* Access list backend service and marshal/unmarshal.
The access list backend service and marshaling/unmarshaling functions have
been implemented. This will allow for CRUD operations for access lists.
* Test audit marshal/unmarshal.
* Fix configuration typo.
* GCI.
* Add in access list marshaling test.
* Remove unused header parse.
This PR moves the creation of the `lock` file right before the login
call is attempted instead of creating it for any call.
This fixes a problem where we create the lock file even if no login is
required which limits the number of parallel kubectl invocations.
* DeployService: auto upsert IAM Join Token
When using the DeployService, the deployed services (database service
only for now) will join the Teleport Cluster using the IAM Join Method.
In order to do so, we require an IAM Token that allows the AWS Account
ID and ARN of the assumed-role.
Instead of asking the user to create it, we do it for them.
This PR creates or updates the IAM Join Token.
* AccountID is optional when calling DeployService
* dry code when upserting the token
Closes #16612
The guide names the Machine ID getting started guide as a prerequisite,
and the getting started guide shows how to authorize Machine ID to log
in as `root`.
This change edits the playbook example in the Ansible guide to use
`root`, and uses a `Var` component in case the user configured Machine
ID to have another login instead.
Closes #10678
- Clarify the URL to use for the Entity ID and Reply URL, using the
`Var` component to streamline instructions for self-hosted and Cloud
users.
- Clarify the optional nature of SAML token encryption
* Extend Teleport RBAC to support Kubernetes Verbs
This PR extends Teleport per-Resource RBAC to support Kubernetes verbs
restriction. With this change it's possible to restrict certain actions
allowed by the underlying `kubernetes_users` and `kubernetes_resources`.
Supported verbs:
- `get`
- `create`
- `update`
- `patch`
- `delete`
- `list`
- `watch`
- `deletecollection`
Fixes #27095
* address timr's comments
* assign wildcard to verbs for role <7
* address marco's reviews
Fixes #28449
Change the `docs/pages/includes/s3-iam-policy.mdx` partial to define a
more restrictive list of S3 permissions.
Currently, the partial includes the `s3:*Object` action. This change
expands the wildcard for only the permissions that the Auth Service
needs.
All the possible `s3:*Object` permissions are:
`DeleteObject`
`GetObject`
`PutObject`
`ReplicateObject`
`RestoreObject`
The Auth Service needs `GetObject` for `*Handler.Download` and
`PutObject` for `*Handler.Upload` (lib/events/s3sessions/s3handler.go),
but only uses `DeleteObject` for tests in `*Handler.deleteBucket`. It
doesn't seem to need `ReplicateObject` or `RestoreObject`.
* update to not be SSH-specific
* hard breaks ~80 chars
* undo changes from d80ab5b...
I had adjusted this section to fit as a prereq bullet point. It makes more sense for this to be a unique section at the bottom of SSO pages, so that the reader only changes the default auth method _after_ completing the setup.
* update onelogin SSO guide
* Respond to @ptgott's feedback
* Introduce Access List internal object.
The Access List internal object has been introduced. This object will be used
for backend storage and JSON/YAML unmarshaling.
This PR introduces a few concepts:
* Access List is intended to be created with a builder.
* Access List is a regular struct instead of an interface.
* There are common objects, which are largely copies of their current protobuf
counterparts, that also have builders.
* These common builders can be integrated with regular resource builders, like
the access list builder.
* Linting fixes.
* More linting.
* Remove builder.
* Modify to match most recent proto updates.
* Move IsValidLabelKey back to common.
* Tuning of function named returns, add in tests for IsValidLabelKey, expand IsValidLabelKey comment.
* SetKind/SetVersion at the end of CheckAndSetDefaults.
* Remove pointers from AccessList/Header objects.
* Move SetKind/SetVersion back to beginning of CheckAndSetDefaults.
Teleport assumes that the `google` claim is present in the identity token that the Teleport service shares with Auth server. This is valid for VMs but it's not valid for GKE clusters using Workload identity and other GCP services. Teleport requests the identity token with `format=full` to receive this enhanced token.
Example of an identity token with a `google` claim:
```json
{
  "iss": "[TOKEN_ISSUER]",
  "iat": [ISSUED_TIME],
  "exp": [EXPIRED_TIME],
  "aud": "[AUDIENCE]",
  "sub": "[SUBJECT]",
  "azp": "[AUTHORIZED_PARTY]",
  "google": {
    "compute_engine": {
      "project_id": "[PROJECT_ID]",
      "project_number": [PROJECT_NUMBER],
      "zone": "[ZONE]",
      "instance_id": "[INSTANCE_ID]",
      "instance_name": "[INSTANCE_NAME]",
      "instance_creation_timestamp": [CREATION_TIMESTAMP],
      "instance_confidentiality": [INSTANCE_CONFIDENTIALITY]
    }
  }
}
```
The problem arises when one tries to use GCP joining for a Teleport service running on a GKE pod. When inside a pod with a binding between the Kubernetes Service account and the Google IAM Service Account, Google's metadata service token does not include the `google` claim, so it fails to join the cluster because of the unknown `project_id`.
To bypass this limitation, this PR extracts the `project_id` from the Google Service Account Email claim
`<service_account_name>@<project_id>.iam.gserviceaccount.com`. We use regex to extract the `project_id` and ensure the email follows the specified format above. Tests were introduced to validate the email.
Fixes #28636
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
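The fallback described in the commit above, written out as an added Go example (this is illustration code, not Teleport's implementation): prefer `google.compute_engine.project_id` when the claim is present, otherwise derive the project ID from the service account email with an anchored regex. The `Claims` types, the function names, and the regex character classes and length bounds (taken from GCP's published naming rules for service account IDs and project IDs) are assumptions of this example; the sample token payloads are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// saEmailRe matches <service_account_name>@<project_id>.iam.gserviceaccount.com.
// The character classes and length bounds follow GCP's naming rules (6-30
// lowercase letters, digits and hyphens, starting with a letter; project IDs
// cannot end in a hyphen). They are an assumption of this example, not
// Teleport's pattern. The anchors stop a look-alike suffix such as
// "...gserviceaccount.com.example" from matching.
var saEmailRe = regexp.MustCompile(
	`^([a-z][a-z0-9-]{5,29})@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$`)

var ErrInvalidServiceAccountEmail = errors.New("invalid GCP service account email")

// ProjectIDFromServiceAccountEmail returns the project_id embedded in a Google
// service account email, or an error if the email does not match the format.
func ProjectIDFromServiceAccountEmail(email string) (string, error) {
	m := saEmailRe.FindStringSubmatch(email)
	if m == nil {
		return "", fmt.Errorf("%w: %q", ErrInvalidServiceAccountEmail, email)
	}
	return m[2], nil
}

// ComputeEngineClaim, GoogleClaim and Claims are hypothetical types modelling
// the subset of the format=full identity token used here; the JSON field names
// mirror the token shown in the commit message above.
type ComputeEngineClaim struct {
	ProjectID string `json:"project_id"`
}

type GoogleClaim struct {
	ComputeEngine *ComputeEngineClaim `json:"compute_engine,omitempty"`
}

type Claims struct {
	Email  string       `json:"email"`
	Google *GoogleClaim `json:"google,omitempty"`
}

// ParseClaims decodes the payload of a token whose signature has already been
// verified; signature verification itself is out of scope for this example.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, fmt.Errorf("decoding identity token claims: %w", err)
	}
	return c, nil
}

// ProjectIDFromClaims prefers the google.compute_engine.project_id claim (VMs)
// and falls back to the service account email (GKE Workload Identity).
func ProjectIDFromClaims(c Claims) (string, error) {
	if c.Google != nil && c.Google.ComputeEngine != nil && c.Google.ComputeEngine.ProjectID != "" {
		return c.Google.ComputeEngine.ProjectID, nil
	}
	if c.Email == "" {
		return "", errors.New("identity token has neither a google claim nor an email claim")
	}
	return ProjectIDFromServiceAccountEmail(c.Email)
}

func main() {
	// Constructed payloads: a VM-style token carrying the google claim, a
	// GKE-style token carrying only the email, and a malformed email.
	for _, payload := range []string{
		`{"email":"teleport-node@my-project-123.iam.gserviceaccount.com","google":{"compute_engine":{"project_id":"vm-project"}}}`,
		`{"email":"teleport-node@my-project-123.iam.gserviceaccount.com"}`,
		`{"email":"teleport-node@my-project-123.iam.gserviceaccount.com.example"}`,
	} {
		c, err := ParseClaims([]byte(payload))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		id, err := ProjectIDFromClaims(c)
		fmt.Printf("project_id=%q err=%v\n", id, err)
	}
}
```

The strict anchoring matters because the derived project ID feeds a join decision: an unanchored pattern would accept an email whose domain merely contains `iam.gserviceaccount.com`, so the check should reject anything that is not exactly the expected shape rather than extract a best-effort substring.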
#28499 missed adding the augmented device certificates retrieved from
DeviceLogin to the local agent which causes TestNodeAccess to fail.
This was not caught in #28499 because TestNodeAccess is in `e` and
tests from `e` are not run on `oss` PRs.
* Test concurrent compare and swaps
The backend test suite was not validating that simultaneous CAS
operations result in only one attempt succeeding. The test now
runs multiple concurrent CAS operations and ensures that only a
single operation succeeds. This shortcoming with the test allowed
the Firestore backend to pass the compliance test while not performing
CAS in an atomic manner.
* Firestore backend improvements
1) CAS now utilizes a transaction to ensure the operation is atomic
The original implementation did not use transactions, which violated
the atomic guarantees of the CAS operation. The backend compliance
test was able to catch this when it was updated to run concurrent
CAS operations.
2) Update is limited to updating a value
The original implementation of Update was actually doing a get and
then upsert. However, there are no guarantees that prevent a delete
from occurring between get and upsert, which means Update would
upsert the value instead of failing. Instead of get and then upsert
we now update the document using the (firestore.DocumentRef) Update
method.
3) Watching items from the collection filters out any audit events
If Teleport is configured to use the same collection for backend state
and audit events the collection watcher ends up consuming all audit
events as empty backend items. To avoid this, the watcher now filters
out any collections which have an empty key. Since it is not possible
for backend resources to be written without a key, this will only
exclude audit events, which have a different schema.
4) SearchEvents now filters out backend resources
Similar to above, the Firestore events implementation now excludes
any documents which have an empty session id to prevent backend
resources from getting included in queries for audit events if the
collection is being shared.
* speed up backend test suite
* conditionally delete expired items on get
* fix: cleanup tests
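The concurrent CAS check described in the commit above, as an added Go example (illustration code, not Teleport's backend or its test suite): a minimal in-memory backend whose `CompareAndSwap` holds one lock across the compare and the write, a deliberately non-atomic variant that composes CAS from a locked `Get` and a locked `Put`, and a helper that releases N goroutines against the same key at once and counts successful swaps. The `Backend` interface, type names and key are assumptions of this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
)

var ErrCompareFailed = errors.New("compare failed: value changed")

// Backend is the subset of a key/value backend used by this example.
type Backend interface {
	Get(key string) ([]byte, bool)
	Put(key string, val []byte)
	CompareAndSwap(key string, expected, replaceWith []byte) error
}

// memBackend performs the whole CAS under one lock, so the compare and the
// write are a single atomic step.
type memBackend struct {
	mu    sync.Mutex
	items map[string][]byte
}

func newMemBackend() *memBackend { return &memBackend{items: map[string][]byte{}} }

func (m *memBackend) Get(key string) ([]byte, bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	v, ok := m.items[key]
	return v, ok
}

func (m *memBackend) Put(key string, val []byte) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.items[key] = val
}

func (m *memBackend) CompareAndSwap(key string, expected, replaceWith []byte) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	cur, ok := m.items[key]
	if !ok || !bytes.Equal(cur, expected) {
		return ErrCompareFailed
	}
	m.items[key] = replaceWith
	return nil
}

// racyBackend reuses the locked Get and Put but does not hold the lock across
// both: each step is safe on its own, yet two callers can both observe the
// expected value and both write. This is the shape of bug the commit describes.
type racyBackend struct{ *memBackend }

func (r racyBackend) CompareAndSwap(key string, expected, replaceWith []byte) error {
	cur, ok := r.Get(key)
	if !ok || !bytes.Equal(cur, expected) {
		return ErrCompareFailed
	}
	r.Put(key, replaceWith)
	return nil
}

// RunConcurrentCAS seeds key with the expected value, releases n goroutines at
// once that each try to swap it for a distinct new value, and returns how many
// swaps succeeded. A correct backend returns exactly 1.
func RunConcurrentCAS(b Backend, key string, n int) int {
	expected := []byte("v0")
	b.Put(key, expected)

	start := make(chan struct{}) // barrier so all goroutines race for real
	var wg sync.WaitGroup
	var mu sync.Mutex
	successes := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			<-start
			if err := b.CompareAndSwap(key, expected, []byte(fmt.Sprintf("v%d", i+1))); err == nil {
				mu.Lock()
				successes++
				mu.Unlock()
			}
		}(i)
	}
	close(start)
	wg.Wait()
	return successes
}

func main() {
	fmt.Println("atomic CAS successes:", RunConcurrentCAS(newMemBackend(), "/lock", 64))
	fmt.Println("get-then-put CAS successes:", RunConcurrentCAS(racyBackend{newMemBackend()}, "/lock", 64))
}
```

A compliance test that only issues one CAS at a time cannot distinguish the two backends, since a lone caller always sees the value it expects. Running the swaps concurrently, with a barrier so they start together and several rounds so a lucky schedule does not mask the bug, is what turns the atomicity guarantee into something the suite actually checks.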
* Edit forScopes configurations and edit guides
Closes #26500
This change requires merging gravitational/docs#326 to add a Team scope
to the docs.
This updates pages within the docs so that:
- Each page's `forScopes` configuration is accurate, especially with
regard to support for Teleport Team.
- All scoped components match the `forScopes` configuration for each
page. For this, I used the linter introduced by
gravitational/docs#327.
* Respond to alexfornuto feedback
* Update assist docs
* Update AI Assist documentation for multiple hosts
The AI Assist documentation was updated to clarify the configuration process for both Proxy and Auth Service hosts.
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* tsh: Implement puttyconfig command to add saved PuTTY sessions to Windows registry
* Addressed comments from code review
* Add support for leaf clusters
* Refactoring from code review
Also moved registry/hostname functions into external packages
* Address more feedback from code review
* Rebase following tsh/common changes
* Fix up putty_config_windows
* Reorder command
* Remove surplus comment
* Use a separate list instead of overloading the 'extra' key
* Address Tim's code review comments
* Address some of Zac's comments
* Refactor formatLocalCommandString to use text/template
* Refactor non-Windows logic into puttyhosts
* Fix subcommand name
* Fix test structure
* Add some more hostnames test cases
* Apply suggestions from code review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Fix up
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Clear the refresh websocket timeout when closing Assist
* Missing semicolon to please prettier
* Add comment to remove once the new session implementation is done