When users access a cluster, Teleport caches their credentials to avoid generating a new cert key pair each time they run a command on the cluster. If the user's certificate includes an active access request that was later discarded, the Teleport Kubernetes Proxy continues to use the cached credentials - which include the dropped access request - resulting in subsequent requests being denied by Teleport. The problem persists even if the user assumes another access request that grants him access to the cluster.
This situation happens because Kubernetes Proxy stores in a TTL map the user's certificate to avoid generating and signing it each time the user hits the proxy. The lookup in cache happens using a key that includes the `kubeCluster`, `username`, `certificate_expiration`, `kube_users`, and `kube_groups` but does not include the `active_requests`.
This PR adds the `active_requests` into the cache's key to distinguish different certificate requests for the same user.
Fixes #19884
Since the release of `tsh proxy app` we no longer need a
Teleport-aware Drone CLI and can leverage the standard
drone tool from https://docs.drone.io/cli/install/
This PR includes a new Role resource version that is compatible with V5 spec.
The new resource introduces the `kubernetes_resources` definition that allows operators to limit the Kubernetes resources that each member can access. The `kubernetes_resources` entries must follow the following format: `{"kind":"<kind>", "namespace":"<namespace>","name":"<pod>"}`. Currently, it only supports objects of `kind` `pod`. Valid examples of `<namespace>/<name>`:
- `*/*`: matches all pods in all namespaces.
- `default/*`: matches all pods in the `default` namespace.
- `*/nginx-*`: matches every pod prefixed with `nginx-` in every namespace.
For older resource versions - V5, V4, V3 - `kubernetes_resources` is automatically populated with `{"kind":"pod","namespace":"*","name":"*"}` to keep compatibility. For the newest version, it's mandatory to define its value; otherwise, access to pods will be denied.
Part of #18434
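The access rule described above, as an added illustration that is not Teleport's own code: a `Role` and `KubeResource` stand-in (hypothetical types), a wildcard matcher for the `<namespace>/<name>` patterns, and the version-dependent default for `kubernetes_resources`.

```go
package main

import "strings"

// KubeResource is one kubernetes_resources entry; Role is a minimal stand-in
// (hypothetical, not Teleport's type) carrying only what the check needs.
type KubeResource struct{ Kind, Namespace, Name string }
type Role struct {
	Version   string // "v3", "v4", "v5" (legacy) or "v6" (new)
	Resources []KubeResource
}
// matchGlob reports whether value matches pattern, where "*" matches any run
// of characters (so "*" matches everything and "nginx-*" is a prefix match).
// Illustrative matcher, not Teleport's own implementation.
func matchGlob(pattern, value string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == value
	}
	if !strings.HasPrefix(value, parts[0]) {
		return false
	}
	value = value[len(parts[0]):]
	for _, p := range parts[1 : len(parts)-1] { // middle segments, leftmost-first
		i := strings.Index(value, p)
		if i < 0 {
			return false
		}
		value = value[i+len(p):]
	}
	return strings.HasSuffix(value, parts[len(parts)-1])
}

// effectiveResources applies the compatibility rule: legacy role versions are
// treated as {"kind":"pod","namespace":"*","name":"*"}; the new version must
// list its resources explicitly, so an empty list grants nothing.
func effectiveResources(r Role) []KubeResource {
	switch r.Version {
	case "v3", "v4", "v5":
		return []KubeResource{{Kind: "pod", Namespace: "*", Name: "*"}}
	}
	return r.Resources
}

// PodAllowed reports whether the role grants access to namespace/name.
func PodAllowed(r Role, namespace, name string) bool {
	for _, res := range effectiveResources(r) {
		if res.Kind == "pod" && matchGlob(res.Namespace, namespace) && matchGlob(res.Name, name) {
			return true
		}
	}
	return false
}
```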
This patch performs the (hopefully final) switchover that will make drone
defer to GHA in order to build Teleport on arm64.
This patch:
- Replaces all of the Dronegen code to generate arm64 builds locally with
steps that invoke the GHA builder workflow
- Changes the release tagging behavior in the Makefile to tag `teleport.e`
with the same tag as teleport. This is required for Drone to identify
the revision of the arm64 build workflow to invoke
- Updates the e reference to include a revision of `teleport.e` that
contains the builder workflows
Thanks to everyone involved in getting this working.
The `fileStreamer` continues to write events after the server shuts down and races against the `os.RemoveAll` call during the test cleanup causing the test to fail.
Using `node-sync` recording mode to write the events and session recordings directly to AuthClient solves the issue.
Fixes #19847
* Update etcd backend docs to include recommendations
- Update links to currently maintained docs
- Include link to hardware recs including mentioning storage
Closes #19765
The CHANGELOG includes some links to docs pages that use a full URL,
including the `ver` path segment. These links broke once we changed the
docs engine to recognize the `[0-9]+.x` format for versions, rather than
`[0-9]+.[0-9]+`.
If we were to change these links to use the new version format, though,
they would break once we deprecate that version.
This change turns all of the paths in these links to relative paths to
MDX files. In the CHANGELOG.md file, they will now link to pages on
GitHub. In the docs changelog page, they will link to the current
version of the docs. Users who want to see how the pages looked when we
released the appropriate version can do so by using the version switcher
dropdown.
* Switch golang.org/x/crypto to gravitational fork
* Update golden files
* Add comment to go.mod
* Update api module to use crypto fork.
* Move x/crypto to replaced section in dependabot.yml
Converts usage of `newFixture` to `newFixtureWithoutDiskBasedLogging`
to prevent directory not empty errors caused by `t.TempDir` still
containing upload parts.
Fixes #19826
This creates a more human-readable representation of a role.
Fixes #7549
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: David Heitman <david.heitman@checkr.com>
Consolidates more of the build logic into the build.assets Makefile, transplanted from the workflow file in teleport.e
See comment gravitational/teleport.e#673 (comment)
* Fix listing all nodes in tsh
Usage of channels was flipped, we tried to write to collecting channel,
but nobody was reading from it, so we blocked forever. Now using simpler
version with mutex for synchronization, and doing it for db listings as
well for consistency.
Enable device authorization by plugging into auth.Authorizer and selectively
disabling it for processes that don't (yet) want device authz.
`GenerateUserCerts` is modified to issue device-aware certificates (DB/k8s
access), as well as `CreateAppSession`. The latter is not necessary for DB
access, but it does enable App Access to issue device-aware certs - commands
such as `tsh apps login` and `tsh proxy app` can benefit from those.
DB access is now ready to benefit from trusted devices. k8s access is likely
supported with these changes as well, but I've postponed enabling it after I've
done more testing.
Both `GenerateUserCerts` and `GenerateUserSingleUseCerts` now do early
device-aware authorization; this creates a better UX, as it allows us to return
error messages directly via `tsh`, instead of having to pipe them through
database-specific protocols. Further PRs could improve errors for scenarios
where the existing certificate became lacking due to higher server-side authz
enforcement.
gravitational/teleport.e#514
An access request watcher has been added to support access requests that
will require downstream reconciliation based on access request approval. This
will be useful for requests that trigger external APIs in other Teleport
services once they've been approved. This will be useful for the upcoming
Okta integration work.
This PR fixes multiple goroutine and memory leaks when interactive sessions are used.
- When the session terminates, the `multiResizeQueue` never returns, and the resize stream goroutine blocks.
- A goroutine leak existed when the server received resizing events after the connection terminated - this happens with fast exec requests.
- A memory leak existed when users tried to leave the session after the `session.tracker` was closed.
This PR also releases the connection monitor earlier. When the server is under heavy load, it might take a while for the connection to return an `EOF` - which triggers the service monitor automatic release - and the service monitor resources were leaking until the server resumed normal operation.
It also fixes reloads when new parties join and leave the `multiResizeQueue`.
* Correct redirect syntax
Redirects are evaluated in order left-to-right so cloning err from out (`2>&1`) before redirecting stdout (`> /dev/null`) has the effect of sending stderr to fd 1 and stdout to the redirected file.
* Do not expand here document text
Avoids need to escape quotes and variable references in pasted script.
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Add a new db engine
* Add tests for new engine
* Update tsh db subcommands
* Refactor error message and suggestions for unsupported tsh commands
* Add dynamodb to test plan
* Add AWS external ID to db config and update protos
This command allows you to modify a resource in place by opening
the resource YAML in your text editor.
The editor is selected by checking the following, in order of
precedence:
- the TELEPORT_EDITOR environment variable
- the VISUAL environment variable
- the EDITOR environment variable
- defaulting to 'vi'
We also prevent renaming resources with this command.
See gravitational/webapps#1465 where we do the same for the web UI.