This new API can be used to play back sessions of any type.
The player accepts a session ID and a streamer, and provides
the caller with an API for playback controls (speed, play/pause,
seek, etc.) as well as a channel that receives events with the
proper timing delay applied.
The design for this change is discussed in RFD 91.
Updates #10578
Updates #10579
Updates gravitational/teleport-private#665
Updates gravitational/teleport-private#1024
This change improves the output of tsh ssh when running on multiple
nodes. Stdout and stderr are now labeled with the hostname of the
node they came from. The --log-dir flag on tsh ssh will create a
directory where the separated output of each command will be stored.
Edit the guide based on testing for v14.
- Add a missing section introduction paragraph in Step 1.
- Use ordered lists for most instructions. We have started rolling this
convention out across the docs for clarity.
- Remove a redundant `create-namespace` flag in `helm install`.
- Remove `Var` components that failed to render in example command
output. While it's possible to get these to render by removing the `#`
that begins their lines, these variables aren't useful in this case.
- Remove redundant `#` characters in `code` snippet output lines. These
are no longer necessary for indicating that a line is an example
return value.
- Use the imperative mood in `helm-repo-add.mdx`, since we use this
partial in how-to guides.
We are asking for a region when configuring the AWS IAM OIDC IdP.
The region is actually irrelevant for the configuration: IAM resources
are global.
This can cause some confusion for the user:
- is the integration only for this region?
Our recommended way to run this script is in AWS CloudShell which has an
env var (AWS_REGION) that the Go AWS SDK uses to decide which region to
use.
If the user is running this script elsewhere, where they don't have the
env var set, an error message will be shown:
... please set the AWS_REGION environment variable.
This should be helpful enough for them to fix the issue.
* Use remoteClient for remoteSite to ensure the correct authorization mechanism is used for openssh leaf nodes.
* Use remoteClient only for auth handler access point.
* Resolve nomenclature comments.
* Update integration test to cover same-name role mapping logic.
* Add nil check.
* Apply suggestions from code review
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Add permissions for friendly names
* Only show updated permissions for Slack
* Remove duplicate impersonation instructions
* Use preview_as_roles for access plugin permissions
* Capitalize Access Requests
* Remove redundant node setup in GitHub workflows
The Node setup step in both the `lint-ui.yaml` and `unit-tests-ui.yaml` GitHub workflows has been removed. It appears to be unnecessary as we pass Node version information in an earlier step and it may cause complications. Simplifying these workflows should reduce potential points of failure.
* Trigger CI build
* Add print node version
`examples/go-client` and `integrations/kube-agent-updater` appear to be the only usages of gRPC at a version older than 1.58.3.
`examples/go-client` is primarily addressed through updating the `api` module.
The `boring` crate will compile BoringSSL on demand.
Remove unneeded Clang 7 build and replace Clang 10 with Clang 12.
BoringSSL in FIPS mode explicitly requires Clang 12.0.0, while libbpf
and related tools only require Clang 10+, so standardized everything
on Clang 12.0.0 so that we don't need multiple Clang installations.
This also required libbpf to be bumped, as 1.0.1 no longer compiled.
Both 1.1.x and 1.2.x seem to build fine, so went ahead and bumped to
1.2.2 (latest libbpf). As a result, `aquasecurity/libbpfgo` was also
bumped to match the new version.
Additionally, add a few missing git commit hash validations that were
noticed as all the `Dockerfile`s were being reviewed/updated.
Adds an implementation of the teleport.users.v1.UsersService RPC
service. Logic was copied from lib/auth/auth.go and
lib/auth/auth_with_roles.go but not removed in favor of the new
service yet. Follow up work will consolidate the legacy code to
call into the new users service.
* Replace audit_retention_period with retention_period
* Override a zero retention period with the default value
* Update docs to reflect which backends respect the retention_period
* Remove unused json tags from dynamo events config
---------
Co-authored-by: Musaed Albrikan <mabrikan@gmail.com>
* Remove "Preview" designation
Teleport is moving away from the concept of a preview feature. This
change reflects this move on the docs site.
* Respond to zmb3 feedback
Restore the "Preview" note to the AI Assist page.
Originally there was a default limit of 100 max concurrent streams; however, in 2017 the gRPC team removed this default: https://github.com/grpc/grpc-go/pull/1624
With the recent HTTP/2 Rapid Reset DoS, it is now being encouraged to re-introduce a limit. In fact, the fix requires this value to be configured: https://github.com/grpc/grpc-go/pull/6703
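The reason a stream limit alone is not enough against Rapid Reset is visible in the model below, which is an added example and not code from grpc-go or Teleport. It stands in for an HTTP/2 server that hands every incoming stream to a handler goroutine: the client opens a stream and sends RST_STREAM immediately, but the handler that was already dispatched keeps running, so the per-connection stream count drops to zero while the server keeps burning a goroutine per reset. Bounding the number of handlers that may run at once (the real knob in grpc-go is the `grpc.MaxConcurrentStreams` server option) caps the damage regardless of how fast the client resets. The `streamServer`, `handle` and `rapidReset` names, and the use of a blocking handler to make the peak deterministic, are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
)

// streamServer models the server side of one HTTP/2 connection (hypothetical;
// not grpc-go's implementation). Every incoming stream is dispatched to its
// own handler goroutine. maxHandlers == 0 means no bound at all, standing in
// for the pre-fix behaviour described in the commit message above.
type streamServer struct {
	maxHandlers int
	sem         chan struct{} // nil when unbounded
	inFlight    atomic.Int64  // handlers currently running
	peak        atomic.Int64  // highest value inFlight reached
}

func newStreamServer(maxHandlers int) *streamServer {
	s := &streamServer{maxHandlers: maxHandlers}
	if maxHandlers > 0 {
		s.sem = make(chan struct{}, maxHandlers)
	}
	return s
}

// handle runs one stream's handler. ctx is the stream context, which the
// client's RST_STREAM has already cancelled; like most real handlers this one
// is busy with work (blocked on release) and does not look at ctx, so the
// reset frees nothing on the server until the handler returns.
func (s *streamServer) handle(ctx context.Context, started chan<- struct{}, release <-chan struct{}) {
	if s.sem != nil {
		s.sem <- struct{}{}        // wait for a handler slot
		defer func() { <-s.sem }() // give it back only when the handler is done
	}
	n := s.inFlight.Add(1)
	defer s.inFlight.Add(-1)
	for { // record the high-water mark
		p := s.peak.Load()
		if n <= p || s.peak.CompareAndSwap(p, n) {
			break
		}
	}
	started <- struct{}{}
	<-release
	_ = ctx.Err() // only now would the handler notice the reset
}

// rapidReset plays the client side of the attack against s: open n streams
// and reset each one immediately. It returns the peak number of handler
// goroutines that were running at the same time.
func rapidReset(s *streamServer, n int) int64 {
	started := make(chan struct{}, n)
	release := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		ctx, cancel := context.WithCancel(context.Background())
		wg.Add(1)
		go func() {
			defer wg.Done()
			s.handle(ctx, started, release)
		}()
		cancel() // RST_STREAM: the client has already moved on to the next stream
	}
	// Wait until as many handlers as the server will admit are running at
	// once, then let every handler finish.
	expect := n
	if s.maxHandlers > 0 && s.maxHandlers < n {
		expect = s.maxHandlers
	}
	for i := 0; i < expect; i++ {
		<-started
	}
	close(release)
	wg.Wait()
	return s.peak.Load()
}

func main() {
	fmt.Println("unbounded peak handlers:", rapidReset(newStreamServer(0), 500))
	fmt.Println("bounded peak handlers:  ", rapidReset(newStreamServer(100), 500))
}
```

With no bound, 500 reset streams leave 500 handlers running at once; with a bound of 100, the same client behaviour never gets more than 100 handlers in flight, because the slot is held until the handler returns rather than being freed by the reset.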
* Explain template variables wherever they appear
Closes #13377
Wherever a page in the docs mentions the `internal` or `external`
template variables as they apply to Teleport roles, link to the Teleport
Access Controls Reference
(docs/pages/access-controls/reference.mdx#roles).
A separate change (#32696) will expand the Access Controls Reference to
include more information on the `external` and `internal` template
variables.
* Respond to zmb3 feedback
Refer to `internal` and `external` as traits instead of template
variables.
* Apply suggestions from code review
Co-authored-by: Gus Luxton <gus@goteleport.com>
* Linter fixes
---------
Co-authored-by: Gus Luxton <gus@goteleport.com>
The context here is meant to be the process's close context, but
the deferred closure was capturing future changes to the variable.
As a result, we would often see failures in the logs:
DEBU Failed to close stream. error:[context canceled]
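The capture bug described in the commit message above, as an added example that is not Teleport's code: `closeStream` is a hypothetical stand-in for the stream close call, and `serveBuggy` and `serveFixed` are assumed shapes of a request handler that first records the process close context and later reassigns the same `ctx` variable to a per-request context. A deferred closure that mentions `ctx` reads the variable when the function returns, not its value when `defer` ran, so the cleanup sees the cancelled per-request context.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// closeStream is a hypothetical stand-in for the stream close call: it fails
// when the context it is handed is already done, which is what produced the
// "context canceled" debug lines in the logs.
func closeStream(ctx context.Context) error {
	if err := ctx.Err(); err != nil {
		return fmt.Errorf("failed to close stream: %w", err)
	}
	return nil
}

// serveBuggy reproduces the bug. The deferred closure refers to the variable
// ctx, not to the value ctx held when defer ran, so the later reassignment to
// a per-request context that gets cancelled is what the cleanup sees.
func serveBuggy(closeCtx context.Context) (err error) {
	ctx := closeCtx
	defer func() { err = closeStream(ctx) }()

	var cancel context.CancelFunc
	ctx, cancel = context.WithCancel(ctx) // same variable, new value
	defer cancel()
	// ... handle the request ...
	cancel() // request done; only the per-request context should end here
	return nil
}

// serveFixed binds the close context as an argument at the moment defer runs,
// so later assignments to the outer ctx cannot leak into the cleanup.
func serveFixed(closeCtx context.Context) (err error) {
	ctx := closeCtx
	defer func(ctx context.Context) { err = closeStream(ctx) }(ctx)

	var cancel context.CancelFunc
	ctx, cancel = context.WithCancel(ctx)
	defer cancel()
	// ... handle the request ...
	cancel()
	return nil
}

func main() {
	bug := serveBuggy(context.Background())
	fmt.Println("buggy close error:", bug, "| is context.Canceled:", errors.Is(bug, context.Canceled))
	fmt.Println("fixed close error:", serveFixed(context.Background()))
}
```

`go vet` does not flag this pattern, because referencing an enclosing variable from a closure is legal; the defence is to pass the value as an argument (as `serveFixed` does) or to give the per-request context a distinct name so the close context is never reassigned.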
* Extract `useUnifiedResourcesFetch` hook
* Set correct deps
* Reset the entire `UnifiedResources` component in Web UI when the `clusterId` changes
* Avoid passing unified request params to `useKeyBasedPagination`
* Rename `EmptySearchResults` to `NoResources`
The component is rendered when there are no resources,
not when the search returns nothing.
* Introduce `UnifiedResourcesQueryParams` type, which contains the only properties that the user can modify in the unified resource view
* Remove `data-testid`
* Improve comments and move the hook
* Use `clear` function explicitly to reset `useUnifiedResourcesFetch` state
* Document what triggers the initial fetch request in `useInfiniteScroll`
* Rename `Wrapper` to `ClusterResources`
* Use a custom `AbortError` class that both Web UI and Connect can throw
* Revert "Use a custom `AbortError` class that both Web UI and Connect can throw"
This reverts commit f548c6989f.
* Handle gRPC abort errors in `isAbortError`
Auth connectors, users, and roles have all recently had their APIs
extended to support create and update but were still only emitting
create events. This adds new update events and update metadata
and emits them instead of the create events.
A recent change on Azure Side forces the server id to include the
`.default` suffix.
Fixes #33920
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* add template vars/functions reference
* Update docs/pages/access-controls/reference.mdx
* replace details blocks with headers
With unopened details blocks the headers cannot be directly linked to, negating their usefulness as H4s
* partial updates
* Clarify predicate language contexts
Teleport roles make use of different but similar predicate languages.
Clarify these languages by giving each one a section within the Access
Controls reference.
This also clarifies other aspects of predicates in Teleport roles:
- Explain the dot vs. bracket syntax in `external` variables
- Add a note re: OIDC claim data types
To make room for the new organization, this also changes other aspects
of the page's structure:
- Some paragraphs in the introductory section were more appropriate in
the section re: managing access to Teleport RBAC resources.
- Make the intro and title more readable.
- Move an out-of-place H3 regarding SAML to the `external` trait
section.
* Respond to lsgunn-teleport feedback
- Readability improvements.
* Respond to zmb3 feedback
- Replace "predicate" uses with more suitable terms.
- Clarify wording.
- Move the section that explains `app_labels` below the one that
explains `app_labels_expression`.
* Respond to nklaassen feedback
Restore the original label expressions H3
* Linter fixes
---------
Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
* Use the correct error when inspecting Kubernetes session
This PR fixes the audit log report for Kubernetes sessions that returned
errors. The previous function was using the incorrect error variable.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* append error to the session recorder
* correct session leave code
* avoid misleading debug error when owner joins the session
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
As per https://github.com/actions/create-github-app-token#inputs,
we should be using `app-id` and `private-key`.
This has been showing up in warnings in our runs for some time now:
Warning: Input 'app_id' has been deprecated with message
'app_id' is deprecated and will be removed in a future version.
Use 'app-id' instead.
Warning: Input 'private_key' has been deprecated with message:
'private_key' is deprecated and will be removed in a future version.
Use 'private-key' instead.
* Replace mermaid diagram, add guided instructions, remove includes with the get context command
* Change strings to pass linter
* Update diagram text, collapse sign in steps, add Kubernetes where missing.
* Remove manual enrollment, add new next steps, modify wording around running commands
* Rename Getting Started to Enroll a Kubernetes Cluster
* Change link to registering clusters topic
- Fix clashing reference page titles ("Teleport CLI Reference" and
"teleport CLI reference").
- Add missing redirects: The Teleport blog encountered 404s navigating
to three pages. This change adds redirects for these pages in case
other sites link to them as well.
Listing users is different from most existing list operations
because multiple resource types are stored under the users prefix.
Care was taken to ensure that these extra resources (passwords,
MFA devices, etc.) do not cause listing to omit any users.
* Update Oracle DB docs and messaging
Update the docs and `tctl auth sign` instructions to call out the need to have the file permissions set to the oracle user
* Update oracle-self-hosted.mdx
* Update oracle-self-hosted.mdx
* Update docs/pages/database-access/guides/oracle-self-hosted.mdx
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Update tool/tctl/common/auth_command.go
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Update auth_command.go
---------
Co-authored-by: Marek Smoliński <marek@goteleport.com>
* Wait for restoring persisted state in initUi
* DocumentsReopen: Show number of open tabs and cluster name
* Move the comment for pluralize
* Log errors in AppInitializer
* Create useLogger hook
* Rename functions which initialize the app
* Don't wait for startup modals before showing UI
#32653 refactored github connector marshaling so that enterprise
could call the oss marshaler instead of maintaining a copy of it
in two repos. However, the check on the EndpointURL was not omitted
in ent builds.