fixes #1546, fixes #1535
This commit fixes error message in case if token
is generated for trusted cluster and allows
admins to provide custom tokens:
tctl nodes add --roles=node --token=custom --ttl=100h
This commit makes sure that trusted cluster resource
name is the same name as the cluster name it connects to.
If user supplies name of the trusted cluster resource
that is different from the cluster name, the warning
will be issued and trusted cluster will be renamed.
Upgrade procedure renames existing trusted clusters
in place.
If user supplies trusted cluster without role
mappings, or with role mappings referring to
non-existent roles that do not exist, the
error will be returned.
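Added example (not Teleport's own code) of the validation described in the commit message above: rename the resource to the remote cluster name with a warning, reject an empty role map, and reject mappings to roles that do not exist. The resource and role-mapping types, the role set and the cluster names are constructed stand-ins for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// RoleMapping maps one role name on the remote cluster to local role names.
// Both types here are simplified stand-ins, not Teleport's resource types.
type RoleMapping struct {
	Remote string
	Local  []string
}

// TrustedCluster is the resource being validated: its name and role map.
type TrustedCluster struct {
	Name    string
	RoleMap []RoleMapping
}

// ValidateTrustedCluster applies the three checks from the commit message:
//   - the resource name must equal the remote cluster's name; if it differs the
//     resource is renamed and a warning is recorded (returned rather than logged,
//     so callers and tests can inspect it);
//   - an empty role map is an error;
//   - a mapping that refers to a local role absent from existingRoles is an error.
func ValidateTrustedCluster(tc TrustedCluster, remoteClusterName string, existingRoles map[string]bool) (TrustedCluster, []string, error) {
	var warnings []string
	if tc.Name != remoteClusterName {
		warnings = append(warnings, fmt.Sprintf(
			"trusted cluster resource %q renamed to %q to match the remote cluster name", tc.Name, remoteClusterName))
		tc.Name = remoteClusterName
	}
	if len(tc.RoleMap) == 0 {
		return tc, warnings, errors.New("trusted cluster must define at least one role mapping")
	}
	for _, m := range tc.RoleMap {
		for _, local := range m.Local {
			if !existingRoles[local] {
				return tc, warnings, fmt.Errorf(
					"role mapping for remote role %q refers to local role %q, which does not exist", m.Remote, local)
			}
		}
	}
	return tc, warnings, nil
}

func main() {
	// Constructed sample: the resource was named "east" but the remote cluster
	// identifies itself as "east.example.com"; only "admin" and "dev" exist locally.
	existing := map[string]bool{"admin": true, "dev": true}
	tc := TrustedCluster{Name: "east", RoleMap: []RoleMapping{{Remote: "admin", Local: []string{"admin"}}}}
	validated, warnings, err := ValidateTrustedCluster(tc, "east.example.com", existing)
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
	fmt.Println("name after validation:", validated.Name, "error:", err)

	bad := TrustedCluster{Name: "east.example.com", RoleMap: []RoleMapping{{Remote: "admin", Local: []string{"root"}}}}
	_, _, err = ValidateTrustedCluster(bad, "east.example.com", existing)
	fmt.Println("bad mapping:", err)
}
```

The rename is applied before the role checks so that a resource which fails validation still reports the name the cluster will use, which is the name an administrator will search for in the audit log.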
Add support for extra principals for proxy.
Proxy section already supports public_addr
property that is used during tctl users add
output.
Use the value from this property to update
host SSH certificate for proxy service.
proxy_service:
public_addr: example.com:3024
With the configuration above, proxy host
certificate will contain example.com principal
in the SSH principals list.
Support configuration for web and reverse tunnel
proxies to listen on the same port.
* Default config is not changed for backwards compatibility.
* If administrator configures web and reverse tunnel
addresses to be on the same port, multiplexing is turned on
* In trusted clusters configuration reverse_tunnel_addr
defaults to web_addr.
* Session events are delivered in continuous
batches in a guaranteed order with every event
and print event ordered from session start.
* Each auth server writes to a separate folder
on disk to make sure that no two processes write
to the same file at a time.
* When retrieving sessions, auth servers fetch
and merge results recorded by each auth server.
* Migrations and compatibility modes are in place
for older clients not aware of the new format,
but compatibility mode is not NFS friendly.
* On disk migrations are launched automatically
during auth server upgrades.
This commit adds remote cluster resource that specifies
connection and trust of the remote trusted cluster to the local
cluster. Deleting remote cluster resource deletes trust
established between clusters on the local cluster side
and terminates all reverse tunnel connections.
Migrations make sure that remote cluster resources exist
after upgrade of the auth server.
This commit introduced mutual TLS authentication
for auth server API server.
Auth server multiplexes HTTP over SSH - existing
protocol and HTTP over TLS - new protocol
on the same listening socket.
Nodes and users authenticate with 2.5.0 Teleport
using mutual TLS except backwards-compatibility
cases.
This commit adds multiplexer library of SSH/TLS on the same
listener socket. The multiplexer detects the protocol by the first
3 bytes of the incoming connection and forwards wrapped
connection either to the SSH or TLS listeners.
The library also supports PROXY line protocol
and wraps connection information with connection details
from the proxy line received by the server
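Added example (not the Teleport multiplexer library itself) of the detection logic the commit message above describes: classify a connection from its first three bytes, and when a PROXY protocol line is present, parse it for the client details and then detect the protocol of what follows. The byte signatures used (an "SSH-" banner, a TLS record starting 0x16 0x03, a "PROXY " v1 header) are standard for those protocols; the types, function names and the sample inputs are constructed for this illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

type Protocol int

const (
	ProtoUnknown Protocol = iota
	ProtoSSH
	ProtoTLS
	ProtoProxy // a PROXY protocol v1 line precedes the real payload
)

// DetectProtocol classifies a stream from its first three bytes: an SSH banner starts with
// "SSH-", a TLS record with handshake type 0x16 and major version 0x03, a PROXY v1 header with "PROXY ".
func DetectProtocol(prefix []byte) (Protocol, error) {
	if len(prefix) < 3 {
		return ProtoUnknown, errors.New("need at least 3 bytes to detect protocol")
	}
	switch {
	case bytes.HasPrefix(prefix, []byte("SSH")):
		return ProtoSSH, nil
	case bytes.HasPrefix(prefix, []byte("PRO")):
		return ProtoProxy, nil
	case prefix[0] == 0x16 && prefix[1] == 0x03:
		return ProtoTLS, nil
	}
	return ProtoUnknown, fmt.Errorf("unrecognised protocol prefix %x", prefix[:3])
}

type ProxyLine struct{ Source, Destination net.TCPAddr } // addresses carried by the PROXY v1 header

// ParseProxyLine parses "PROXY TCP4 <src-ip> <dst-ip> <src-port> <dst-port>\r\n".
func ParseProxyLine(line string) (*ProxyLine, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" || f[1] != "TCP4" {
		return nil, fmt.Errorf("malformed PROXY line %q", line)
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	sport, err1 := strconv.Atoi(f[4])
	dport, err2 := strconv.Atoi(f[5])
	if src == nil || dst == nil || err1 != nil || err2 != nil {
		return nil, fmt.Errorf("bad address or port in PROXY line %q", line)
	}
	return &ProxyLine{net.TCPAddr{IP: src, Port: sport}, net.TCPAddr{IP: dst, Port: dport}}, nil
}

// Classify peeks at the connection without consuming the payload, strips a PROXY line if present,
// and returns the protocol of what remains. The returned reader still holds the peeked bytes.
func Classify(conn net.Conn) (Protocol, *ProxyLine, *bufio.Reader, error) {
	r := bufio.NewReader(conn)
	prefix, err := r.Peek(3)
	if err != nil {
		return ProtoUnknown, nil, nil, err
	}
	proto, err := DetectProtocol(prefix)
	if err != nil || proto != ProtoProxy {
		return proto, nil, r, err
	}
	// A PROXY line only wraps the connection: parse it, then detect what follows it.
	line, err := r.ReadString('\n')
	if err != nil {
		return ProtoUnknown, nil, nil, err
	}
	pl, err := ParseProxyLine(line)
	if err != nil {
		return ProtoUnknown, nil, nil, err
	}
	if prefix, err = r.Peek(3); err != nil {
		return ProtoUnknown, nil, nil, err
	}
	if proto, err = DetectProtocol(prefix); err != nil || proto == ProtoProxy {
		return ProtoUnknown, nil, nil, errors.New("expected SSH or TLS after PROXY line")
	}
	return proto, pl, r, nil
}

// ClassifyBytes pushes a constructed byte string through an in-memory net.Pipe (no real listener).
func ClassifyBytes(data []byte) (Protocol, *ProxyLine, error) {
	client, server := net.Pipe()
	go func() {
		client.Write(data)
		client.Close()
	}()
	defer server.Close()
	proto, pl, _, err := Classify(server)
	return proto, pl, err
}

func main() {
	// Constructed sample: a PROXY v1 line from a load balancer, then an SSH banner.
	proto, pl, err := ClassifyBytes([]byte("PROXY TCP4 192.0.2.10 198.51.100.5 51234 3022\r\nSSH-2.0-OpenSSH_7.4\r\n"))
	fmt.Println(proto, pl, err)
}
```

Two points matter for a server that does this in production: the peeked bytes must stay in the buffered reader that is handed to the SSH or TLS server, otherwise the handshake breaks, and a prefix that matches neither protocol is refused rather than defaulted, so an unexpected client cannot pick which listener it lands on.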
* Allow external audit log plugins
* Add support for auth API server plugins
* Add license file path configuration parameter (not used in open-source)
* Extend audit log with user login events
This commit improves error handling and improves rule evaluations
by introducing rule priorities.
Roles are now checked for syntax errors in 'where' and 'actions'
sections, which was not done before.
In case if several equivalent rules are specified, new rule
evaluations are now going into effect:
The more specific rule will be matched first.
* Rule matching wildcard resource is less specific
than the same rule matching a specific resource
* Rule that has wildcard verbs is less specific
than the same rule matching a specific verb
* Rule that has where section is more specific
than the same rule without where section
* Rule that has actions list is more specific than
rule without actions list.
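Added example (not Teleport's rule engine) that models the ordering described above: each of the four criteria contributes to a specificity score, rules are sorted most specific first, and the first applicable rule wins. The Rule type, the scoring, the rule names and the placeholder where condition are constructed for this illustration; evaluating the where and actions sections themselves is outside its scope, only their presence affects the order.

```go
package main

import (
	"fmt"
	"sort"
)

const Wildcard = "*"

// Rule is a simplified access rule with the four properties the ordering
// depends on. It is constructed for this example and is not Teleport's type.
type Rule struct {
	Name      string
	Resources []string // resource kinds, or Wildcard
	Verbs     []string // verbs, or Wildcard
	Where     string   // optional condition; only its presence matters here
	Actions   []string // optional action list; only its presence matters here
}

func hasWildcard(values []string) bool {
	for _, v := range values {
		if v == Wildcard {
			return true
		}
	}
	return false
}

// Specificity gives one point per criterion from the commit message: a rule
// naming specific resources, naming specific verbs, carrying a where section,
// or carrying an actions list beats the same rule without that property.
func Specificity(r Rule) int {
	score := 0
	if !hasWildcard(r.Resources) {
		score++
	}
	if !hasWildcard(r.Verbs) {
		score++
	}
	if r.Where != "" {
		score++
	}
	if len(r.Actions) > 0 {
		score++
	}
	return score
}

// OrderRules returns a copy sorted most specific first. The sort is stable, so
// rules of equal specificity keep the order in which they were declared.
func OrderRules(rules []Rule) []Rule {
	out := append([]Rule(nil), rules...)
	sort.SliceStable(out, func(i, j int) bool {
		return Specificity(out[i]) > Specificity(out[j])
	})
	return out
}

// applies reports whether a rule covers the resource and verb, treating a
// wildcard entry as matching anything.
func applies(r Rule, resource, verb string) bool {
	matches := func(values []string, want string) bool {
		for _, v := range values {
			if v == Wildcard || v == want {
				return true
			}
		}
		return false
	}
	return matches(r.Resources, resource) && matches(r.Verbs, verb)
}

// FirstMatch returns the name of the most specific rule that applies, or "".
func FirstMatch(rules []Rule, resource, verb string) string {
	for _, r := range OrderRules(rules) {
		if applies(r, resource, verb) {
			return r.Name
		}
	}
	return ""
}

func main() {
	// Constructed rule set: a catch-all, a rule for reading nodes, and the same
	// rule with a where condition (the condition text is a placeholder).
	rules := []Rule{
		{Name: "catch-all", Resources: []string{Wildcard}, Verbs: []string{Wildcard}},
		{Name: "node-read", Resources: []string{"node"}, Verbs: []string{"read"}},
		{Name: "node-read-where", Resources: []string{"node"}, Verbs: []string{"read"}, Where: "<condition>"},
	}
	for _, r := range OrderRules(rules) {
		fmt.Printf("%-16s specificity=%d\n", r.Name, Specificity(r))
	}
	fmt.Println("node/read    ->", FirstMatch(rules, "node", "read"))
	fmt.Println("session/list ->", FirstMatch(rules, "session", "list"))
}
```

The stable sort is the important design choice: when two rules are equally specific, declaration order decides, so an administrator reviewing a role can predict which rule wins without knowing the scoring details.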