Closes #16612
The guide names the Machine ID getting started guide as a prerequisite,
and the getting started guide shows how to authorize Machine ID to log
in as `root`.
This change edits the playbook example in the Ansible guide to use
`root`, and uses a `Var` component in case the user configured Machine
ID to have another login instead.
Closes #10678
- Clarify the URL to use for the Entity ID and Reply URL, using the
`Var` component to streamline instructions for self-hosted and Cloud
users.
- Clarify the optional nature of SAML token encryption
* Extend Teleport RBAC to support Kubernetes Verbs
This PR extends Teleport per-Resource RBAC to support Kubernetes verbs
restriction. With this change it's possible to restrict certain actions
allowed by the underlying `kubernetes_users` and `kubernetes_resources`.
Supported verbs:
- `get`
- `create`
- `update`
- `patch`
- `delete`
- `list`
- `watch`
- `deletecollection`
Fixes #27095
* address timr's comments
* assign wildcard to verbs for role <7
* address marco's reviews
Fixes #28449
Change the `docs/pages/includes/s3-iam-policy.mdx` partial to define a
more restrictive list of S3 permissions.
Currently, the partial includes the `s3:*Object` action. This change
expands the wildcard for only the permissions that the Auth Service
needs.
All the possible `s3:*Object` permissions are:
`DeleteObject`
`GetObject`
`PutObject`
`ReplicateObject`
`RestoreObject`
The Auth Service needs `GetObject` for `*Handler.Download` and
`PutObject` for `*Handler.Upload` (lib/events/s3sessions/s3handler.go),
but only uses `DeleteObject` for tests in `*Handler.deleteBucket`. It
doesn't seem to need `ReplicateObject` or `RestoreObject`.
* update to not be SSH-specific
* hard breaks ~80 chars
* undo changes from d80ab5b...
I had adjusted this section to fit as a prereq bullet point. It makes more sense for this to be a unique section at the bottom of SSO pages, so that the reader only changes the default auth method _after_ completing the setup.
* update onelogin SSO guide
* Respond to @ptgott's feedback
* Introduce Access List internal object.
The Access List internal object has been introduced. This object will be used
for backend storage and JSON/YAML unmarshaling.
This PR introduces a few concepts:
* Access List is intended to be created with a builder.
* Access List is a regular struct instead of an interface.
* There are common objects, which are largely copies of their current protobuf
counterparts, that also have builders.
* These common builders can be integrated with regular resource builders, like
the access list builder.
* Linting fixes.
* More linting.
* Remove builder.
* Modify to match most recent proto updates.
* Move IsValidLabelKey back to common.
* Tuning of function named returns, add in tests for IsValidLabelKey, expand IsValidLabelKey comment.
* SetKind/SetVersion at the end of CheckAndSetDefaults.
* Remove pointers from AccessList/Header objects.
* Move SetKind/SetVersion back to beginning of CheckAndSetDefaults.
Teleport assumes that the `google` claim is present in the identity token that the Teleport service shares with Auth server. This is valid for VMs but it's not valid for GKE clusters using Workload identity and other GCP services. Teleport requests the identity token with `format=full` to receive this enhanced token.
Example of an identity token with a `google` claim:
```json
{
  "iss": "[TOKEN_ISSUER]",
  "iat": [ISSUED_TIME],
  "exp": [EXPIRED_TIME],
  "aud": "[AUDIENCE]",
  "sub": "[SUBJECT]",
  "azp": "[AUTHORIZED_PARTY]",
  "google": {
    "compute_engine": {
      "project_id": "[PROJECT_ID]",
      "project_number": [PROJECT_NUMBER],
      "zone": "[ZONE]",
      "instance_id": "[INSTANCE_ID]",
      "instance_name": "[INSTANCE_NAME]",
      "instance_creation_timestamp": [CREATION_TIMESTAMP],
      "instance_confidentiality": [INSTANCE_CONFIDENTIALITY]
    }
  }
}
```
The problem arises when one tries to use GCP joining for a Teleport service running on a GKE pod. When inside a pod with a binding between the Kubernetes Service account and the Google IAM Service Account, Google's metadata service token does not include the `google` claim, so it fails to join the cluster because of the unknown `project_id`.
To bypass this limitation, this PR extracts the `project_id` from the Google Service Account Email claim
`<service_account_name>@<project_id>.iam.gserviceaccount.com`. We use regex to extract the `project_id` and ensure the email follows the specified format above. Tests were introduced to validate the email.
Fixes #28636
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
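The fallback described above, as an added example that is not Teleport's own code: prefer the `google.compute_engine.project_id` claim when present, otherwise extract `project_id` from the service account email with a regex that also rejects addresses not in the `<service_account_name>@<project_id>.iam.gserviceaccount.com` format. The struct names, the regex character classes and the sample token payloads are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Only the claims this example needs from a GCP identity token; the rest are ignored.
type computeEngine struct {
	ProjectID string `json:"project_id"`
}
type googleClaim struct {
	ComputeEngine computeEngine `json:"compute_engine"`
}
type idTokenClaims struct {
	Email  string       `json:"email"`
	Google *googleClaim `json:"google,omitempty"`
}

// Matches <service_account_name>@<project_id>.iam.gserviceaccount.com and captures the
// project ID. Character classes and lengths are an assumption from GCP naming rules.
var gcpServiceAccountEmail = regexp.MustCompile(
	`^[a-z0-9-]+@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$`)
// projectIDFromClaims prefers google.compute_engine.project_id (present on VMs) and
// falls back to the service account email, the only source under GKE Workload Identity.
func projectIDFromClaims(c idTokenClaims) (string, error) {
	if c.Google != nil && c.Google.ComputeEngine.ProjectID != "" {
		return c.Google.ComputeEngine.ProjectID, nil
	}
	m := gcpServiceAccountEmail.FindStringSubmatch(c.Email)
	if m == nil {
		return "", fmt.Errorf("no google claim and %q is not a GCP service account email", c.Email)
	}
	return m[1], nil
}
func main() {
	// Constructed sample payloads: a VM-style token with the google claim, then a
	// Workload Identity token that only carries the service account email.
	for _, raw := range []string{
		`{"email":"vm-sa@vm-project-01.iam.gserviceaccount.com","google":{"compute_engine":{"project_id":"vm-project-01"}}}`,
		`{"email":"tbot@gke-project-42.iam.gserviceaccount.com"}`,
	} {
		var c idTokenClaims
		if err := json.Unmarshal([]byte(raw), &c); err != nil {
			panic(err)
		}
		id, err := projectIDFromClaims(c)
		fmt.Printf("project=%q err=%v\n", id, err)
	}
}
```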
#28499 missed adding the augmented device certificates retrieved from
DeviceLogin to the local agent which causes TestNodeAccess to fail.
This was not caught in #28499 because TestNodeAccess is in `e` and
tests from `e` are not run on `oss` PRs.
* Test concurrent compare and swaps
The backend test suite was not validating that simultaneous CAS
operations result in only one attempt succeeding. The test now
runs multiple concurrent CAS operations and ensures that only a
single operation succeeds. This shortcoming in the test allowed
the Firestore backend to pass the compliance test while not performing
CAS in an atomic manner.
* Firestore backend improvements
1) CAS now utilizes a transaction to ensure the operation is atomic
The original implementation did not use transactions, which violated
the atomic guarantees of the CAS operation. The backend compliance
test was able to catch this when it was updated to run concurrent
CAS operations.
2) Update is limited to updating a value
The original implementation of Update was actually doing a get and
then upsert. However, there are no guarantees that prevent a delete
from occurring between get and upsert, which means Update would
upsert the value instead of failing. Instead of get and then upsert
we now update the document using the (firestore.DocumentRef) Update
method.
3) Watching items from the collection filters out any audit events
If Teleport is configured to use the same collection for backend state
and audit events the collection watcher ends up consuming all audit
events as empty backend items. To avoid this, the watcher now filters
out any collections which have an empty key. Since it is not possible
for backend resources to be written without a key, this will only
exclude audit events, which have a different schema.
4) SearchEvents now filters out backend resources
Similar to above, the Firestore events implementation now excludes
any documents which have an empty session id to prevent backend
resources from getting included in queries for audit events if the
collection is being shared.
* speed up backend test suite
* conditionally delete expired items on get
* fix: cleanup tests
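The concurrent compare-and-swap check described above, as an added example that is not Teleport's test suite: a minimal in-memory backend (an assumed stand-in for the real backend interface) whose CAS holds a lock across the read and the write, and a helper that fires many CAS attempts at the same key with the same expected value and counts the winners. An atomic implementation yields exactly one winner; a get-then-write implementation like the old Firestore one could yield several.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
	"sync/atomic"
)

// memBackend is a minimal in-memory stand-in for a Teleport backend (an assumption for
// this example). Holding the mutex across the read and the write is what makes
// CompareAndSwap atomic; the Firestore fix achieves the same with a transaction.
type memBackend struct {
	mu    sync.Mutex
	items map[string][]byte
}

func (b *memBackend) CompareAndSwap(key string, expected, replaceWith []byte) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	cur, ok := b.items[key]
	if !ok || !bytes.Equal(cur, expected) {
		return fmt.Errorf("compare failed for key %q", key)
	}
	b.items[key] = replaceWith
	return nil
}

// concurrentCASWinners fires n CAS attempts at once, all expecting the same old value,
// and returns how many succeeded; an atomic backend returns exactly 1.
func concurrentCASWinners(b *memBackend, n int) int {
	b.items = map[string][]byte{"k": []byte("v0")}
	var wg sync.WaitGroup
	var wins int32
	for i := 1; i <= n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			if b.CompareAndSwap("k", []byte("v0"), []byte(fmt.Sprintf("v%d", i))) == nil {
				atomic.AddInt32(&wins, 1)
			}
		}(i)
	}
	wg.Wait()
	return int(atomic.LoadInt32(&wins))
}

func main() {
	fmt.Println("winners:", concurrentCASWinners(&memBackend{}, 100))
}
```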
* Edit forScopes configurations and edit guides
Closes #26500
This change requires merging gravitational/docs#326 to add a Team scope
to the docs.
This updates pages within the docs so that:
- Each page's `forScopes` configuration is accurate, especially with
regard to support for Teleport Team.
- All scoped components match the `forScopes` configuration for each
page. For this, I used the linter introduced by
gravitational/docs#327.
* Respond to alexfornuto feedback
* Update assist docs
* Update AI Assist documentation for multiple hosts
The AI Assist documentation was updated to clarify the configuration process for both Proxy and Auth Service hosts.
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* tsh: Implement puttyconfig command to add saved PuTTY sessions to Windows registry
* Addressed comments from code review
* Add support for leaf clusters
* Refactoring from code review
Also moved registry/hostname functions into external packages
* Address more feedback from code review
* Rebase following tsh/common changes
* Fix up putty_config_windows
* Reorder command
* Remove surplus comment
* Use a separate list instead of overloading the 'extra' key
* Address Tim's code review comments
* Address some of Zac's comments
* Refactor formatLocalCommandString to use text/template
* Refactor non-Windows logic into puttyhosts
* Fix subcommand name
* Fix test structure
* Add some more hostnames test cases
* Apply suggestions from code review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Fix up
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Clear the refresh websocket timeout when closing Assist
* Missing semicolon to please prettier
* Add comment to remove once the new session implementation is done
* Add new endpoint, types, update types
* Preserve user selected aws rds db
* Rename DownloadScript to ManualDeploy
- Remove duplicate test
- Use discover context instead of passed in props
- Rename util to common
- Move hasMatchingLabels to common.tsx for re-use
* Add another action button and pass autoFocus field
* Implement auto deploy screen
* Implement auto manual view toggler
* Update db view config
* Only allow back on user trait if user manually deployed agent
* Add TODO comment
* Address CRs
* Fix lint/test
* Address CRs
* Revert back to original flow
* Define type for service deploy method
* Address CR and revert a change
- aws field for database has to be empty if the
result comes back empty. This field determines
if the database is hosted by aws
- add a clarifying comment
* Remove optional rds field
* log a warning when db/discovery service init is skipped but the service is enabled
* don't register discovery service event mapping when init is skipped to avoid log spam waiting on DiscoveryReady event
* fix godoc for DiscoveryReady event
Added the `t.Parallel()` function call in each test function to enable parallel test execution. This should reduce the overall time it takes to run all these tests by enabling them to run concurrently.
* Introduce the Access List object.
The Access List object, which is the foundational object for access grants,
has been introduced. Due to the size/complexity of this object, the
implementation in api/types will come in a follow up.
* Use duration, update comments.
* Remove more requested membership bits, clarify what happens for user login state.
* Add in duration type mapping to buf-gogo.gen.yaml.
* Use an array instead of csv string.
* Migrate from legacy to regular protobuf.
* Make common resource header and metadata for use by non-legacy objects.
* Use repeated trait list instead of map for traits, remove V1 suffix since things are in a v1 package anyway.
* Move common bits into separate files.
* Use separate packages for traits, resource header, and metadata.