mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 16:53:57 +00:00
purge extra newlines (#24247)
This commit is contained in:
parent
94077c960e
commit
2f31c7479c
|
@ -173,7 +173,6 @@ run the Jira plugin on the same server as the Teleport Proxy, so you can use the
|
|||
|
||||
You should be able to run the Teleport plugin now!
|
||||
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scopes={["oss", "enterprise", "cloud"]}>
|
||||
```code
|
||||
|
|
|
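Review bot: `<TabItem label="Executable" scopes={["oss", "enterprise", "cloud"]}>` in this hunk uses a `scopes` prop, while the Mattermost hunk further down in the same commit uses `<TabItem label="Executable" scope={["oss", "enterprise"]}>`. If the TabItem component only recognizes `scope`, this tab is silently unscoped and shows for every edition. Please confirm which spelling the component accepts and align this line while the block is being touched.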
@ -272,7 +272,6 @@ severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN"
|
|||
|
||||
## Step 7/8. Test your Mattermost bot
|
||||
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scope={["oss", "enterprise"]}>
|
||||
After modifying your configuration, run the bot with the following command:
|
||||
|
|
|
@ -471,7 +471,6 @@ flag when you run the plugin binary later in this guide.
|
|||
|
||||
</Details>
|
||||
|
||||
|
||||
Edit the configuration file in `/etc/teleport-pagerduty.toml` as explained
|
||||
below:
|
||||
|
||||
|
@ -583,7 +582,6 @@ Access Request:
|
|||
![PagerDuty dashboard showing an Access
|
||||
Request](../../../img/enterprise/plugins/pagerduty/new-access-req-incident.png)
|
||||
|
||||
|
||||
### Resolve the request
|
||||
|
||||
(!docs/pages/includes/plugins/resolve-request.mdx!)
|
||||
|
|
|
@ -146,7 +146,6 @@ To request access to these resources, run
|
|||
--reason <request reason>
|
||||
```
|
||||
|
||||
|
||||
## Step 5/8. Request access to a resource
|
||||
|
||||
Copy the command output by `tsh request search` in the previous step, optionally filling in a request reason.
|
||||
|
|
|
@ -209,7 +209,6 @@ Bob can also assume granted Access Request roles using Web UI:
|
|||
|
||||
![Teleport Assume](../../../img/access-controls/dual-authz/teleport-7-bob-assume.png)
|
||||
|
||||
|
||||
{/* TODO: This H2 will show up in the table of contents when this section is invisible.
|
||||
We need a way to hide invisible H2s from the TOC. */}
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
|
|
|
@ -35,7 +35,6 @@ For example:
|
|||
- A Web browser with [WebAuthn support](
|
||||
https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/).
|
||||
|
||||
|
||||
## Step 1/3. Configuration
|
||||
|
||||
A v12.2+ Teleport cluster capable of WebAuthn is automatically capable of
|
||||
|
|
|
@ -62,7 +62,6 @@ spec:
|
|||
...
|
||||
```
|
||||
|
||||
|
||||
## Role example
|
||||
|
||||
Let's walk through an example of setting up IP pinning for a role.
|
||||
|
@ -79,6 +78,7 @@ spec:
|
|||
options:
|
||||
pin_source_ip: true
|
||||
```
|
||||
|
||||
The admin assigns this role to the user Alice, who then logs into Teleport using the 'tsh' command and tries
|
||||
to access a node from the same IP address she logged in with:
|
||||
|
||||
|
|
|
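Review bot: the header `@ -79,6 +78,7 @@` shows this hunk growing by one line, which runs against the stated purpose of the commit; every other hunk here only removes blank lines. It looks like a blank line was inserted between the closing ``` fence and `The admin assigns this role to the user Alice ...`. If that is deliberate (a fence followed by a blank line before prose is the usual style) it is fine, otherwise it should be dropped to keep the commit to its single intent. While here, `'tsh' command` in that sentence should use backticks (`tsh`), as the rest of the docs do.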
@ -4,7 +4,6 @@ description: Moderated Sessions
|
|||
h1: Moderated Sessions
|
||||
---
|
||||
|
||||
|
||||
## Introduction
|
||||
|
||||
Moderated Sessions allows Teleport administrators to define requirements for
|
||||
|
@ -168,7 +167,6 @@ A participant joining a session will always have one of three modes:
|
|||
- `moderator`: Allows you to watch the session. You can view output and forcefully terminate or pause the session at any time, but can't send input.
|
||||
- `peer`: Allows you to collaborate in the session. You can view output and send input.
|
||||
|
||||
|
||||
When joining a session with `tsh join` or `tsh kube join`, a user can specify a
|
||||
participant mode with the `--mode <mode>` flag , where the mode is one of `peer`,
|
||||
`moderator` or `observer`. By default, the mode is `observer`.
|
||||
|
|
|
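Review bot: style nit in the trailing context of this hunk: `participant mode with the `--mode <mode>` flag , where the mode is one of `peer`,` has a stray space before the comma. Since the paragraph is already in the diff, drop the space in the same change.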
@ -185,7 +185,6 @@ $ tsh login --proxy=mytenant.teleport.sh --user=alice
|
|||
|
||||
</ScopedBlock>
|
||||
|
||||
|
||||
## SSO users
|
||||
|
||||
Identity provider admins can assign metadata to a user such as group membership
|
||||
|
|
|
@ -46,7 +46,6 @@ information about the temporary user.
|
|||
You can inspect a temporary `user` resource created via your SSO integration
|
||||
by using the `tctl` command:
|
||||
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
|
||||
```code
|
||||
|
@ -560,7 +559,6 @@ If something is not working, we recommend to:
|
|||
|
||||
- Double-check the host names, tokens and TCP ports in a connector definition.
|
||||
|
||||
|
||||
### Using the Web UI
|
||||
|
||||
If you get "access denied" or other login errors, the number one place to check is the Audit
|
||||
|
|
|
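Review bot: grammar nit in the leading context line of this hunk, `If something is not working, we recommend to:`; "recommend to" followed by a list is not idiomatic. Suggest `If something is not working, try the following:` or `we recommend that you:`.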
@ -123,7 +123,6 @@ spec:
|
|||
|
||||
Replace the `acs` field with your Teleport address, update the group IDs in the `attributes_to_roles` field with the actual Azure AD group ID values, and insert the downloaded Federation Metadata XML into the `entity_descriptor` field.
|
||||
|
||||
|
||||
Create the connector using `tctl`:
|
||||
|
||||
```code
|
||||
|
@ -177,8 +176,6 @@ $ tctl create dev.yaml
|
|||
|
||||
![Login with Microsoft](../../../img/azuread/azure-11-loginwithmsft.png)
|
||||
|
||||
|
||||
|
||||
The CLI is the same as before:
|
||||
```code
|
||||
$ tsh --proxy=proxy.example.com login
|
||||
|
@ -389,7 +386,6 @@ Change the Name ID format to use email instead:
|
|||
|
||||
![Change NameID format to use email](../../../img/azuread/azuread-nameid.png)
|
||||
|
||||
|
||||
## Further reading
|
||||
- [Teleport Configuration Resources Reference](../../reference/resources.mdx)
|
||||
|
||||
|
|
|
@ -219,7 +219,6 @@ After logging in successfully, you will see the following:
|
|||
|
||||
![Login success view](../../../img/login-success.jpg)
|
||||
|
||||
|
||||
You will receive the details of your user session within the CLI.
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
|
|
|
@ -212,7 +212,6 @@ Configure [domain-wide
|
|||
The scope granted to the service account will determine if Teleport will
|
||||
fetch both direct and indirect groups or just direct groups, respectively.
|
||||
|
||||
|
||||
## Step 3/4. Create an OIDC connector
|
||||
|
||||
Create the following OIDC connector [resource spec](../../reference/resources.mdx) as `gworkspace-connector.yaml`. We will explain how to choose values for fields within the resource spec below.
|
||||
|
@ -233,7 +232,6 @@ Create the following OIDC connector [resource spec](../../reference/resources.md
|
|||
|
||||
The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your Google Workspace account. This user will generally need super admin or group admin privileges.
|
||||
|
||||
|
||||
Do not use the email of the service account for `google_admin_email`. The configuration display will look the same, but the service account will not have the required domain-wide delegation.
|
||||
|
||||
The `client_id` field must be the unique ID number captured from the Google Cloud Platform UI. An indicator that this is misconfigured is if you see "invalid Google Workspace credentials for scopes [...]" in your log.
|
||||
|
|
|
@ -975,4 +975,3 @@ short-lived credentials via Machine ID, which reduces the risk of these
|
|||
credentials becoming stolen. View our [Machine ID
|
||||
documentation](../machine-id/introduction.mdx) to learn more.
|
||||
|
||||
|
||||
|
|
|
@ -62,12 +62,10 @@ Enter a role name and press create role.
|
|||
|
||||
![Create Role Step 3](../../../img/application-access/create-role-example-readonly-3.png)
|
||||
|
||||
|
||||
### Repeat for Power User
|
||||
|
||||
Follow the same steps and select `PowerUserAccess` IAM Policy to create a `ExamplePowerUser` role.
|
||||
|
||||
|
||||
## Step 2/9. Update IAM role trust relationships
|
||||
|
||||
<Admonition type="note">
|
||||
|
|
|
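Review bot: article nit in the context line `Follow the same steps and select `PowerUserAccess` IAM Policy to create a `ExamplePowerUser` role.`; it should read `an `ExamplePowerUser` role` (and `the `PowerUserAccess` IAM policy` reads better).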
@ -240,7 +240,6 @@ Azure managed identities (if any) they can access.
|
|||
There are two approaches you can take to authorize users to access Azure
|
||||
identities.
|
||||
|
||||
|
||||
|Approach|Description|Supported User Types|
|
||||
|---|---|---|
|
||||
|**Dynamic**|A Teleport role includes a template variable that grants a user access to all Azure identities assigned directly to them.|Local users, OIDC, SAML|
|
||||
|
|
|
@ -69,7 +69,6 @@ $ tctl tokens add \
|
|||
|
||||
### Start Teleport
|
||||
|
||||
|
||||
Install Teleport on the host where you will run the Teleport Application Service. See our [Installation](../installation.mdx) page for options besides Linux servers.
|
||||
|
||||
(!docs/pages/includes/install-linux.mdx!)
|
||||
|
|
|
@ -103,7 +103,6 @@ $ tctl create app.yaml
|
|||
|
||||
</ScopedBlock>
|
||||
|
||||
|
||||
After the resource has been created, it will appear among the list of available
|
||||
apps (in `tsh apps ls` or UI) as long as at least one Application Service
|
||||
instance picks it up according to its label selectors.
|
||||
|
|
|
@ -208,7 +208,6 @@ The same applies to Kubernetes:
|
|||
- Alice can access kubernetes cluster as `system:masters` if it's labeled as `test` or `stage`.
|
||||
- Alice can access kubernetes clusters only as a `view` role if it's labeled as `prod`.
|
||||
|
||||
|
||||
### Role templates
|
||||
|
||||
Roles support template variables. Here is a role snippet that explains
|
||||
|
|
|
@ -147,8 +147,6 @@ See the [reference](../reference/audit.mdx#recorded-sessions) to learn how to tu
|
|||
on the recording proxy mode. Note that the recording mode is configured on the
|
||||
Auth Service.
|
||||
|
||||
|
||||
|
||||
## More concepts
|
||||
|
||||
- [Architecture Overview](../core-concepts.mdx)
|
||||
|
|
|
@ -295,8 +295,6 @@ more information.)
|
|||
|
||||
![DynamoDB local connection in NoSQL Workbench](../../img/database-access/nosql-workbench-connection.png)
|
||||
|
||||
|
||||
|
||||
## SQL Server DBeaver
|
||||
|
||||
In the DBeaver connection configuration menu, use your proxy's endpoint. This is
|
||||
|
@ -356,10 +354,8 @@ Congratulations! You have just connected to your Redis instance.
|
|||
|
||||
![Redis Insight Connected](../../img/database-access/guides/redis/redisinsight-connected.png)
|
||||
|
||||
|
||||
## Snowflake: JetBrains (IntelliJ, Goland, DataGrip, PyCharm, etc.)
|
||||
|
||||
|
||||
The Snowflake integration works only in the authenticated proxy mode. Start a local proxy for connections to your Snowflake database by using the command below:
|
||||
```
|
||||
tsh proxy db --tunnel --port 2000 snowflake
|
||||
|
|
|
@ -139,7 +139,6 @@ a custom home location through [the `TELEPORT_HOME` environment
|
|||
variable](../reference/cli.mdx#tsh-environment-variables). For example, logging in to a new cluster
|
||||
through tsh will not make that cluster show up in Teleport Connect.
|
||||
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="macOS">
|
||||
To add tsh to `PATH`, execute `tsh install` from the command bar in Teleport Connect. This will
|
||||
|
@ -173,7 +172,6 @@ The file will open in your default editor.
|
|||
|
||||
Below is the list of the supported config properties.
|
||||
|
||||
|
||||
| Property | Default | Description |
|
||||
|-------------------------------|----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
|
||||
| `usageReporting.enabled` | `false` | Enables collecting anonymous usage data (see [Telemetry](#telemetry)). |
|
||||
|
@ -215,7 +213,6 @@ Available key codes:
|
|||
- `,`, `.`, `/`, `\`, `` ` ``, `-`, `=`, `;`, `'`, `[`, `]`
|
||||
- `Space`, `Tab`, `CapsLock`, `NumLock`, `ScrollLock`, `Backspace`, `Delete`, `Insert`, `Enter`, `Up`, `Down`, `Left`, `Right`, `Home`, `End`, `PageUp`, `PageDown`, `Escape`, `IntlBackslash`
|
||||
|
||||
|
||||
## Telemetry
|
||||
|
||||
(!docs/pages/includes/teleport-connect-telemetry.mdx!)
|
||||
|
|
|
@ -874,7 +874,6 @@ tmpfs 1982720 0 1982720 0% /sys/firmware
|
|||
root@ubuntu:/# exit
|
||||
exit
|
||||
|
||||
|
||||
end of session playback
|
||||
```
|
||||
|
||||
|
|
|
@ -53,7 +53,6 @@ Teleport and want to set up Teleport for a specific scenario.
|
|||
- Setup steps
|
||||
- Next steps
|
||||
|
||||
|
||||
### Getting started articles
|
||||
|
||||
**Getting started guides** are designed to get a user up and running in the
|
||||
|
@ -96,7 +95,6 @@ Specific kinds of architecture guides include:
|
|||
2. **Security**: Lists security protocols and primitives. SecOps will look for an attack vector tree diagram.
|
||||
3. **Deployment**: Should include a deployment diagram which in turn explains components and how they interact with databases and each other.
|
||||
|
||||
|
||||
### Conceptual guides
|
||||
|
||||
**Conceptual guides** are a continuations of our architectural guides and distinct from how-to guides. They explain a concept that is relevant for understanding Teleport. Some overlap will be likely between conceptual guides and architecture guides.
|
||||
|
|
|
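Review bot: `**Conceptual guides** are a continuations of our architectural guides` mixes singular and plural; change to `are a continuation of` (or `are continuations of`). This is an existing typo in the context lines, but the paragraph is in the diff so it can be fixed here.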
@ -13,7 +13,6 @@ description: How to configure Teleport Database Access with AWS Keyspaces (Apach
|
|||
Database Access for AWS Keyspaces (Apache Cassandra) is available starting from Teleport `v11.0`.
|
||||
</Details>
|
||||
|
||||
|
||||
This guide will help you to:
|
||||
|
||||
- Install and configure Teleport.
|
||||
|
@ -109,7 +108,6 @@ You can choose `AmazonKeyspacesReadOnlyAccess` for read-only access to AWS Keysp
|
|||
Enter a role name and press "Create role".
|
||||
![Create Role Step 1](../../../img/database-access/guides/keyspaces/create-role-step3.png)
|
||||
|
||||
|
||||
## Step 4/5. Give Teleport permissions to assume roles
|
||||
|
||||
Next, attach the following policy to the IAM role or IAM user the Teleport
|
||||
|
@ -134,7 +132,6 @@ assume the IAM roles:
|
|||
ARNs in the "Resource" field instead of using a wildcard.
|
||||
</Admonition>
|
||||
|
||||
|
||||
## Step 5/5. Connect
|
||||
|
||||
Once the Database Service has joined the cluster, log in to see the available
|
||||
|
|
|
@ -13,7 +13,6 @@ description: How to configure Teleport Database Access with Cassandra and Scylla
|
|||
Database access for Cassandra & ScyllaDB is available starting from Teleport `v11.0`.
|
||||
</Details>
|
||||
|
||||
|
||||
This guide will help you to:
|
||||
|
||||
- Install and configure Teleport.
|
||||
|
@ -93,7 +92,6 @@ $ teleport db start \
|
|||
|
||||
(!docs/pages/includes/database-access/create-user.mdx!)
|
||||
|
||||
|
||||
## Step 3/5. Set up mutual TLS
|
||||
|
||||
(!docs/pages/includes/database-access/tctl-auth-sign.mdx!)
|
||||
|
@ -168,8 +166,6 @@ Follow the instructions for your database to enable TLS communication with your
|
|||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
|
||||
|
||||
## Step 5/5. Connect
|
||||
|
||||
Once the Database Service has joined the cluster, log in to see the available
|
||||
|
@ -217,7 +213,6 @@ $ tsh db logout example
|
|||
$ tsh db logout
|
||||
```
|
||||
|
||||
|
||||
## Next steps
|
||||
|
||||
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
|
||||
|
|
|
@ -43,7 +43,6 @@ Install Teleport on the host where you will run the Teleport Database Service:
|
|||
|
||||
(!docs/pages/includes/install-linux.mdx!)
|
||||
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Self-Hosted" scope={["enterprise","oss"]}>
|
||||
Start the Teleport Database Service, pointing the `--auth-server` flag to the address of your Teleport Proxy Service:
|
||||
|
@ -82,7 +81,6 @@ $ teleport db start \
|
|||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
|
||||
<Admonition type="tip">
|
||||
You can start the Database Service using a configuration file instead of CLI flags.
|
||||
See [YAML reference](../reference/configuration.mdx).
|
||||
|
|
|
@ -58,7 +58,6 @@ spec:
|
|||
uri: "localhost:5432"
|
||||
```
|
||||
|
||||
|
||||
The user creating the dynamic registration needs to have a role with access to the
|
||||
database labels and the `db` resource. In this example role the user can only
|
||||
create and maintain database services labeled `env: prod` and `engine: postgres`.
|
||||
|
|
|
@ -10,7 +10,6 @@ In this guide you will:
|
|||
2. Configure mutual TLS authentication between Teleport and your MongoDB cluster.
|
||||
3. Connect to your MongoDB instance via Teleport.
|
||||
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
![Teleport Database Access MongoDB Self-Hosted](../../../img/database-access/guides/mongodb_selfhosted.png)
|
||||
</ScopedBlock>
|
||||
|
|
|
@ -231,7 +231,6 @@ $ teleport db configure create \
|
|||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
|
||||
## Step 4/4. Connect
|
||||
|
||||
Once the Database Service has joined the cluster, log in to see the available
|
||||
|
|
|
@ -31,7 +31,6 @@ This guide will help you to:
|
|||
|
||||
(!docs/pages/includes/database-access/create-user.mdx!)
|
||||
|
||||
|
||||
## Step 2/7. Set up the Teleport Database Service
|
||||
|
||||
(!docs/pages/includes/database-access/token.mdx!)
|
||||
|
@ -65,7 +64,6 @@ $ teleport db configure create \
|
|||
|
||||
(!docs/pages/includes/start-teleport.mdx service="the Database Service"!)
|
||||
|
||||
|
||||
## Step 5/7. Create a certificate/key pair and Teleport Oracle Wallet
|
||||
|
||||
(!docs/pages/includes/database-access/tctl-auth-sign.mdx!)
|
||||
|
@ -158,7 +156,6 @@ $ tsh db logout oracle
|
|||
$ tsh db logout
|
||||
```
|
||||
|
||||
|
||||
## Next steps
|
||||
|
||||
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
|
||||
|
|
|
@ -90,7 +90,6 @@ in Google Cloud documentation for more info.
|
|||
The final part of GCP configuration is to create a service account for the
|
||||
Teleport Database Service.
|
||||
|
||||
|
||||
### Create a service account
|
||||
|
||||
Go to the [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)
|
||||
|
|
|
@ -275,8 +275,6 @@ Provide Active Directory parameters:
|
|||
| `--ad-domain` | Active Directory domain (Kerberos realm) that SQL Server is joined. |
|
||||
| `--ad-spn` | Service Principal Name for SQL Server to fetch Kerberos tickets for. |
|
||||
|
||||
|
||||
|
||||
### Service Principal Name
|
||||
|
||||
You can use `ldapsearch` command to see the SPNs registered for your SQL
|
||||
|
|
|
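Review bot: the `--ad-domain` description in this hunk, `Active Directory domain (Kerberos realm) that SQL Server is joined.`, is missing its preposition; it should read `that SQL Server is joined to`. Minor, but the table row is already in the diff.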
@ -18,7 +18,6 @@ cluster:
|
|||
|
||||
</ScopedBlock>
|
||||
|
||||
|
||||
This guide will show you how to get started with Teleport on DigitalOcean
|
||||
Kubernetes.
|
||||
|
||||
|
@ -42,7 +41,6 @@ While the Kubernetes cluster is being provisioned, follow the "Getting Started"
|
|||
![Set up DigitalOcean Kubernetes client](../../../img/helm/digitalocean/setup-k8s.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
## Step 2/4. Install Teleport
|
||||
|
||||
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
|
||||
|
@ -149,7 +147,6 @@ Copy the link shown after executing the above command and open the link in a web
|
|||
![Set up user](../../../img/helm/digitalocean/setup-user.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
After you complete the registration process by setting up a password and enrolling in two-factor authentication, you will be logged in to Teleport Web UI.
|
||||
|
||||
In this step, we created a user **tadmin** with roles `access, edit`. These are the default roles available in Teleport. However, to allow this user to access the Kubernetes cluster, we will need to assign **tadmin** a role authorized to access the Kubernetes cluster. So first, let's create a role named **member** with the Kubernetes privilege `system:master`.
|
||||
|
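Review bot: correctness problem in the last context line of this hunk: `create a role named **member** with the Kubernetes privilege `system:master`` names a group that does not exist. The built-in cluster-admin group is `system:masters` (plural), which is also the spelling used in the Kubernetes access example elsewhere in this same commit (`Alice can access kubernetes cluster as `system:masters` ...`). A reader who copies `system:master` into `kubernetes_groups` will get a role that grants nothing. Worth fixing here or in an immediate follow-up, and it would be good for the sentence to say plainly that `system:masters` is full cluster admin.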
@ -250,7 +247,6 @@ Teleport keeps an audit log of access to a Kubernetes cluster. In the screenshot
|
|||
![View audit log](../../../img/helm/digitalocean/view-activity.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
## Next steps
|
||||
|
||||
To see all of the options you can set in the values file for the
|
||||
|
|
|
@ -180,7 +180,6 @@ Go back to the "Service Accounts" view in Google Cloud IAM & Admin.
|
|||
![Private key saved](../../../img/helm/gcp/12-privatekey@1.5x.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
#### Create the Kubernetes secret containing the JSON private key for the service account
|
||||
|
||||
Find the path where the JSON private key was just saved (likely your browser's default "Downloads" directory).
|
||||
|
|
|
@ -188,7 +188,6 @@ Started](../try-out-teleport/introduction.mdx) guide.
|
|||
These steps will need to be repeated if Teleport's user certificate authority is rotated.
|
||||
</Admonition>
|
||||
|
||||
|
||||
Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy, assigning <Var name="proxy" /> to the address of your Teleport Proxy Service:
|
||||
|
||||
```code
|
||||
|
@ -378,7 +377,6 @@ to use the newly created template to issue certificates used for Remote Desktop
|
|||
|
||||
In this section, we will create a certificate template that uses elliptic curve P-384 and uses SHA384 as the signature algorithm.
|
||||
|
||||
|
||||
1. Open the Microsoft Management Console (MMC)
|
||||
|
||||
```text
|
||||
|
@ -416,7 +414,6 @@ Right-click on `Server authentication certificate template`, `Edit`, then select
|
|||
![RDP Certificate Template](../../img/desktop-access/rdp-certificate-template.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
### Configure server certificate auto-enrollment
|
||||
|
||||
In the group policy editor for `Teleport Access Policy`, select:
|
||||
|
@ -427,7 +424,6 @@ Computer Configuration > Policies > Windows Settings > Public Key Policies
|
|||
|
||||
Double-click on `Certificate Services Client - Auto-Enrollment`, then select `Enabled` in the `Configuration Model`.
|
||||
|
||||
|
||||
### Ensure your GPO is updated
|
||||
|
||||
If you have not done so already, ensure your GPO is updated by opening a PowerShell prompt and running:
|
||||
|
|
|
@ -54,4 +54,3 @@ description of credential loading behavior.
|
|||
|
||||
</Details>
|
||||
|
||||
|
||||
|
|
|
@ -66,14 +66,12 @@ teleport:
|
|||
# This value can be specified as FQDN e.g. host.example.com
|
||||
advertise_ip: 10.1.0.5
|
||||
|
||||
|
||||
# Teleport provides HTTP endpoints for monitoring purposes. They are
|
||||
# disabled by default but you can enable them using the diagnosis address.
|
||||
# See the Teleport metrics reference:
|
||||
# https://goteleport.com/docs/management/diagnostics/metrics/
|
||||
diag_addr: "127.0.0.1:3000"
|
||||
|
||||
|
||||
# Only use one of auth_server or proxy_server.
|
||||
#
|
||||
# When you have either the application service or database service enabled,
|
||||
|
|
|
@ -53,7 +53,6 @@ Service:
|
|||
```
|
||||
</TabItem>
|
||||
|
||||
|
||||
</Tabs>
|
||||
|
||||
</Details>
|
||||
|
|
|
@ -50,7 +50,6 @@ files in partials, this partial uses relative URL paths instead.
|
|||
- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=cloud.version=).
|
||||
To download these tools, visit the [Downloads](../choose-an-edition/teleport-cloud/downloads.mdx) page.
|
||||
|
||||
|
||||
```code
|
||||
$ tctl version
|
||||
# Teleport Enterprise v(=cloud.version=) go(=teleport.golang=)
|
||||
|
|
|
@ -115,7 +115,6 @@
|
|||
| `teleport_cache_stale_events` | counter | Teleport | Number of stale events received by a Teleport service cache. A high percentage of stale events can indicate a degraded backend. |
|
||||
| `tx` | counter | Teleport | Number of bytes transmitted during an SSH connection. |
|
||||
|
||||
|
||||
## Golang runtime metrics
|
||||
|
||||
| Name | Type | Component | Description |
|
||||
|
|
|
@ -44,7 +44,6 @@ traits correctly. For a user to see a Node in Teleport, the result of populating
|
|||
template variable in a role's `allow.logins` must match at least one of a user's
|
||||
`traits.logins`.
|
||||
|
||||
|
||||
In this example a user will have usernames `ubuntu`, `debian` and usernames from the SSO trait `logins` for Nodes that have a `env: dev` label. If the SSO trait username is `bob` then the usernames would include `ubuntu`, `debian`, and `bob`.
|
||||
|
||||
```yaml
|
||||
|
|
|
@ -101,7 +101,6 @@ chart.
|
|||
|`teleport-cluster`|Auth Service<br/>Proxy Service<br/>Other Teleport services if using a custom configuration|[Reference](reference/helm-reference/teleport-cluster.mdx)
|
||||
|`teleport-kube-agent`|Kubernetes Service<br/>Application Service<br/>Database Service|[Reference](reference/helm-reference/teleport-kube-agent.mdx)|
|
||||
|
||||
|
||||
## macOS
|
||||
|
||||
<Tabs dropdownView dropdownCaption="Teleport Edition">
|
||||
|
@ -187,7 +186,6 @@ Teleport is written in Go, and currently requires **go v(=teleport.golang=)** or
|
|||
newer. Detailed instructions for building from source are available in the
|
||||
[README](https://github.com/gravitational/teleport#building-teleport).
|
||||
|
||||
|
||||
## Checksums
|
||||
|
||||
If you want to verify the integrity of a Teleport binary, SHA256 checksums are
|
||||
|
|
|
@ -181,7 +181,6 @@ associated with Teleport identity.
|
|||
|
||||
</Details>
|
||||
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Local Accounts">
|
||||
In this case, Teleport will use the user credentials generated during the
|
||||
|
@ -207,7 +206,6 @@ associated with Teleport identity.
|
|||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
|
||||
## Step 2/2. Configure Teleport to discover AKS clusters
|
||||
|
||||
Teleport AKS Auto-Discovery requires a valid auth token for the Discovery and
|
||||
|
|
|
@ -29,7 +29,6 @@ to automatically join the cluster on subsequent restarts.
|
|||
|
||||
- (!docs/pages/includes/tctl.mdx!)
|
||||
|
||||
|
||||
## Step 1/3. Create a Kubernetes service account with an IAM identity
|
||||
|
||||
Teleport supports a mode where agents running in AWS can join the cluster using the
|
||||
|
|
|
@ -106,7 +106,6 @@ differences.
|
|||
- The certificates exchanged for the token are
|
||||
renewable, as we will explain in the next section.
|
||||
|
||||
|
||||
### Dynamic join tokens (e.g AWS IAM)
|
||||
|
||||
- These tokens rely on an external authority that allows the bot to prove it is
|
||||
|
|
|
@ -80,7 +80,6 @@ Once complete, create your role to apply to the `tbot` configuration in the next
|
|||
$ tctl create tbotrole.yaml
|
||||
```
|
||||
|
||||
|
||||
## Step 3/5 Create Your `tbot` Configuration
|
||||
|
||||
Before you create a bot user, you need to determine which role(s) you want to
|
||||
|
@ -362,7 +361,6 @@ Your output will resemble the following:
|
|||
x-teleport-role UNKNOWN OPTION (len 8)
|
||||
```
|
||||
|
||||
|
||||
## Step 5/5 Configuring SSHD and connecting to the Teleport Cluster
|
||||
|
||||
In order to ensure that the Machine ID host is able to authorize and authenticate itself to the cluster using `sshd`, `sshd` must now be configured to
|
||||
|
|
|
@ -3,7 +3,6 @@ title: Machine ID Reference
|
|||
description: Configuration and CLI reference for Teleport Machine ID.
|
||||
---
|
||||
|
||||
|
||||
- [Configuration](./reference/configuration.mdx)
|
||||
- [GitHub Actions](./reference/github-actions.mdx)
|
||||
- [GitLab CI](./reference/gitlab.mdx)
|
||||
|
|
|
@ -67,7 +67,6 @@ destinations:
|
|||
# artifacts.
|
||||
path: /opt/machine-id
|
||||
|
||||
|
||||
# Configure symlink attack prevention. Requires Linux 5.6+.
|
||||
# Possible values:
|
||||
# * try-secure (default): Attempt to securely read and write certificates
|
||||
|
|
|
@ -25,7 +25,6 @@ The following constraints exist:
|
|||
- `sub`: a string uniquely identifying the CI run's source. It follows the
|
||||
following format:
|
||||
|
||||
|
||||
```yaml
|
||||
kind: token
|
||||
version: v2
|
||||
|
|
|
@ -153,13 +153,11 @@ To upgrade a host to a newer version of Teleport, you must:
|
|||
|
||||
</Admonition>
|
||||
|
||||
|
||||
## Understanding Teleport daemon command line options for unit file configuration
|
||||
|
||||
The `teleport install systemd` command includes a number of optional flags that you can use to strictly define parameters of the generated unit file and set where that output will be written.
|
||||
The following table includes all command line options available with the `teleport install systemd` command, a brief description of what they do, and their default settings:
|
||||
|
||||
|
||||
| Flag | Description | Default |
|
||||
| --- | ----------- | ---- |
|
||||
| `--fd-limit` | The maximum number of open file descriptors by the service, defined by `LimitNOFILE` in the unit file. | `--fd-limit=8192` |
|
||||
|
|
|
@ -379,7 +379,6 @@ If this doesn't work, delete the directory your Node uses to maintain its state,
|
|||
|
||||
</Details>
|
||||
|
||||
|
||||
## Next steps: Using labels
|
||||
|
||||
Once you have labeled your resources, you can refer to your labels when running
|
||||
|
|
|
@ -14,7 +14,6 @@ to a format that your telemetry backend accepts.
|
|||
In order to enable tracing for a `teleport` instance, add the following section to that instance's configuration file (`/etc/teleport.yaml`).
|
||||
For a detailed description of these configuration fields, see the [configuration reference](./reference/configuration.mdx) page.
|
||||
|
||||
|
||||
```yaml
|
||||
tracing_service:
|
||||
enabled: yes
|
||||
|
|
|
@ -226,7 +226,6 @@ In the **Input Settings** view (above), next to the **Source type** field, click
|
|||
then **_json**. Splunk will index incoming logs as JSON, which is the format the
|
||||
Event Handler uses to send logs to the Universal Forwarder.
|
||||
|
||||
|
||||
In the **Index** section, select the `teleport-audit-logs` index you created
|
||||
earlier. Click **Review** then view the summary and click **Submit**. Copy the
|
||||
**Token Value** field and keep it somewhere safe so you can use it later in this
|
||||
|
@ -253,7 +252,6 @@ $ sudo chown splunk:splunk server.pem
|
|||
|
||||
### Configure the HTTP Event Collector
|
||||
|
||||
|
||||
On your Universal Forwarder host, create a file at
|
||||
`/opt/splunkforwarder/etc/system/local/inputs.conf` with the following content:
|
||||
|
||||
|
|
|
@ -218,7 +218,6 @@ proxy_service:
|
|||
number>-<instance id>`) and will not be allowed to join.
|
||||
</Admonition>
|
||||
|
||||
|
||||
Start Teleport on the Node and confirm that it is able to connect to and join
|
||||
your cluster. You're all set!
|
||||
|
||||
|
|
|
@ -84,7 +84,6 @@ If your `second_factor` configuration is set to `off` and a user creates an acco
|
|||
- Run the `tctl users reset <account>` command to force a user to enter new credentials, including any required MFA device.
|
||||
</Admonition>
|
||||
|
||||
|
||||
## Present an MFA challenge for every attempt to access a resource
|
||||
After a user logs into a Teleport cluster, they can request access to a particular resource, e.g., a node, database, application, or Kubernetes cluster. In this case, the Teleport Auth Service issues a single-use certificate for accessing that resource. You can prevent attackers from doing damage with a compromised certificate by enabling per-session MFA. With this setting, whenever a user requests a one-time certificate to access a resource, the Teleport Auth Service will issue an MFA challenge, even if the user has already begun a Teleport session via `tsh login`.
|
||||
|
||||
|
@ -161,7 +160,6 @@ spec:
|
|||
|
||||
The `spec.allow.request.roles` field lists the names of other roles that a user with the `reviewee` role can request. When a reviewee requests access to one of these roles, Teleport notifies reviewers via your access plugins. The `spec.allow.requests.roles.thresholds` field indicates how many reviews are required to approve or deny the request.
|
||||
|
||||
|
||||
## Automatically prevent some roles from requesting others
|
||||
A malicious Teleport user could request a more privileged role and trick a reviewer into granting access. You can prevent such a scenario by defining roles that prohibit users from even requesting access to particular roles.
|
||||
|
||||
|
@ -193,7 +191,6 @@ Creating request...
ERROR: user "myuser" can not request role "admin"
```


## Restrict role requests based on user traits
Teleport's `role` resource lets you take precautions against accidental privilege escalation by ensuring that any user with particular attributes will have restricted access to certain roles. You can assign a list of `traits` to a user, then define a `role` resource that prevents any user whose traits match a regular expression from requesting elevated privileges.

@ -241,7 +238,6 @@ spec:

The `claims_to_roles` field within an `allow` or `deny` rule maps a user's `traits` to `roles` that they are either permitted or forbidden to request. In this case, we use the `{{regexp.not_match(\"admin\")}}` template function to prevent any user from requesting the `db-writer` role unless they have a `groups` trait with a value like `administrator` or `admins`. Users who *do* have such a trait can request the role with two approvals.


## Set up your RBAC without admin roles
You can design your Teleport RBAC so that there is no all-powerful administrator in the system, or even a `reviewer` role with elevated privileges. This way, you can reduce the blast radius if an attacker successfully impersonates a Teleport user and requests a more privileged role.

@ -56,7 +56,6 @@ The key areas of focus for Teleport cloud in early 2022 are:
| Q2 2022 | Offer more data retention options |
| Q3 2022 | Option to store data in alternate regions around the world |


## Semantic Versioning

Teleport follows [semantic versioning](https://semver.org/) for pre-releases and releases.
@ -9,7 +9,6 @@ There are two components of the audit log:
<Tabs>
<TabItem scope={["enterprise", "oss"]} label="Self-Hosted">


1. **Cluster Events:** Teleport logs events like successful user logins along
with metadata like remote IP address, time, and the session ID.
2. **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and
@ -19,7 +18,6 @@ There are two components of the audit log:
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">


1. **Cluster Events:** Teleport logs events like successful user logins along
with metadata like remote IP address, time, and the session ID.
2. **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and
@ -148,7 +146,6 @@ In addition to logging start and end events, Teleport can also record the entire
For SSH or Kubernetes sessions this captures the entire stream of bytes from the PTY.
For desktop sessions the recording includes the contents of the screen.


<Tabs>
<TabItem scope={["enterprise", "oss"]} label="Self-Hosted">

@ -49,7 +49,6 @@ Add the following to your Teleport configuration file, which is stored in
second_factor: off
```


### Dynamic resource

Obtain your existing `cluster_auth_preference` resource:
@ -122,7 +121,6 @@ $ tctl create -f cap.yaml
</TabItem>
</Tabs>


## Authentication connectors

<Tabs>
@ -446,6 +446,7 @@ Downloaded recorded session are directly playable as a file.
```code
$ tsh play c8e1b2c5-322a-4095-89e3-391edfd2da9b.tar
```

</Admonition>

### tsh recordings export
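Review bot: the header `@ -446,6 +446,7 @@` shows this hunk adding a line, whereas every other hunk in the change set removes one; the visible context is the closing code fence of the `tsh play` example followed by `</Admonition>`, so the added line is presumably the blank line MDX needs between a fenced block and a closing JSX tag. Worth a mention in the commit message, since "purge extra newlines" suggests deletions only.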
@ -1389,7 +1390,6 @@ DEBU [TSH] Self re-exec command: tsh [status --format=json]. tsh/aliases.g
...
```


## tctl

`tctl` is a CLI tool that allows a cluster administrator to manage all resources
@ -1489,8 +1489,6 @@ which could result in the error,
</TabItem>
</Tabs>



**Example**

```code
@ -2017,7 +2015,6 @@ The test process is safe from side effects in that:
```
</Admonition>


#### Arguments

- `[<filename>]` Connector resource definition file. Optional. Empty for stdin.
@ -2198,7 +2195,6 @@ The following flags are specific to Google Workspace:
| `--google-legacy` | Flag to select groups with direct membership filtered by domain (legacy behavior). <br/>Disabled by default. [More info](https://goteleport.com/docs/enterprise/sso/google-workspace/#how-teleport-uses-google-workspace-apis) |
| `--google-id` | Shorthand for setting the `--id` flag to `<GOOGLE_WORKSPACE_CLIENT_ID>.apps.googleusercontent.com` |


#### Global flags

These flags are available for all commands: `--debug, --config`. Run
@ -2241,7 +2237,6 @@ $ tctl sso configure oidc --preset google -r groups,mygroup@mydomain.example.com
$ tctl sso configure oidc ... | tctl sso test
```


### tctl sso configure saml

Configure the SAML auth connector, optionally using a preset.
@ -2282,7 +2277,6 @@ Mandatory flags: `--name`, `--attributes-to-roles`, `--entity-descriptor`. These
| `--provider` | | Sets the external identity provider type, enabling workarounds. Examples: ping, adfs. |
| `--ignore-missing-roles` | | Ignore missing roles referenced in `--attributes-to-roles`. |


Supported presets:

| Name | Description | Display |
@ -2292,7 +2286,6 @@ Supported presets:
| `ad` | Azure Active Directory | Microsoft |
| `adfs` | Active Directory Federation Services | ADFS |


#### Global flags

These flags are available for all commands: `--debug, --config`. Run
@ -2535,7 +2528,6 @@ $ tctl edit role/sre
$ TELEPORT_EDITOR=nano tctl edit user/alice
```


### tctl status

Report cluster status:
@ -2598,7 +2590,6 @@ $ tctl alerts create \

Register a device.


```code
$ tctl devices add --os=OS --asset-tag=SERIAL_NUMBER
```
@ -2656,7 +2647,6 @@ tsh device enroll --token=(=devicetrust.enroll_token=)

List registered devices.


```code
$ tctl devices ls
```
@ -2878,7 +2868,6 @@ $ tbot init \
--reader-user=jenkins
```


### tbot db

Connects to databases using native clients and queries database information. This is best used for testing and validation purposes;
@ -2986,7 +2975,6 @@ Note that this decreases security:
Refer to the [database guide](../machine-id/guides/databases.mdx) for more information on
using database proxies.


#### Flags

| Flag | Description |
@ -346,7 +346,6 @@ For possible values, [see the Teleport Configuration Reference](../../reference/
</TabItem>
</Tabs>


## `separatePostgresListener`

| Type | Default value | Required? | `teleport.yaml` equivalent |
@ -528,7 +527,6 @@ else [`clusterName`](#clusterName) is used. Default port is 3036.
</TabItem>
</Tabs>


## `postgresPublicAddr`

| Type | Default value | Required? | `teleport.yaml` equivalent |
@ -1877,7 +1875,6 @@ A list of extra environment variables to be set on the main Teleport container.
</TabItem>
</Tabs>


## `extraVolumes`

| Type | Default value |
@ -1345,7 +1345,6 @@ Ensures that this number of replicas is available during voluntary disruptions,
|----------|---------------|
| `string` | `nil` |


`clusterRoleBindingName` can be optionally used to override the name of the Kubernetes `ClusterRoleBinding` used by the `teleport-kube-agent` chart's `ServiceAccount`.

<Tabs>
@ -1775,7 +1774,6 @@ the Teleport pod.
</TabItem>
</Tabs>


## `extraLabels.roleBinding`

| Type | Default value |
@ -45,7 +45,6 @@ following use cases:
</TabItem>
</Tabs>


## HTTP CONNECT proxies

Some networks funnel all connections through a proxy server where they can be
@ -35,7 +35,6 @@ The language also supports the following functions:
| `equals(<field>, <field2>)` | checks if the value from `<field2>` is equal to the value from `<field>` |
| `equals(<field>, "<value>")` | checks if `<value>` is equal to the value from `<field>` |


## Resource filtering

Both the [`tsh`](cli.mdx#tsh) and [`tctl`](cli.mdx#tctl) CLI tools allow you to filter nodes,
@ -68,5 +67,4 @@ The language also supports the following functions:
| `!exists(labels["env"])` | resources without a label key `env`; label value unchecked |
| `search("foo", "bar", "some phrase")` | fuzzy match against common resource fields |


See some [examples](cli.mdx#filter-examples) of the different ways you can filter resources.
@ -19,7 +19,6 @@ Supported resources:
- [teleport_trusted_cluster](#teleport_trusted_cluster)
- [teleport_user](#teleport_user)


## Provider configuration

Add the following configuration section to your `terraform` configuration block:
@ -37,7 +36,6 @@ terraform {

The provider supports the following options:


| Name | Type | Description | Environment Variable |
| ---------------------- | ------ | ------------------------------------------------------------------------------ | ---------------------------------- |
| `addr` | string | Teleport auth or proxy address in "host:port" format. | `TF_TELEPORT_ADDR` |
@ -55,7 +53,6 @@ The provider supports the following options:
| `retry_cap_duration` | string | Max duration between retries. [Format](https://pkg.go.dev/time#ParseDuration) | `TF_TELEPORT_RETRY_CAP_DURATION` |
| `retry_max_tries` | string | Max number of retries. | `TF_TELEPORT_RETRY_MAX_TRIES` |


You need to specify at least one of:

- `cert_path`, `key_path`,`root_ca_path` and `addr` to connect using key files.
@ -87,7 +84,6 @@ provider "teleport" {
| sub_kind | string | | SubKind is an optional resource subkind. |
| version | string | | Version is the resource version. |


### metadata

Metadata is the app resource metadata.
@ -100,7 +96,6 @@ Metadata is the app resource metadata.
| name | string | * | Name is an object name |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |


### spec

Spec is the app resource spec.
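Review bot: the `namespace` row still carries the sentence "The field should be called "namespace" when it returns in Teleport 2.4.", which is an internal note about a long-past release rather than a description of the field, and the same sentence recurs in the `metadata` tables of the other resources further down this file. If these tables are generated from the resource comments, the wording should be fixed at the source so the reference reads "Namespace is object namespace." only.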
@ -115,7 +110,6 @@ Spec is the app resource spec.
| rewrite | object | | Rewrite is a list of rewriting rules to apply to requests and responses. |
| uri | string | | URI is the web app endpoint. |


#### spec.aws

AWS contains additional options for AWS applications.
@ -124,7 +118,6 @@ AWS contains additional options for AWS applications.
|-------------|--------|----------|-------------------------------------------------------------------------|
| external_id | string | | ExternalID is the AWS External ID used when assuming roles in this app. |


#### spec.dynamic_labels

DynamicLabels are the app's command labels.
@ -135,7 +128,6 @@ DynamicLabels are the app's command labels.
| period | duration | | Period is a time between command runs |
| result | string | | Result captures standard output |


#### spec.rewrite

Rewrite is a list of rewriting rules to apply to requests and responses.
@ -145,7 +137,6 @@ Rewrite is a list of rewriting rules to apply to requests and responses.
| headers | object | | Headers is a list of headers to inject when passing the request over to the application. |
| redirect | array of strings | | Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header. |


##### spec.rewrite.headers

Headers is a list of headers to inject when passing the request over to the application.
@ -155,7 +146,6 @@ Headers is a list of headers to inject when passing the request over to the appl
| name | string | | Name is the http header name. |
| value | string | | Value is the http header value. |


Example:

```
@ -185,7 +175,6 @@ resource "teleport_app" "example" {
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
| version | string | | Version is a resource version |


### metadata

Metadata is resource metadata
@ -197,7 +186,6 @@ Metadata is resource metadata
| labels | map of strings | | Labels is a set of labels |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |


### spec

Spec is an AuthPreference specification
@ -218,7 +206,6 @@ Spec is an AuthPreference specification
| u2f | object | | U2F are the settings for the U2F device. |
| webauthn | object | | Webauthn are the settings for server-side Web Authentication support. |


#### spec.device_trust

DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.
@ -227,7 +214,6 @@ DeviceTrust holds settings related to trusted device verification. Requires Tele
|------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| mode | string | | Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise. |


#### spec.idp

IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
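Review bot: the `mode` row of the `spec.device_trust` table runs the three modes ("off", "optional", "required") together in one sentence separated by " - ", which is hard to scan for the setting that decides whether device authorization is enforced at all; the `--google-legacy` row earlier in this change set uses `<br/>` inside a table cell, so the same device would put each mode on its own line. The closing statement that Mode is always "off" for OSS and defaults to "optional" for Enterprise is what most readers need first and deserves its own line too.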
@ -236,7 +222,6 @@ IDP is a set of options related to accessing IdPs within Teleport. Requires Tele
|------|--------|----------|----------------------------------------------------|
| saml | object | | SAML are options related to the Teleport SAML IdP. |


##### spec.idp.saml

SAML are options related to the Teleport SAML IdP.
@ -245,7 +230,6 @@ SAML are options related to the Teleport SAML IdP.
|---------|------|----------|-------------|
| enabled | bool | | |


#### spec.u2f

U2F are the settings for the U2F device.
@ -256,7 +240,6 @@ U2F are the settings for the U2F device.
| device_attestation_cas | array of strings | | DeviceAttestationCAs contains the trusted attestation CAs for U2F devices. |
| facets | array of strings | | Facets returns the facets for universal second factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation. |


#### spec.webauthn

Webauthn are the settings for server-side Web Authentication support.
@ -267,7 +250,6 @@ Webauthn are the settings for server-side Web Authentication support.
| attestation_denied_cas | array of strings | | Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied. |
| rp_id | string | | RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register. |


Example:

```
@ -301,7 +283,6 @@ resource "teleport_auth_preference" "example" {
| traits | map of string arrays | | |
| user_name | string | | The name of the generated bot user |


Example:

```
@ -352,7 +333,6 @@ resource "teleport_bot" "example" {
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
| version | string | | Version is a resource version |


### metadata

Metadata is resource metadata
@ -364,7 +344,6 @@ Metadata is resource metadata
| labels | map of strings | | Labels is a set of labels |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |


### spec

Spec is a ClusterNetworkingConfig specification
@ -382,7 +361,6 @@ Spec is a ClusterNetworkingConfig specification
| tunnel_strategy | object | | TunnelStrategyV1 determines the tunnel strategy used in the cluster. |
| web_idle_timeout | duration | | WebIdleTimeout sets global cluster default setting for the web UI idle timeouts. |


#### spec.tunnel_strategy

TunnelStrategyV1 determines the tunnel strategy used in the cluster.
@ -392,25 +370,18 @@ TunnelStrategyV1 determines the tunnel strategy used in the cluster.
| agent_mesh | object | | |
| proxy_peering | object | | |


##### spec.tunnel_strategy.agent_mesh



| Name | Type | Required | Description |
|--------|------|----------|---------------------------------------------------------------|
| active | bool | | Automatically generated field preventing empty message errors |


##### spec.tunnel_strategy.proxy_peering



| Name | Type | Required | Description |
|------------------------|--------|----------|-------------|
| agent_connection_count | number | | |


Example:

```
@ -440,7 +411,6 @@ resource "teleport_cluster_networking_config" "example" {
| sub_kind | string | | SubKind is an optional resource subkind. |
| version | string | | Version is the resource version. |


### metadata

Metadata is the database metadata.
@ -453,7 +423,6 @@ Metadata is the database metadata.
| name | string | * | Name is an object name |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |


### spec

Spec is the database spec.
@ -471,7 +440,6 @@ Spec is the database spec.
| tls | object | | TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name. |
| uri | string | * | URI is the database connection endpoint. |


#### spec.ad

AD is the Active Directory configuration for the database.
@ -485,7 +453,6 @@ AD is the Active Directory configuration for the database.
| ldap_cert | string | | LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication. |
| spn | string | | SPN is the service principal name for the database. |


#### spec.aws

AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
@ -503,7 +470,6 @@ AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
| region | string | | Region is a AWS cloud region. |
| secret_store | object | | SecretStore contains secret store configurations. |


##### spec.aws.elasticache

ElastiCache contains AWS ElastiCache Redis specific metadata.
@ -515,7 +481,6 @@ ElastiCache contains AWS ElastiCache Redis specific metadata.
| transit_encryption_enabled | bool | | TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled. |
| user_group_ids | array of strings | | UserGroupIDs is a list of user group IDs. |


##### spec.aws.memorydb

MemoryDB contains AWS MemoryDB specific metadata.
@ -527,7 +492,6 @@ MemoryDB contains AWS MemoryDB specific metadata.
| endpoint_type | string | | EndpointType is the type of the endpoint. |
| tls_enabled | bool | | TLSEnabled indicates whether in-transit encryption (TLS) is enabled. |


##### spec.aws.rds

RDS contains RDS specific metadata.
@ -539,7 +503,6 @@ RDS contains RDS specific metadata.
| instance_id | string | | InstanceID is the RDS instance identifier. |
| resource_id | string | | ResourceID is the RDS instance resource identifier (db-xxx). |


##### spec.aws.rdsproxy

RDSProxy contains AWS Proxy specific metadata.
@ -550,7 +513,6 @@ RDSProxy contains AWS Proxy specific metadata.
| name | string | | Name is the identifier of an RDS Proxy. |
| resource_id | string | | ResourceID is the RDS instance resource identifier (prx-xxx). |


##### spec.aws.redshift

Redshift contains Redshift specific metadata.
@ -559,7 +521,6 @@ Redshift contains Redshift specific metadata.
|------------|--------|----------|-----------------------------------------------|
| cluster_id | string | | ClusterID is the Redshift cluster identifier. |


##### spec.aws.redshift_serverless

RedshiftServerless contains AWS Redshift Serverless specific metadata.
@ -570,7 +531,6 @@ RedshiftServerless contains AWS Redshift Serverless specific metadata.
| workgroup_id | string | | WorkgroupID is the workgroup ID. |
| workgroup_name | string | | WorkgroupName is the workgroup name. |


##### spec.aws.secret_store

SecretStore contains secret store configurations.
@ -580,7 +540,6 @@ SecretStore contains secret store configurations.
| key_prefix | string | | KeyPrefix specifies the secret key prefix. |
| kms_key_id | string | | KMSKeyID specifies the AWS KMS key for encryption. |


#### spec.azure

Azure contains Azure specific database metadata.
@ -592,7 +551,6 @@ Azure contains Azure specific database metadata.
| redis | object | | Redis contains Azure Cache for Redis specific database metadata. |
| resource_id | string | | ResourceID is the Azure fully qualified ID for the resource. |


##### spec.azure.redis

Redis contains Azure Cache for Redis specific database metadata.
@ -601,7 +559,6 @@ Redis contains Azure Cache for Redis specific database metadata.
|-------------------|--------|----------|-----------------------------------------------------------------|
| clustering_policy | string | | ClusteringPolicy is the clustering policy for Redis Enterprise. |


#### spec.dynamic_labels

DynamicLabels is the database dynamic labels.
@ -612,7 +569,6 @@ DynamicLabels is the database dynamic labels.
| period | duration | | Period is a time between command runs |
| result | string | | Result captures standard output |


#### spec.gcp

GCP contains parameters specific to GCP Cloud SQL databases.
@ -622,7 +578,6 @@ GCP contains parameters specific to GCP Cloud SQL databases.
| instance_id | string | | InstanceID is the Cloud SQL instance ID. |
| project_id | string | | ProjectID is the GCP project ID the Cloud SQL instance resides in. |


#### spec.mysql

MySQL is an additional section with MySQL database options.
@ -631,7 +586,6 @@ MySQL is an additional section with MySQL database options.
|----------------|--------|----------|-------------------------------------------------------------------------------------------------------|
| server_version | string | | ServerVersion is the server version reported by DB proxy if the runtime information is not available. |


#### spec.tls

TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name.
@ -642,7 +596,6 @@ TLS is the TLS configuration used when establishing connection to target databas
| mode | number | | Mode is a TLS connection mode. See DatabaseTLSMode for details. |
| server_name | string | | ServerName allows to provide custom hostname. This value will override the servername/hostname on a certificate during validation. |


Example:

```
@ -673,7 +626,6 @@ resource "teleport_database" "example" {
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
| version | string | | Version is a resource version. |


### metadata

Metadata holds resource metadata.
@ -686,7 +638,6 @@ Metadata holds resource metadata.
| name | string | * | Name is an object name |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |


### spec

Spec is an Github connector specification.
@ -701,7 +652,6 @@ Spec is an Github connector specification.
| teams_to_logins | object | | TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead. |
| teams_to_roles | object | | TeamsToRoles maps Github team memberships onto allowed roles. |


#### spec.teams_to_logins

TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead.
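Review bot: the `teams_to_logins` row and the `spec.teams_to_logins` section text both expose the internal removal marker "DELETE IN 11.0.0" in a user-facing reference; the deprecation notice ("Deprecated: use GithubTeamsToRoles instead") is the part a reader needs, and the removal marker belongs in the source comment only. Either strip it in whatever produces this table, or drop the section once the field is gone.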
@ -714,7 +664,6 @@ TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN
| organization | string | | Organization is a Github organization a user belongs to. |
| team | string | | Team is a team within the organization a user belongs to. |


#### spec.teams_to_roles

TeamsToRoles maps Github team memberships onto allowed roles.
@ -725,7 +674,6 @@ TeamsToRoles maps Github team memberships onto allowed roles.
| roles | array of strings | | Roles is a list of allowed logins for this org/team. |
| team | string | | Team is a team within the organization a user belongs to. |


Example:

```
@ -769,7 +717,6 @@ resource "teleport_github_connector" "github" {
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
| version | string | | Version is a resource version. |


### metadata

Metadata holds resource metadata.
@ -782,7 +729,6 @@ Metadata holds resource metadata.
| name | string | * | Name is an object name |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |


### spec

Spec is an OIDC connector specification.
@ -805,7 +751,6 @@ Spec is an OIDC connector specification.
| scope | array of strings | | Scope specifies additional scopes set by provider. |
| username_claim | string | | UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username. |


#### spec.claims_to_roles

ClaimsToRoles specifies a dynamic mapping from claims to roles.
@ -816,7 +761,6 @@ ClaimsToRoles specifies a dynamic mapping from claims to roles.
| roles | array of strings | | Roles is a list of static teleport roles to match. |
| value | string | | Value is a claim value to match. |


Example:

```
@ -859,7 +803,6 @@ resource "teleport_oidc_connector" "example" {
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
| version | string | | Version is version |


### metadata

Metadata is resource metadata
@ -872,7 +815,6 @@ Metadata is resource metadata
| name | string | | Name is an object name |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |


### spec

Spec is a provisioning token V2 spec
@ -891,7 +833,6 @@ Spec is a provisioning token V2 spec
| suggested_agent_matcher_labels | map of string arrays | | |
| suggested_labels | map of string arrays | | |


#### spec.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
@ -903,7 +844,6 @@ Allow is a list of TokenRules, nodes using this token must match one allow rule
| aws_regions | array of strings | | AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from. |
| aws_role | string | | AWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API. |


#### spec.azure

Azure allows the configuration of options specific to the "azure" join method.
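Review bot: the `aws_role` row reads "is the the ARN of the AWS role"; drop the duplicated "the", at the source if this table is generated from the resource comments.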
@ -912,7 +852,6 @@ Azure allows the configuration of options specific to the "azure" join method.
|-------|--------|----------|-----------------------------------------------------------------------------------------------|
| allow | object | | Allow is a list of Rules, nodes using this token must match one allow rule to use this token. |


##### spec.azure.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
@ -922,7 +861,6 @@ Allow is a list of Rules, nodes using this token must match one allow rule to us
| resource_groups | array of strings | | ResourceGroups is a list of Azure resource groups the node is allowed to join from. |
| subscription | string | | Subscription is the Azure subscription. |


#### spec.circleci

CircleCI allows the configuration of options specific to the "circleci" join method.
@ -932,7 +870,6 @@ CircleCI allows the configuration of options specific to the "circleci" join met
| allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. |
| organization_id | string | | |


##### spec.circleci.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
@ -942,7 +879,6 @@ Allow is a list of TokenRules, nodes using this token must match one allow rule
|
|||
| context_id | string | | |
|
||||
| project_id | string | | |
|
||||
|
||||
|
||||
#### spec.github
|
||||
|
||||
GitHub allows the configuration of options specific to the "github" join method.
|
||||
|
@ -952,7 +888,6 @@ GitHub allows the configuration of options specific to the "github" join method.
|
|||
| allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. |
|
||||
| enterprise_server_host | string | | EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Server. |
|
||||
|
||||
|
||||
##### spec.github.allow
|
||||
|
||||
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
|
||||
|
@ -968,7 +903,6 @@ Allow is a list of TokenRules, nodes using this token must match one allow rule
|
|||
| sub | string | | Sub also known as Subject is a string that roughly uniquely indentifies the workload. The format of this varies depending on the type of github action run. |
|
||||
| workflow | string | | The name of the workflow. |
|
||||
|
||||
|
||||
#### spec.kubernetes
|
||||
|
||||
Kubernetes allows the configuration of options specific to the "kubernetes" join method.
|
||||
|
@ -977,7 +911,6 @@ Kubernetes allows the configuration of options specific to the "kubernetes" join
|
|||
|-------|--------|----------|-----------------------------------------------------------------------------------------------|
|
||||
| allow | object | | Allow is a list of Rules, nodes using this token must match one allow rule to use this token. |
|
||||
|
||||
|
||||
##### spec.kubernetes.allow
|
||||
|
||||
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
|
||||
|
@ -986,7 +919,6 @@ Allow is a list of Rules, nodes using this token must match one allow rule to us
|
|||
|-----------------|--------|----------|-----------------------------------------------------------------------------------------------------------------------------|
|
||||
| service_account | string | | ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account". |
|
||||
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
|
@ -1019,7 +951,6 @@ resource "teleport_provision_token" "example" {
|
|||
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
|
||||
| version | string | | Version is version |
|
||||
|
||||
|
||||
### metadata
|
||||
|
||||
Metadata is resource metadata
|
||||
|
@ -1032,7 +963,6 @@ Metadata is resource metadata
|
|||
| name | string | * | Name is an object name |
|
||||
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
|
||||
|
||||
|
||||
### spec
|
||||
|
||||
Spec is a role specification
|
||||
|
@ -1043,7 +973,6 @@ Spec is a role specification
|
|||
| deny | object | | Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. |
|
||||
| options | object | | Options is for OpenSSH options like agent forwarding. |
|
||||
|
||||
|
||||
#### spec.allow
|
||||
|
||||
Allow is the set of conditions evaluated to grant access.
|
||||
|
@ -1076,7 +1005,6 @@ Allow is the set of conditions evaluated to grant access.
|
|||
| windows_desktop_labels | map of string arrays | | |
|
||||
| windows_desktop_logins | array of strings | | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
|
||||
|
||||
|
||||
##### spec.allow.impersonate
|
||||
|
||||
Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
|
||||
|
@ -1087,7 +1015,6 @@ Impersonate specifies what users and roles this role is allowed to impersonate b
|
|||
| users | array of strings | | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern |
|
||||
| where | string | | Where specifies optional advanced matcher |
|
||||
|
||||
|
||||
##### spec.allow.join_sessions
|
||||
|
||||
JoinSessions specifies policies to allow users to join other sessions.
|
||||
|
@ -1099,7 +1026,6 @@ JoinSessions specifies policies to allow users to join other sessions.
|
|||
| name | string | | Name is the name of the policy. |
|
||||
| roles | array of strings | | Roles is a list of roles that you can join the session of. |
|
||||
|
||||
|
||||
##### spec.allow.kubernetes_resources
|
||||
|
||||
KubernetesResources is the Kubernetes Resources this Role grants access to.
|
||||
|
@ -1110,11 +1036,8 @@ KubernetesResources is the Kubernetes Resources this Role grants access to.
|
|||
| name | string | | Name is the resource name. It supports wildcards. |
|
||||
| namespace | string | | Namespace is the resource namespace. It supports wildcards. |
|
||||
|
||||
|
||||
##### spec.allow.request
|
||||
|
||||
|
||||
|
||||
| Name | Type | Required | Description |
|
||||
|---------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| annotations | map of string arrays | | |
|
||||
|
@ -1124,7 +1047,6 @@ KubernetesResources is the Kubernetes Resources this Role grants access to.
|
|||
| suggested_reviewers | array of strings | | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
|
||||
| thresholds | object | | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
|
||||
|
||||
|
||||
###### spec.allow.request.claims_to_roles
|
||||
|
||||
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
||||
|
@ -1135,7 +1057,6 @@ ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
|||
| roles | array of strings | | Roles is a list of static teleport roles to match. |
|
||||
| value | string | | Value is a claim value to match. |
|
||||
|
||||
|
||||
###### spec.allow.request.thresholds
|
||||
|
||||
Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
|
||||
|
@ -1147,7 +1068,6 @@ Thresholds is a list of thresholds, one of which must be met in order for review
|
|||
| filter | string | | Filter is an optional predicate used to determine which reviews count toward this threshold. |
|
||||
| name | string | | Name is the optional human-readable name of the threshold. |
|
||||
|
||||
|
||||
##### spec.allow.require_session_join
|
||||
|
||||
RequireSessionJoin specifies policies for required users to start a session.
|
||||
|
@ -1161,7 +1081,6 @@ RequireSessionJoin specifies policies for required users to start a session.
|
|||
| name | string | | Name is the name of the policy. |
|
||||
| on_leave | string | | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
|
||||
|
||||
|
||||
##### spec.allow.review_requests
|
||||
|
||||
ReviewRequests defines conditions for submitting access reviews.
|
||||
|
@ -1173,7 +1092,6 @@ ReviewRequests defines conditions for submitting access reviews.
|
|||
| roles | array of strings | | Roles is the name of roles which may be reviewed. |
|
||||
| where | string | | Where is an optional predicate which further limits which requests are reviewable. |
|
||||
|
||||
|
||||
###### spec.allow.review_requests.claims_to_roles
|
||||
|
||||
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
||||
|
@ -1184,7 +1102,6 @@ ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
|||
| roles | array of strings | | Roles is a list of static teleport roles to match. |
|
||||
| value | string | | Value is a claim value to match. |
|
||||
|
||||
|
||||
##### spec.allow.rules
|
||||
|
||||
Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
|
||||
|
@ -1196,7 +1113,6 @@ Rules is a list of rules and their access levels. Rules are a high level constru
|
|||
| verbs | array of strings | | Verbs is a list of verbs |
|
||||
| where | string | | Where specifies optional advanced matcher |
|
||||
|
||||
|
||||
#### spec.deny
|
||||
|
||||
Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.
|
||||
|
@ -1229,7 +1145,6 @@ Deny is the set of conditions evaluated to deny access. Deny takes priority over
|
|||
| windows_desktop_labels | map of string arrays | | |
|
||||
| windows_desktop_logins | array of strings | | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
|
||||
|
||||
|
||||
##### spec.deny.impersonate
|
||||
|
||||
Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
|
||||
|
@ -1240,7 +1155,6 @@ Impersonate specifies what users and roles this role is allowed to impersonate b
|
|||
| users | array of strings | | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern |
|
||||
| where | string | | Where specifies optional advanced matcher |
|
||||
|
||||
|
||||
##### spec.deny.join_sessions
|
||||
|
||||
JoinSessions specifies policies to allow users to join other sessions.
|
||||
|
@ -1252,7 +1166,6 @@ JoinSessions specifies policies to allow users to join other sessions.
|
|||
| name | string | | Name is the name of the policy. |
|
||||
| roles | array of strings | | Roles is a list of roles that you can join the session of. |
|
||||
|
||||
|
||||
##### spec.deny.kubernetes_resources
|
||||
|
||||
KubernetesResources is the Kubernetes Resources this Role grants access to.
|
||||
|
@ -1263,11 +1176,8 @@ KubernetesResources is the Kubernetes Resources this Role grants access to.
|
|||
| name | string | | Name is the resource name. It supports wildcards. |
|
||||
| namespace | string | | Namespace is the resource namespace. It supports wildcards. |
|
||||
|
||||
|
||||
##### spec.deny.request
|
||||
|
||||
|
||||
|
||||
| Name | Type | Required | Description |
|
||||
|---------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| annotations | map of string arrays | | |
|
||||
|
@ -1277,7 +1187,6 @@ KubernetesResources is the Kubernetes Resources this Role grants access to.
|
|||
| suggested_reviewers | array of strings | | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
|
||||
| thresholds | object | | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
|
||||
|
||||
|
||||
###### spec.deny.request.claims_to_roles
|
||||
|
||||
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
||||
|
@ -1288,7 +1197,6 @@ ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
|||
| roles | array of strings | | Roles is a list of static teleport roles to match. |
|
||||
| value | string | | Value is a claim value to match. |
|
||||
|
||||
|
||||
###### spec.deny.request.thresholds
|
||||
|
||||
Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
|
||||
|
@ -1300,7 +1208,6 @@ Thresholds is a list of thresholds, one of which must be met in order for review
|
|||
| filter | string | | Filter is an optional predicate used to determine which reviews count toward this threshold. |
|
||||
| name | string | | Name is the optional human-readable name of the threshold. |
|
||||
|
||||
|
||||
##### spec.deny.require_session_join
|
||||
|
||||
RequireSessionJoin specifies policies for required users to start a session.
|
||||
|
@ -1314,7 +1221,6 @@ RequireSessionJoin specifies policies for required users to start a session.
|
|||
| name | string | | Name is the name of the policy. |
|
||||
| on_leave | string | | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
|
||||
|
||||
|
||||
##### spec.deny.review_requests
|
||||
|
||||
ReviewRequests defines conditions for submitting access reviews.
|
||||
|
@ -1326,7 +1232,6 @@ ReviewRequests defines conditions for submitting access reviews.
|
|||
| roles | array of strings | | Roles is the name of roles which may be reviewed. |
|
||||
| where | string | | Where is an optional predicate which further limits which requests are reviewable. |
|
||||
|
||||
|
||||
###### spec.deny.review_requests.claims_to_roles
|
||||
|
||||
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
||||
|
@ -1337,7 +1242,6 @@ ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
|
|||
| roles | array of strings | | Roles is a list of static teleport roles to match. |
|
||||
| value | string | | Value is a claim value to match. |
|
||||
|
||||
|
||||
##### spec.deny.rules
|
||||
|
||||
Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
|
||||
|
@ -1349,7 +1253,6 @@ Rules is a list of rules and their access levels. Rules are a high level constru
|
|||
| verbs | array of strings | | Verbs is a list of verbs |
|
||||
| where | string | | Where specifies optional advanced matcher |
|
||||
|
||||
|
||||
#### spec.options
|
||||
|
||||
Options is for OpenSSH options like agent forwarding.
|
||||
|
@ -1381,7 +1284,6 @@ Options is for OpenSSH options like agent forwarding.
|
|||
| require_mfa_type | number | | RequireMFAType is the type of MFA requirement enforced for this user. |
|
||||
| ssh_file_copy | bool | | |
|
||||
|
||||
|
||||
##### spec.options.cert_extensions
|
||||
|
||||
CertExtensions specifies the key/values
|
||||
|
@ -1393,7 +1295,6 @@ CertExtensions specifies the key/values
|
|||
| type | number | | Type represents the certificate type being extended, only ssh is supported at this time. |
|
||||
| value | string | | Value specifies the valueg to be used in the cert extension. |
|
||||
|
||||
|
||||
##### spec.options.idp
|
||||
|
||||
IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
|
||||
|
@ -1402,7 +1303,6 @@ IDP is a set of options related to accessing IdPs within Teleport. Requires Tele
|
|||
|------|--------|----------|----------------------------------------------------|
|
||||
| saml | object | | SAML are options related to the Teleport SAML IdP. |
|
||||
|
||||
|
||||
###### spec.options.idp.saml
|
||||
|
||||
SAML are options related to the Teleport SAML IdP.
|
||||
|
@ -1411,7 +1311,6 @@ SAML are options related to the Teleport SAML IdP.
|
|||
|---------|------|----------|-------------|
|
||||
| enabled | bool | | |
|
||||
|
||||
|
||||
##### spec.options.record_session
|
||||
|
||||
RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
|
||||
|
@ -1422,7 +1321,6 @@ RecordDesktopSession indicates whether desktop access sessions should be recorde
|
|||
| desktop | bool | | |
|
||||
| ssh | string | | SSH indicates the session mode used on SSH sessions. |
|
||||
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
|
@ -1487,7 +1385,6 @@ resource "teleport_role" "example" {
|
|||
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
|
||||
| version | string | | Version is a resource version. |
|
||||
|
||||
|
||||
### metadata
|
||||
|
||||
Metadata holds resource metadata.
|
||||
|
@ -1500,7 +1397,6 @@ Metadata holds resource metadata.
|
|||
| name | string | * | Name is an object name |
|
||||
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
|
||||
|
||||
|
||||
### spec
|
||||
|
||||
Spec is an SAML connector specification.
|
||||
|
@ -1522,7 +1418,6 @@ Spec is an SAML connector specification.
|
|||
| signing_key_pair | object | | SigningKeyPair is an x509 key pair used to sign AuthnRequest. |
|
||||
| sso | string | | SSO is the URL of the identity provider's SSO service. |
|
||||
|
||||
|
||||
#### spec.assertion_key_pair
|
||||
|
||||
EncryptionKeyPair is a key pair used for decrypting SAML assertions.
|
||||
|
@ -1532,7 +1427,6 @@ EncryptionKeyPair is a key pair used for decrypting SAML assertions.
|
|||
| cert | string | | Cert is a PEM-encoded x509 certificate. |
|
||||
| private_key | string | | PrivateKey is a PEM encoded x509 private key. |
|
||||
|
||||
|
||||
#### spec.attributes_to_roles
|
||||
|
||||
AttributesToRoles is a list of mappings of attribute statements to roles.
|
||||
|
@ -1543,7 +1437,6 @@ AttributesToRoles is a list of mappings of attribute statements to roles.
|
|||
| roles | array of strings | | Roles is a list of static teleport roles to map to. |
|
||||
| value | string | | Value is an attribute statement value to match. |
|
||||
|
||||
|
||||
#### spec.signing_key_pair
|
||||
|
||||
SigningKeyPair is an x509 key pair used to sign AuthnRequest.
|
||||
|
@ -1553,7 +1446,6 @@ SigningKeyPair is an x509 key pair used to sign AuthnRequest.
|
|||
| cert | string | | Cert is a PEM-encoded x509 certificate. |
|
||||
| private_key | string | | PrivateKey is a PEM encoded x509 private key. |
|
||||
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
|
@ -1611,7 +1503,6 @@ resource "teleport_saml_connector" "example" {
|
|||
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
|
||||
| version | string | | Version is a resource version |
|
||||
|
||||
|
||||
### metadata
|
||||
|
||||
Metadata is resource metadata
|
||||
|
@ -1623,7 +1514,6 @@ Metadata is resource metadata
|
|||
| labels | map of strings | | Labels is a set of labels |
|
||||
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
|
||||
|
||||
|
||||
### spec
|
||||
|
||||
Spec is a SessionRecordingConfig specification
|
||||
|
@ -1633,7 +1523,6 @@ Spec is a SessionRecordingConfig specification
|
|||
| mode | string | | Mode controls where (or if) the session is recorded. |
|
||||
| proxy_checks_host_keys | bool | | |
|
||||
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
|
@ -1663,7 +1552,6 @@ resource "teleport_session_recording_config" "example" {
|
|||
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
|
||||
| version | string | | Version is a resource version. |
|
||||
|
||||
|
||||
### metadata
|
||||
|
||||
Metadata holds resource metadata.
|
||||
|
@ -1676,7 +1564,6 @@ Metadata holds resource metadata.
|
|||
| name | string | * | Name is an object name |
|
||||
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
|
||||
|
||||
|
||||
### spec
|
||||
|
||||
Spec is a Trusted Cluster specification.
|
||||
|
@ -1690,7 +1577,6 @@ Spec is a Trusted Cluster specification.
|
|||
| tunnel_addr | string | | ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default reverse tunnel port>. |
|
||||
| web_proxy_addr | string | | ProxyAddress is the address of the web proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default web proxy server port>. |
|
||||
|
||||
|
||||
#### spec.role_map
|
||||
|
||||
RoleMap specifies role mappings to remote roles.
|
||||
|
@ -1700,7 +1586,6 @@ RoleMap specifies role mappings to remote roles.
|
|||
| local | array of strings | | Local specifies local roles to map to |
|
||||
| remote | string | | Remote specifies remote role name to map from |
|
||||
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
|
@ -1738,7 +1623,6 @@ resource "teleport_trusted_cluster" "cluster" {
|
|||
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
|
||||
| version | string | | Version is version |
|
||||
|
||||
|
||||
### metadata
|
||||
|
||||
Metadata is resource metadata
|
||||
|
@ -1751,7 +1635,6 @@ Metadata is resource metadata
|
|||
| name | string | * | Name is an object name |
|
||||
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
|
||||
|
||||
|
||||
### spec
|
||||
|
||||
Spec is a user specification
|
||||
|
@ -1764,7 +1647,6 @@ Spec is a user specification
|
|||
| saml_identities | object | | SAMLIdentities lists associated SAML identities that let user log in using externally verified identity |
|
||||
| traits | map of string arrays | | |
|
||||
|
||||
|
||||
#### spec.github_identities
|
||||
|
||||
GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity
|
||||
|
@ -1774,7 +1656,6 @@ GithubIdentities list associated Github OAuth2 identities that let user log in u
|
|||
| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' |
|
||||
| username | string | | Username is username supplied by external identity provider |
|
||||
|
||||
|
||||
#### spec.oidc_identities
|
||||
|
||||
OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity
|
||||
|
@ -1784,7 +1665,6 @@ OIDCIdentities lists associated OpenID Connect identities that let user log in u
|
|||
| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' |
|
||||
| username | string | | Username is username supplied by external identity provider |
|
||||
|
||||
|
||||
#### spec.saml_identities
|
||||
|
||||
SAMLIdentities lists associated SAML identities that let user log in using externally verified identity
|
||||
|
@ -1794,7 +1674,6 @@ SAMLIdentities lists associated SAML identities that let user log in using exter
|
|||
| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' |
|
||||
| username | string | | Username is username supplied by external identity provider |
|
||||
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
|
|
|
@ -207,7 +207,6 @@ Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty
|
|||
In this example, `tele-admin` is now logged into the `tele.example.com` cluster
|
||||
through Teleport SSH.
|
||||
|
||||
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
|
||||
|
|
|
@ -220,7 +220,6 @@ mainSteps:
|
|||
runCommand:
|
||||
- /bin/sh /tmp/installTeleport.sh "{{ token }}"
|
||||
|
||||
|
||||
4. Attach IAM policies to "yourUser-discovery-role".
|
||||
|
||||
Confirm? [y/N]: y
|
||||
|
|
|
@ -15,7 +15,6 @@ when gradually transitioning large server fleets to Teleport.
|
|||
![Teleport OpenSSH Recording Proxy](../../../img/server-access/openssh-proxy.svg)
|
||||
</Figure>
|
||||
|
||||
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
|
||||
Teleport Cloud only supports session recording at the Node level. If you are
|
||||
|
|
|
@ -175,7 +175,6 @@ $ cat /etc/motd
|
|||
![Teleport SSH with updated MOTD](../../../img/motd/teleport-with-updated-MOTD.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
## Create local Unix users on login
|
||||
|
||||
Teleport has the ability to create local Unix users on login. This is
|
||||
|
@ -240,7 +239,6 @@ identity information.
|
|||
|
||||
</Admonition>
|
||||
|
||||
|
||||
Next, update `/etc/teleport.yaml` to call the above PAM stack by both enabling PAM and
|
||||
setting the service_name.
|
||||
|
||||
|
|
|
@ -24,7 +24,6 @@ older clients can use `ssh.exe` from either [Git for Windows][git] or
|
|||
Microsoft's [Win32-OpenSSH project][win32-openssh].
|
||||
</Admonition>
|
||||
|
||||
|
||||
## Step 1/3. First-time setup
|
||||
|
||||
Configure your local SSH client to access Teleport Nodes, assigning the `--proxy` flag to the address of your Teleport Proxy Service (e.g., `mytenant.teleport.sh` for Teleport Cloud users).
|
||||
|
@ -37,7 +36,6 @@ $ tsh login --proxy proxy.foo.example.com --user alice
|
|||
$ tsh config --proxy proxy.foo.example.com
|
||||
```
|
||||
|
||||
|
||||
Append the resulting configuration snippet into your SSH config file located
|
||||
in the path below:
|
||||
|
||||
|
|
|
@ -29,7 +29,6 @@ Head over to the Teleport page on [DigitalOcean Marketplace](https://marketplace
|
|||
![Teleport 1-Click droplet page](../../img/quickstart/digitalocean/1click-droplet-page.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
Once you click the button, DigitalOcean redirects you to the control panel to configure resources for the Teleport droplet. This step is similar to how you create a regular [droplet in DigitalOcean](https://docs.digitalocean.com/products/droplets/how-to/create/). Teleport is very lightweight, and if you are just trying out Teleport, you can select the $5 droplet. Make sure you select "SSH keys" as the SSH authentication method as it is more secure than a password.
|
||||
<Figure align="left" bordered caption="Create a droplet">
|
||||
![Create a droplet](../../img/quickstart/digitalocean/create-droplet.png)
|
||||
|
@ -88,14 +87,12 @@ Open the link copied in the previous step in the browser to complete the setup p
|
|||
![Set up user](../../img/quickstart/digitalocean/setup-user.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
Once you set up a password and provide a valid TOTP code, the user setup process will be complete, and you will be redirected to Teleport Web UI:
|
||||
|
||||
<Figure align="left" bordered caption="Teleport Web UI">
|
||||
![Teleport Web UI](../../img/quickstart/digitalocean/webui.png)
|
||||
</Figure>
|
||||
|
||||
|
||||
Congrats! You've completed setting up Teleport.
|
||||
|
||||
## Next steps
|
||||
|
|
Loading…
Reference in a new issue