappearing from the view. The third part of the commit increases the channels buffering discovery requests 10x. The channels were overfilling in 10K nodes and nodes were disconnected. The logic now does not treat the channel overflow as a reason to close the connection. This is possible due to the changes in the discovery protocol that allow target nodes to handle missing entries, duplicate entries or conflicting values.
2020-02-02 19:36:53 +00:00
return fmt.Sprintf("%v cache that will expire after connection to database is lost after %v, %v", c.Type, c.TTL, recentCachePolicy)
Sasha High Availability.
2017-04-07 23:51:31 +00:00
}
Kubernetes configuration, fetch proxy settings. This commit moves proxy kubernetes configuration to a separate nested block to provide more fine grained settings: ```yaml auth: kubernetes_ca_cert_path: /tmp/custom-ca proxy: enabled: yes kubernetes: enabled: yes public_addr: [custom.example.com:port] api_addr: kuberentes.example.com:443 listen_addr: localhost:3026 ``` 1. Kubernetes config section is explicitly enabled and disabled. It is disabled by default. 2. Public address in kubernetes section is propagated to tsh profile The other part of the commit updates Ping endpoint to send proxy configuration back to the client, including kubernetes public address and ssh listen address. Clients updates profile accordingly to configuration received from the proxy.
2018-08-02 00:25:16 +00:00
// ProxyConfig specifies configuration for proxy service
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
type ProxyConfig struct {
// Enabled turns proxy role on or off for this process
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
Enabled bool
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
Fixes for https://github.com/gravitational/teleport/pull/1426
2017-10-29 10:50:29 +00:00
//DisableTLS is enabled if we don't want self signed certs
DisableTLS bool
fix and complete tests
2017-05-20 19:52:03 +00:00
// DisableWebInterface allows to turn off serving the Web UI interface
DisableWebInterface bool
// DisableWebService turnes off serving web service completely, including web UI
DisableWebService bool
// DisableReverseTunnel disables reverse tunnel on the proxy
DisableReverseTunnel bool
Added an option to disable web ui
2016-04-06 08:15:04 +00:00
Database access (#5005)
2021-01-15 02:21:38 +00:00
// DisableDatabaseProxy disables database access proxy listener
DisableDatabaseProxy bool
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
ReverseTunnelListenAddr utils.NetAddr
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
Join address for web, reverse tunnel, fixes #1544 Support configuration for web and reverse tunnel proxies to listen on the same port. * Default config are not changed for backwards compatibility. * If administrator configures web and reverse tunnel addresses to be on the same port, multiplexing is turned on * In trusted clusters configuration reverse_tunnel_addr defaults to web_addr.
2018-01-06 00:20:56 +00:00
// EnableProxyProtocol enables proxy protocol support
EnableProxyProtocol bool
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
// WebAddr is address for web portal of the proxy
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
WebAddr utils.NetAddr
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
Cleaned up
2015-11-02 21:02:34 +00:00
// SSHAddr is address of ssh proxy
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
SSHAddr utils.NetAddr
Added proxy, needs more test and cleaning up
2015-10-31 01:17:37 +00:00
Add MySQL support for database access (#5453)
2021-02-10 19:08:13 +00:00
// MySQLAddr is address of MySQL proxy.
MySQLAddr utils.NetAddr
Fixing golint warnings, batch 1 Mostly cosmetic changes: - making receiver names consistent - renaming `foo.FooBar` to `foo.Bar` (using package name as prefix) - removing redundant `else` branches - changing `a += 1` to `a++`
2020-10-05 22:12:25 +00:00
Limiter limiter.Config
Added public_address to proxy server configuration and heartbeat.
2017-03-17 01:22:27 +00:00
Split public_addr into web_proxy_addr and ssh_proxy_addr.
2018-08-29 22:54:35 +00:00
// PublicAddrs is a list of the public addresses the proxy advertises
// for the HTTP endpoint. The hosts in in PublicAddr are included in the
// list of host principals on the TLS and SSH certificate.
Add public_addr support for auth and ssh services. This commit fixes #1803, fixes #1889 * Adds support for public_addr for Proxy and Auth * Parameter advertise_ip now supports host:port format * Fixes incorrect output for tctl get proxies * Fixes duplicate output of some error messages.
2018-05-02 22:45:31 +00:00
PublicAddrs []utils.NetAddr
Kubernetes configuration, fetch proxy settings. This commit moves proxy kubernetes configuration to a separate nested block to provide more fine grained settings: ```yaml auth: kubernetes_ca_cert_path: /tmp/custom-ca proxy: enabled: yes kubernetes: enabled: yes public_addr: [custom.example.com:port] api_addr: kuberentes.example.com:443 listen_addr: localhost:3026 ``` 1. Kubernetes config section is explicitly enabled and disabled. It is disabled by default. 2. Public address in kubernetes section is propagated to tsh profile The other part of the commit updates Ping endpoint to send proxy configuration back to the client, including kubernetes public address and ssh listen address. Clients updates profile accordingly to configuration received from the proxy.
2018-08-02 00:25:16 +00:00
Split public_addr into web_proxy_addr and ssh_proxy_addr.
2018-08-29 22:54:35 +00:00
// SSHPublicAddrs is a list of the public addresses the proxy advertises
// for the SSH endpoint. The hosts in in PublicAddr are included in the
// list of host principals on the TLS and SSH certificate.
SSHPublicAddrs []utils.NetAddr
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// TunnelPublicAddrs is a list of the public addresses the proxy advertises
// for the tunnel endpoint. The hosts in in PublicAddr are included in the
// list of host principals on the TLS and SSH certificate.
TunnelPublicAddrs []utils.NetAddr
Kubernetes configuration, fetch proxy settings. This commit moves proxy kubernetes configuration to a separate nested block to provide more fine grained settings: ```yaml auth: kubernetes_ca_cert_path: /tmp/custom-ca proxy: enabled: yes kubernetes: enabled: yes public_addr: [custom.example.com:port] api_addr: kuberentes.example.com:443 listen_addr: localhost:3026 ``` 1. Kubernetes config section is explicitly enabled and disabled. It is disabled by default. 2. Public address in kubernetes section is propagated to tsh profile The other part of the commit updates Ping endpoint to send proxy configuration back to the client, including kubernetes public address and ssh listen address. Clients updates profile accordingly to configuration received from the proxy.
2018-08-02 00:25:16 +00:00
// Kube specifies kubernetes proxy configuration
Kube KubeProxyConfig
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// KeyPairs are the key and certificate pairs that the proxy will load.
KeyPairs []KeyPairPath
Adds ACME - auto cert management This commit fixes #5177 Initial implementation uses dir backend as a cache and is OK for small clusters, but will be a problem for many proxies. This implementation uses Go autocert that is quite limited compared to Caddy's certmagic or lego. Autocert has no OCSP stapling and no locking for cache for example. However, it is much simpler and has no dependencies. It will be easier to extend to use Teleport backend as a cert cache. ```yaml proxy_service: public_addr: ['example.com'] # ACME - automatic certificate management environment. # # It provisions certificates for domains and # valid subdomains in public_addr section. # # The sudomains are valid if there is a registered application. # For example, app.example.com will get a cert if app is a regsitered # application access app. The sudomain cookie.example.com is not. # # Teleport acme is using TLS-ALPN-01 challenge: # # https://letsencrypt.org/docs/challenge-types/#tls-alpn-01 # acme: # By default acme is disabled. enabled: true # Use a custom URI, for example staging is # # https://acme-staging-v02.api.letsencrypt.org/directory # # Default is letsencrypt.org production URL: # # https://acme-v02.api.letsencrypt.org/directory uri: '' # Set email to receive alerts and other correspondence # from your certificate authority. email: 'alice@example.com' ```
2020-12-20 03:56:03 +00:00
// ACME is ACME protocol support config
ACME ACME
}
// ACME configures ACME automatic certificate renewal
type ACME struct {
// Enabled enables or disables ACME support
Enabled bool
// Email receives notifications from ACME server
Email string
// URI is ACME server URI
URI string
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
}
// KeyPairPath are paths to a key and certificate file.
type KeyPairPath struct {
// PrivateKey is the path to a PEM encoded private key.
PrivateKey string
// Certificate is the path to a PEM encoded certificate.
Certificate string
Kubernetes configuration, fetch proxy settings. This commit moves proxy kubernetes configuration to a separate nested block to provide more fine grained settings: ```yaml auth: kubernetes_ca_cert_path: /tmp/custom-ca proxy: enabled: yes kubernetes: enabled: yes public_addr: [custom.example.com:port] api_addr: kuberentes.example.com:443 listen_addr: localhost:3026 ``` 1. Kubernetes config section is explicitly enabled and disabled. It is disabled by default. 2. Public address in kubernetes section is propagated to tsh profile The other part of the commit updates Ping endpoint to send proxy configuration back to the client, including kubernetes public address and ssh listen address. Clients updates profile accordingly to configuration received from the proxy.
2018-08-02 00:25:16 +00:00
}
Add kube_listen_addr to proxy_service (#4616) This is a shorthand for the larger kubernetes section: ``` proxy_service: kube_listen_addr: "0.0.0.0:3026" ``` if equivalent to: ``` proxy_service: kubernetes: enabled: yes listen_addr: "0.0.0.0:3026" ``` This shorthand is meant to be used with the new `kubernetes_service`: https://github.com/gravitational/teleport/pull/4455 It reduces confusion when both `proxy_service` and `kubernetes_service` are configured in the same process.
2020-10-28 21:52:08 +00:00
// KubeAddr returns the address for the Kubernetes endpoint on this proxy that
// can be reached by clients.
Use the correct k8s port in tctl auth sign --format=kubernetes Previously, it used the public_addr of the proxy directly. Now it parses it and replaces the port with k8s port.
2020-09-30 21:04:09 +00:00
func (c ProxyConfig) KubeAddr() (string, error) {
if !c.Kube.Enabled {
return "", trace.NotFound("kubernetes support not enabled on this proxy")
}
if len(c.Kube.PublicAddrs) > 0 {
return fmt.Sprintf("https://%s", c.Kube.PublicAddrs[0].Addr), nil
}
host := "<proxyhost>"
// Try to guess the hostname from the HTTP public_addr.
if len(c.PublicAddrs) > 0 {
host = c.PublicAddrs[0].Host()
}
Add kubernetes_service to teleport.yaml (#4497) * Fix local etcd test failures when etcd is not running * Add kubernetes_service to teleport.yaml This plumbs config fields only, they have no effect yet. Also, remove `cluster_name` from `proxy_config.kubernetes`. This field will only exist under `kubernetes_service` per https://github.com/gravitational/teleport/pull/4455 * Handle IPv6 in kubernetes_service and rename label fields * Disable k8s cluster name defaulting in user TLS certs Need to implement service registration first.
2020-10-19 17:28:10 +00:00
u := url.URL{
Scheme: "https",
Host: net.JoinHostPort(host, strconv.Itoa(c.Kube.ListenAddr.Port(defaults.KubeListenPort))),
}
return u.String(), nil
Use the correct k8s port in tctl auth sign --format=kubernetes Previously, it used the public_addr of the proxy directly. Now it parses it and replaces the port with k8s port.
2020-09-30 21:04:09 +00:00
}
Kubernetes configuration, fetch proxy settings. This commit moves proxy kubernetes configuration to a separate nested block to provide more fine grained settings: ```yaml auth: kubernetes_ca_cert_path: /tmp/custom-ca proxy: enabled: yes kubernetes: enabled: yes public_addr: [custom.example.com:port] api_addr: kuberentes.example.com:443 listen_addr: localhost:3026 ``` 1. Kubernetes config section is explicitly enabled and disabled. It is disabled by default. 2. Public address in kubernetes section is propagated to tsh profile The other part of the commit updates Ping endpoint to send proxy configuration back to the client, including kubernetes public address and ssh listen address. Clients updates profile accordingly to configuration received from the proxy.
2018-08-02 00:25:16 +00:00
// KubeProxyConfig specifies configuration for proxy service
type KubeProxyConfig struct {
// Enabled turns kubernetes proxy role on or off for this process
Enabled bool
Use the correct k8s port in tctl auth sign --format=kubernetes Previously, it used the public_addr of the proxy directly. Now it parses it and replaces the port with k8s port.
2020-09-30 21:04:09 +00:00
// ListenAddr is the address to listen on for incoming kubernetes requests.
Kubernetes configuration, fetch proxy settings. This commit moves proxy kubernetes configuration to a separate nested block to provide more fine grained settings: ```yaml auth: kubernetes_ca_cert_path: /tmp/custom-ca proxy: enabled: yes kubernetes: enabled: yes public_addr: [custom.example.com:port] api_addr: kuberentes.example.com:443 listen_addr: localhost:3026 ``` 1. Kubernetes config section is explicitly enabled and disabled. It is disabled by default. 2. Public address in kubernetes section is propagated to tsh profile The other part of the commit updates Ping endpoint to send proxy configuration back to the client, including kubernetes public address and ssh listen address. Clients updates profile accordingly to configuration received from the proxy.
2018-08-02 00:25:16 +00:00
ListenAddr utils.NetAddr
// ClusterOverride causes all traffic to go to a specific remote
// cluster, used only in tests
ClusterOverride string
// PublicAddrs is a list of the public addresses the Teleport Kube proxy can be accessed by,
// it also affects the host principals and routing logic
PublicAddrs []utils.NetAddr
Kubernetes proxy to use impersonation API This commit switches Teleport proxy to use impersonation API instead of the CSR API. This allows Teleport to work on EKS clusters, GKE and all other CNCF compabitble clusters. This commit updates helm chart RBAC as well. It introduces extra configuration flag to proxy_service configuration parameter: ```yaml proxy_service: # kubeconfig_file is used for scenarios # when Teleport Proxy is deployed outside # of the kubernetes cluster kubeconfig_file: /path/to/kube/config ``` It deprecates similar flag in auth_service: ```yaml auth_service: # DEPRECATED. THIS FLAG IS IGNORED kubeconfig_file: /path/to/kube/config ```
2019-03-11 03:25:43 +00:00
// KubeconfigPath is a path to kubeconfig
KubeconfigPath string
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
}
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
// AuthConfig is a configuration of the auth server
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
type AuthConfig struct {
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
// Enabled turns auth role on or off for this process
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
Enabled bool
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// EnableProxyProtocol enables proxy protocol support
EnableProxyProtocol bool
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
// SSHAddr is the listening address of SSH tunnel to HTTP service
Removed old configuration persistence - Removed `yaml` structure attributes - Removed "LoadFromYAML()" routine - Removed YAML persistence tests References #133
2016-02-14 05:09:17 +00:00
SSHAddr utils.NetAddr
first batch of code changes of moving telescope into teleport
2015-10-24 23:04:13 +00:00
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
// Authorities is a set of trusted certificate authorities
// that will be added by this auth server on the first start
Authorities []services.CertAuthority
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
Support resource-based bootstrapping for backend. (#2871) * Support resource-based bootstrapping for backend. Outside of static configuration, most of the persistent state of an auth server exists as a collection of resources, stored in its backend. The resource API also forms the basis of Teleport's more advanced dynamic configuration options. This commit extends the usefulness of the resource API by adding the ability to bootstrap backend state with a set of previously exported resources. This allows the resource API to serve as a rudimentary backup/migration tool. Notes: This features is a work in progress, and very easy to misuse; while it will prevent you from overwriting the state of an existing auth server, it won't stop you from bootstrapping into a wildly misconfigured state. In general, resource-based bootstrapping is not a complete solution for backup or migration. * update e-ref
2019-08-29 23:16:03 +00:00
// Resources is a set of previously backed up resources
// used to bootstrap backend state on the first start.
Resources []services.Resource
fix integration tests
2016-12-30 22:47:52 +00:00
// Roles is a set of roles to pre-provision for this cluster
Roles []services.Role
Re-factored cluster configuration.
2017-07-28 18:37:12 +00:00
// ClusterName is a name that identifies this authority and all
Introduce auth server and proxy heartbeats This commit introduces heartbeats of AuthServers and Proxies and fixes several issues: 1. Server init problem There was an issue in server init, when certificates of multiple roles were overwriting each otther. Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert This also means that it's backwards incompatible with previous on disk format. 2. Proxy and Auth heartbeats Auth servers and proxies now heartbeat into cluster as well 3. Bugfixes: * Proxy role was missing, it is now treated as a separate role with permissions * AdvertiseIP is now a global setting that can be used by all roles * --advertise-ip flag was ignored and was never applied * teleport service initialization has been simplified, now each role get it's own client * minor cleanups
2016-03-12 04:09:40 +00:00
// host nodes in the cluster that will share this authority domain name
// as a base name, e.g. if authority domain name is example.com,
// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
Re-factored cluster configuration.
2017-07-28 18:37:12 +00:00
ClusterName services.ClusterName
Introduce auth server and proxy heartbeats This commit introduces heartbeats of AuthServers and Proxies and fixes several issues: 1. Server init problem There was an issue in server init, when certificates of multiple roles were overwriting each otther. Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert This also means that it's backwards incompatible with previous on disk format. 2. Proxy and Auth heartbeats Auth servers and proxies now heartbeat into cluster as well 3. Bugfixes: * Proxy role was missing, it is now treated as a separate role with permissions * AdvertiseIP is now a global setting that can be used by all roles * --advertise-ip flag was ignored and was never applied * teleport service initialization has been simplified, now each role get it's own client * minor cleanups
2016-03-12 04:09:40 +00:00
Flexible tokens: - Static never-expiring tokens - TTL tokens - Single-use tokens with TTL of 30 mins
2016-05-12 07:44:25 +00:00
// StaticTokens are pre-defined host provisioning tokens supplied via config file for
// environments where paranoid security is not needed
Re-factored cluster configuration.
2017-07-28 18:37:12 +00:00
StaticTokens services.StaticTokens
Flexible tokens: - Static never-expiring tokens - TTL tokens - Single-use tokens with TTL of 30 mins
2016-05-12 07:44:25 +00:00
Added dynamic_config and removed seed_config.
2017-03-01 01:38:31 +00:00
// StorageConfig contains configuration settings for the storage backend.
Finished cleaning up storage back-ends I hope this closes #688
2017-01-16 00:27:19 +00:00
StorageConfig backend.Config
Added rate limiter, connection limiter
2015-12-02 18:51:32 +00:00
Fixing golint warnings, batch 1 Mostly cosmetic changes: - making receiver names consistent - renaming `foo.FooBar` to `foo.Bar` (using package name as prefix) - removing redundant `else` branches - changing `a += 1` to `a++`
2020-10-05 22:12:25 +00:00
Limiter limiter.Config
Implemented a new Teleport option: "no recording" Teleport configuration now has a new field: NoAudit (false by default, which means audit is always on). When this option is set, Teleport will not record events and will not record sessions. It's implemented by adding "DiscardLogger" which implements the same interface as teh real logger, and it's plugged into the system instead. NOTE: this option is not exposed in teleport in any way: no config file, no switch, etc. I quickly needed it for Telecast.
2016-09-06 05:12:57 +00:00
// NoAudit, when set to true, disables session recording and event audit
NoAudit bool
Implmented U2F registration and some of authentication on the server side I know comments are very lacking right now. Once things are stable I will add proper comments. Minimal manual testing of the U2F registration API was done with a hardware U2F key. Some of the code may need to be cleaned up later to remove excessively long variable names... Currently we return an error rightaway if the username/password combo is wrong. It's difficult to do U2F without revealing either whether a user exists or whether the password is correct. Returning error immediately reveals whether the user/password combo is valid, while waiting until we get a signed response from the U2F device to announce whether the user/pass combo is valid can reveal which users exist since we need to return a keyHandle in the U2F SignRequest and generating fake keyHandles for nonexistent users can be difficult to get right since there is no rigid format for keyHandle.
2016-10-14 06:51:16 +00:00
Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation.
2017-02-14 02:29:27 +00:00
// Preference defines the authentication preference (type and second factor) for
// the auth server.
Preference services.AuthPreference
Changes for the upcoming teleport pro: * Allow external audit log plugins * Add support for auth API server plugins * Add license file path configuration parameter (not used in open-source) * Extend audit log with user login events
2017-11-22 01:35:58 +00:00
Added forwarding SSH server.
2017-11-29 00:15:46 +00:00
// ClusterConfig stores cluster level configuration.
ClusterConfig services.ClusterConfig
Changes for the upcoming teleport pro: * Allow external audit log plugins * Add support for auth API server plugins * Add license file path configuration parameter (not used in open-source) * Extend audit log with user login events
2017-11-22 01:35:58 +00:00
// LicenseFile is a full path to the license file
LicenseFile string
Add public_addr support for auth and ssh services. This commit fixes #1803, fixes #1889 * Adds support for public_addr for Proxy and Auth * Parameter advertise_ip now supports host:port format * Fixes incorrect output for tctl get proxies * Fixes duplicate output of some error messages.
2018-05-02 22:45:31 +00:00
// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
PublicAddrs []utils.NetAddr
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
}
// SSHConfig configures SSH server node role
type SSHConfig struct {
Added support for allowing the reading of a users environment when creating a new child session from ~/.tsh/environment.
2017-05-26 19:28:46 +00:00
Enabled bool
Addr utils.NetAddr
Namespace string
Shell string
Fixing golint warnings, batch 1 Mostly cosmetic changes: - making receiver names consistent - renaming `foo.FooBar` to `foo.Bar` (using package name as prefix) - removing redundant `else` branches - changing `a += 1` to `a++`
2020-10-05 22:12:25 +00:00
Limiter limiter.Config
Added support for allowing the reading of a users environment when creating a new child session from ~/.tsh/environment.
2017-05-26 19:28:46 +00:00
Labels map[string]string
CmdLabels services.CommandLabels
PermitUserEnvironment bool
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
// PAM holds PAM configuration for Teleport.
PAM *pam.Config
Add public_addr support for auth and ssh services. This commit fixes #1803, fixes #1889 * Adds support for public_addr for Proxy and Auth * Parameter advertise_ip now supports host:port format * Fixes incorrect output for tctl get proxies * Fixes duplicate output of some error messages.
2018-05-02 22:45:31 +00:00
// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
PublicAddrs []utils.NetAddr
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// BPF holds BPF configuration for Teleport.
BPF *bpf.Config
orbit-compatible packaging and configuration for teleport and telescope
2015-10-13 00:50:36 +00:00
}
Add kubernetes_service to teleport.yaml (#4497) * Fix local etcd test failures when etcd is not running * Add kubernetes_service to teleport.yaml This plumbs config fields only, they have no effect yet. Also, remove `cluster_name` from `proxy_config.kubernetes`. This field will only exist under `kubernetes_service` per https://github.com/gravitational/teleport/pull/4455 * Handle IPv6 in kubernetes_service and rename label fields * Disable k8s cluster name defaulting in user TLS certs Need to implement service registration first.
2020-10-19 17:28:10 +00:00
// KubeConfig specifies configuration for kubernetes service
type KubeConfig struct {
// Enabled turns kubernetes service role on or off for this process
Enabled bool
// ListenAddr is the address to listen on for incoming kubernetes requests.
// Optional.
ListenAddr *utils.NetAddr
// PublicAddrs is a list of the public addresses the Teleport kubernetes
// service can be reached by the proxy service.
PublicAddrs []utils.NetAddr
// KubeClusterName is the name of a kubernetes cluster this proxy is running
// in. If empty, defaults to the Teleport cluster name.
KubeClusterName string
// KubeconfigPath is a path to kubeconfig
KubeconfigPath string
// Labels are used for RBAC on clusters.
StaticLabels map[string]string
DynamicLabels services.CommandLabels
Implement kubernetes_service registration and startup (#4611) * Implement kubernetes_service registration and sratup The new service now starts, registers (locally or via a join token) and heartbeats its presence to the auth server. This service can handle k8s requests (like a proxy) but not to remote teleport clusters. Proxies will be responsible for routing those. The client (tsh) will not yet go to this service, until proxy routing is implemented. I manually tweaked server addres in kubeconfig to test it. You can also run `tctl get kube_service` to list all registered instances. The self-reported info is currently limited - only listening address is set. * Address review feedback
2020-10-30 17:19:53 +00:00
// Limiter limits the connection and request rates.
Limiter limiter.Config
Add kubernetes_service to teleport.yaml (#4497) * Fix local etcd test failures when etcd is not running * Add kubernetes_service to teleport.yaml This plumbs config fields only, they have no effect yet. Also, remove `cluster_name` from `proxy_config.kubernetes`. This field will only exist under `kubernetes_service` per https://github.com/gravitational/teleport/pull/4455 * Handle IPv6 in kubernetes_service and rename label fields * Disable k8s cluster name defaulting in user TLS certs Need to implement service registration first.
2020-10-19 17:28:10 +00:00
}
Database access (#5005)
2021-01-15 02:21:38 +00:00
// DatabasesConfig configures the database proxy service.
type DatabasesConfig struct {
// Enabled enables the database proxy service.
Enabled bool
// Databases is a list of databases proxied by this service.
Databases []Database
}
// Database represents a single database that's being proxied.
type Database struct {
// Name is the database name, used to refer to in CLI.
Name string
// Description is a free-form database description.
Description string
// Protocol is the database type, e.g. postgres or mysql.
Protocol string
// URI is the database endpoint to connect to.
URI string
// StaticLabels is a map of database static labels.
StaticLabels map[string]string
// DynamicLabels is a list of database dynamic labels.
DynamicLabels services.CommandLabels
// CACert is an optional database CA certificate.
CACert []byte
// AWS contains AWS specific settings for RDS/Aurora.
AWS DatabaseAWS
}
// DatabaseAWS contains AWS specific settings for RDS/Aurora databases.
type DatabaseAWS struct {
// Region is the cloud region database is running in when using AWS RDS.
Region string
}
// Check validates the database proxy configuration.
func (d *Database) Check() error {
if d.Name == "" {
return trace.BadParameter("empty database name")
}
// Unlike application access proxy, database proxy name doesn't necessarily
// need to be a valid subdomain but use the same validation logic for the
// simplicity and consistency.
if errs := validation.IsDNS1035Label(d.Name); len(errs) > 0 {
return trace.BadParameter("invalid database %q name: %v", d.Name, errs)
}
if !utils.SliceContainsStr(defaults.DatabaseProtocols, d.Protocol) {
return trace.BadParameter("unsupported database %q protocol %q, supported are: %v",
d.Name, d.Protocol, defaults.DatabaseProtocols)
}
if _, _, err := net.SplitHostPort(d.URI); err != nil {
return trace.BadParameter("invalid database %q address %q: %v",
d.Name, d.URI, err)
}
if len(d.CACert) != 0 {
if _, err := tlsca.ParseCertificatePEM(d.CACert); err != nil {
return trace.BadParameter("provided database %q CA doesn't appear to be a valid x509 certificate: %v",
d.Name, err)
}
}
return nil
}
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// AppsConfig configures application proxy service.
type AppsConfig struct {
// Enabled enables application proxying service.
Enabled bool
// DebugApp enabled a header dumping debugging application.
DebugApp bool
// Apps is the list of applications that are being proxied.
Apps []App
}
// App is the specific application that will be proxied by the application
// service. This needs to exist because if the "config" package tries to
// directly create a services.App it will get into circular imports.
type App struct {
// Name of the application.
Name string
// URI is the internal address of the application.
URI string
// Public address of the application. This is the address users will access
// the application at.
PublicAddr string
// StaticLabels is a map of static labels to apply to this application.
StaticLabels map[string]string
// DynamicLabels is a list of dynamic labels to apply to this application.
DynamicLabels services.CommandLabels
// InsecureSkipVerify is used to skip validating the server's certificate.
InsecureSkipVerify bool
// Rewrite defines a block that is used to rewrite requests and responses.
Rewrite *Rewrite
}
Consolidated application checks. Consolidated application validation checks. The previous implementation had a bug in it where it would fail if no /etc/teleport.yaml existed.
2020-11-17 05:03:26 +00:00
// Check validates an application.
func (a App) Check() error {
if a.Name == "" {
return trace.BadParameter("missing application name")
}
if a.URI == "" {
return trace.BadParameter("missing application URI")
}
// Check if the application name is a valid subdomain. Don't allow names that
// are invalid subdomains because for trusted clusters the name is used to
// construct the domain that the application will be available at.
if errs := validation.IsDNS1035Label(a.Name); len(errs) > 0 {
Cherry pick Gravitational -> GoTeleport (#4932)
2020-11-25 19:18:55 +00:00
return trace.BadParameter("application name %q must be a valid DNS subdomain: https://goteleport.com/teleport/docs/application-access/#application-name", a.Name)
Consolidated application checks. Consolidated application validation checks. The previous implementation had a bug in it where it would fail if no /etc/teleport.yaml existed.
2020-11-17 05:03:26 +00:00
}
// Parse and validate URL.
if _, err := url.Parse(a.URI); err != nil {
return trace.BadParameter("application URI invalid: %v", err)
}
// If a port was specified or an IP address was provided for the public
// address, return an error.
if a.PublicAddr != "" {
if _, _, err := net.SplitHostPort(a.PublicAddr); err == nil {
return trace.BadParameter("public_addr %q can not contain a port, applications will be available on the same port as the web proxy", a.PublicAddr)
}
if net.ParseIP(a.PublicAddr) != nil {
return trace.BadParameter("public_addr %q can not be an IP address, Teleport Application Access uses DNS names for routing", a.PublicAddr)
}
}
return nil
}
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// Rewrite is a list of rewriting rules to apply to requests and responses.
type Rewrite struct {
// Redirect is a list of hosts that should be rewritten to the public address.
Redirect []string
}
This commit adds ability to preconfigure the cluster without running auth server. This is needed when you configure cluster from scratch and all nodes including auth server spin up simultaneously. * Add tctl tools to generate keys and certificates + Command "tctl authorities gen" generates public and private keypair. + Command "tctl authorities gencert" generates public and private keypair signed by existng private key + Command "tctl authorities export" was modified to be able to export exisitng private CA keys to local storage All of these commands are hidden by default. section "static configuration" * Add ability to configure teleport from environment variable Environment variable TELEPORT_CONFIG can contain base64 encoded YAML file config file of the standard file format, so teleport will use it on start * Add special secrets section to the config file Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys * Add special rts hidden section to add support for provisioning
2016-03-28 19:58:34 +00:00
// MakeDefaultConfig creates a new Config structure and populates it with defaults
Better "sample config" implementation Three changes: - Sample configuration is no longer a dump of a string constant. It's generated using the same data structure used for configuration parsing. This guarantees that 'teleport configure' will always dump a valid sample config file. - Added a unit test which validates sample configuration and verifies its correctness - MakeSampleConfig() does not return an error anymore. It will default to 'localhost' with error logged instead of failing. It makes no sense to fail when generating an example. Also this makes code cleaner.
2016-02-24 07:35:25 +00:00
func MakeDefaultConfig() (config *Config) {
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
config = &Config{}
Better "sample config" implementation Three changes: - Sample configuration is no longer a dump of a string constant. It's generated using the same data structure used for configuration parsing. This guarantees that 'teleport configure' will always dump a valid sample config file. - Added a unit test which validates sample configuration and verifies its correctness - MakeSampleConfig() does not return an error anymore. It will default to 'localhost' with error logged instead of failing. It makes no sense to fail when generating an example. Also this makes code cleaner.
2016-02-24 07:35:25 +00:00
ApplyDefaults(config)
return config
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
}
merged from alex/sharing
2016-02-17 19:58:28 +00:00
// ApplyDefaults applies default values to the existing config structure
Better "sample config" implementation Three changes: - Sample configuration is no longer a dump of a string constant. It's generated using the same data structure used for configuration parsing. This guarantees that 'teleport configure' will always dump a valid sample config file. - Added a unit test which validates sample configuration and verifies its correctness - MakeSampleConfig() does not return an error anymore. It will default to 'localhost' with error logged instead of failing. It makes no sense to fail when generating an example. Also this makes code cleaner.
2016-02-24 07:35:25 +00:00
func ApplyDefaults(cfg *Config) {
Update default cryptographic primitives.
2018-05-08 20:30:37 +00:00
// Get defaults for Cipher, Kex algorithms, and MAC algorithms from
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
// golang.org/x/crypto/ssh default config.
var sc ssh.Config
sc.SetDefaults()
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
if cfg.Log == nil {
cfg.Log = utils.NewLogger()
}
Update default cryptographic primitives.
2018-05-08 20:30:37 +00:00
// Remove insecure and (borderline insecure) cryptographic primitives from
// default configuration. These can still be added back in file configuration by
// users, but not supported by default by Teleport. See #1856 for more
// details.
kex := utils.RemoveFromSlice(sc.KeyExchanges,
defaults.DiffieHellmanGroup1SHA1,
defaults.DiffieHellmanGroup14SHA1)
macs := utils.RemoveFromSlice(sc.MACs,
defaults.HMACSHA1,
defaults.HMACSHA196)
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
hostname, err := os.Hostname()
if err != nil {
Better "sample config" implementation Three changes: - Sample configuration is no longer a dump of a string constant. It's generated using the same data structure used for configuration parsing. This guarantees that 'teleport configure' will always dump a valid sample config file. - Added a unit test which validates sample configuration and verifies its correctness - MakeSampleConfig() does not return an error anymore. It will default to 'localhost' with error logged instead of failing. It makes no sense to fail when generating an example. Also this makes code cleaner.
2016-02-24 07:35:25 +00:00
hostname = "localhost"
flaky tests: consistent logging (#4849) * Update logrus package to fix data races * Introduce a logger that uses the test context to log the messages so they are output if a test fails for improved trouble-shooting. * Revert introduction of test logger - simply leave logger configuration at debug level outputting to stderr during tests. * Run integration test for e as well * Use make with a cap and append to only copy the relevant roles. * Address review comments * Update integration test suite to use test-local logger that would only output logs iff a specific test has failed - no logs from other test cases will be output. * Revert changes to InitLoggerForTests API * Create a new logger instance when applying defaults or merging with file service configuration * Introduce a local logger interface to be able to test file configuration merge. * Fix kube integration tests w.r.t log * Move goroutine profile dump into a separate func to handle parameters consistently for all invocations
2020-12-07 14:35:15 +00:00
cfg.Log.Errorf("Failed to determine hostname: %v.", err)
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// Global defaults.
Finished cleaning up storage back-ends I hope this closes #688
2017-01-16 00:27:19 +00:00
cfg.Hostname = hostname
cfg.DataDir = defaults.DataDir
cfg.Console = os.Stdout
Support configurable cipher suites.
2018-06-08 23:50:43 +00:00
cfg.CipherSuites = utils.DefaultCipherSuites()
Allow configuration of the ciphers, KEX algorithm, and MAC algorithms for node and proxy.
2017-06-10 02:32:31 +00:00
cfg.Ciphers = sc.Ciphers
Update default cryptographic primitives.
2018-05-08 20:30:37 +00:00
cfg.KEXAlgorithms = kex
cfg.MACAlgorithms = macs
Finished cleaning up storage back-ends I hope this closes #688
2017-01-16 00:27:19 +00:00
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// Auth service defaults.
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
cfg.Auth.Enabled = true
cfg.Auth.SSHAddr = *defaults.AuthListenAddr()
Cleanup of dead code. * Removed legacy backends no longer supported. * Removed code marked for deletion. * Updated Makefile to use $ instead of ` to match Enterprise.
2019-07-02 21:35:17 +00:00
cfg.Auth.StorageConfig.Type = lite.GetName()
Switch to default dir backend. This commit fixes #1741 * If bolt backend was used as a default, new teleport continues using it as a default to prevent regressions on start. * Otherwise, dir backend is used as a default.
2018-05-03 17:58:22 +00:00
cfg.Auth.StorageConfig.Params = backend.Params{defaults.BackendPath: filepath.Join(cfg.DataDir, defaults.BackendDir)}
Corrected static token handling.
2017-10-11 19:09:06 +00:00
cfg.Auth.StaticTokens = services.DefaultStaticTokens()
Set default cluster configuration when not specified.
2017-10-31 18:03:29 +00:00
cfg.Auth.ClusterConfig = services.DefaultClusterConfig()
Support viewing cluster auth preferences with `tctl get cap` (#5159)
2021-01-07 13:42:45 +00:00
cfg.Auth.Preference = services.DefaultAuthPreference()
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
defaults.ConfigureLimiter(&cfg.Auth.Limiter)
Changes for the upcoming teleport pro: * Allow external audit log plugins * Add support for auth API server plugins * Add license file path configuration parameter (not used in open-source) * Extend audit log with user login events
2017-11-22 01:35:58 +00:00
cfg.Auth.LicenseFile = filepath.Join(cfg.DataDir, defaults.LicenseFile)
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// Proxy service defaults.
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
cfg.Proxy.Enabled = true
cfg.Proxy.SSHAddr = *defaults.ProxyListenAddr()
cfg.Proxy.WebAddr = *defaults.ProxyWebListenAddr()
Handle HTTP connections to TLS socket in a more graceful way (#2886)
2019-08-13 17:03:22 +00:00
cfg.Proxy.ReverseTunnelListenAddr = *defaults.ReverseTunnelListenAddr()
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
defaults.ConfigureLimiter(&cfg.Proxy.Limiter)
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// Kubernetes proxy service defaults.
Kubernetes configuration, fetch proxy settings. This commit moves proxy kubernetes configuration to a separate nested block to provide more fine grained settings: ```yaml auth: kubernetes_ca_cert_path: /tmp/custom-ca proxy: enabled: yes kubernetes: enabled: yes public_addr: [custom.example.com:port] api_addr: kuberentes.example.com:443 listen_addr: localhost:3026 ``` 1. Kubernetes config section is explicitly enabled and disabled. It is disabled by default. 2. Public address in kubernetes section is propagated to tsh profile The other part of the commit updates Ping endpoint to send proxy configuration back to the client, including kubernetes public address and ssh listen address. Clients updates profile accordingly to configuration received from the proxy.
2018-08-02 00:25:16 +00:00
cfg.Proxy.Kube.Enabled = false
cfg.Proxy.Kube.ListenAddr = *defaults.KubeProxyListenAddr()
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
// SSH service defaults.
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
cfg.SSH.Enabled = true
Wrote tests for configuration defaults
2016-02-16 21:18:58 +00:00
cfg.SSH.Shell = defaults.DefaultShell
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
defaults.ConfigureLimiter(&cfg.SSH.Limiter)
Added PAM support to Teleport.
2018-02-24 01:23:09 +00:00
cfg.SSH.PAM = &pam.Config{Enabled: false}
Enhanced Session Recording. Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes.
2019-11-16 00:39:40 +00:00
cfg.SSH.BPF = &bpf.Config{Enabled: false}
Add kubernetes_service to teleport.yaml (#4497) * Fix local etcd test failures when etcd is not running * Add kubernetes_service to teleport.yaml This plumbs config fields only, they have no effect yet. Also, remove `cluster_name` from `proxy_config.kubernetes`. This field will only exist under `kubernetes_service` per https://github.com/gravitational/teleport/pull/4455 * Handle IPv6 in kubernetes_service and rename label fields * Disable k8s cluster name defaulting in user TLS certs Need to implement service registration first.
2020-10-19 17:28:10 +00:00
// Kubernetes service defaults.
cfg.Kube.Enabled = false
Implement kubernetes_service registration and startup (#4611) * Implement kubernetes_service registration and sratup The new service now starts, registers (locally or via a join token) and heartbeats its presence to the auth server. This service can handle k8s requests (like a proxy) but not to remote teleport clusters. Proxies will be responsible for routing those. The client (tsh) will not yet go to this service, until proxy routing is implemented. I manually tweaked server addres in kubeconfig to test it. You can also run `tctl get kube_service` to list all registered instances. The self-reported info is currently limited - only listening address is set. * Address review feedback
2020-10-30 17:19:53 +00:00
defaults.ConfigureLimiter(&cfg.Kube.Limiter)
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application.
2020-10-19 00:09:29 +00:00
// Apps service defaults. It's disabled by default.
cfg.Apps.Enabled = false
Database access (#5005)
2021-01-15 02:21:38 +00:00
// Databases proxy service is disabled by default.
cfg.Databases.Enabled = false
Added "connect to auth server" routine to tctl
2016-02-10 00:09:21 +00:00
}
Added support for FedRAMP/FIPS 140-2. Added "--fips" flag to "teleport start" command which can start Enterprise in FedRAMP/FIPS 140-2 mode. In FIPS mode, Teleport configures the TLS and SSH servers with FIPS compliant cryptographic algorithms. In FIPS mode, if non-compliant algorithms are chosen, Teleport will fail to start. In addition, Teleport checks if the binary was compiled against an approved cryptographic module (BoringCrypto) and fails to start if it was not. If a client, like tsh, tries to use non-FIPS encryption, like NaCl, those requests are also rejected.
2019-03-12 22:30:44 +00:00
// ApplyFIPSDefaults updates default configuration to be FedRAMP/FIPS 140-2
// compliant.
func ApplyFIPSDefaults(cfg *Config) {
cfg.FIPS = true
// Update TLS and SSH cryptographic primitives.
cfg.CipherSuites = defaults.FIPSCipherSuites
cfg.Ciphers = defaults.FIPSCiphers
cfg.KEXAlgorithms = defaults.FIPSKEXAlgorithms
cfg.MACAlgorithms = defaults.FIPSMACAlgorithms
// Only SSO based authentication is supported in FIPS mode. The SSO
// provider is where any FedRAMP/FIPS 140-2 compliance (like password
// complexity) should be enforced.
cfg.Auth.ClusterConfig.SetLocalAuth(false)
// Update cluster configuration to record sessions at node, this way the
// entire cluster is FedRAMP/FIPS 140-2 compliant.
cfg.Auth.ClusterConfig.SetSessionRecording(services.RecordAtNode)
}
Reference in a new issue Copy permalink