* RFD 0138 - Postgres backend storage
* DeleteRange is fine in a single tx
* required engineering approvers
* delete_batch_size is no longer a tunable
* Address comments
* Use a BRIN index for event creation time
Co-Authored-By: Anton Miniailo <anton@goteleport.com>
* Update approvers
* Switch event_data to bytea
* Go back to json for event_data
* Move non-postgres audit params to the fragment
This matches what we do for azsessions
---------
Co-authored-by: Anton Miniailo <anton@goteleport.com>
* Remove access list gRPC service from OSS, introduce owner/member checks.
The access list gRPC service has been removed from the OSS version of
Teleport. Additionally, methods for checking owner/member access to
access lists have been added, which will be used for determining finer
grained access to access lists by members and owners of access lists.
Additionally, access lists have been added to the editor preset. A small
modification has been added to the authz.AuthorizeWithVerbs to allow
follow on checks in the event of an access denied.
* GCI.
* Revert permissions.go change.
* Prevent creating Kube resources forbidden by `kubernetes_resources`
This PR prevents users from creating resources that their user is
forbidden to access.
This requires parsing the request body to extract the resource name.
Fixes #29245
* Update lib/kube/proxy/forwarder.go
Co-authored-by: Michael Wilson <mike@mdwn.dev>
---------
Co-authored-by: Michael Wilson <mike@mdwn.dev>
* Update Teleport API
* go mod tidy
---------
Co-authored-by: public-renovate-gha[bot] <135069952+public-renovate-gha[bot]@users.noreply.github.com>
Co-authored-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: Nic Klaassen <nic@goteleport.com>
* update discovery labels and name overrides
* move all labels into api/types/constants.go
* add name override labels for GKE and AKS that are allowed tag names in
GCP and Azure
* fix kubernetes typos
* support legacy and cloud-agnostic name override labels for AWS
* fix tests
* add tests for creating kube clusters from cloud kube clusters
* fix linter
* replaces unsafe.Pointer(&slice[0]) with unsafe.SliceData(slice)
* Adds utils.UnsafeSliceData
which converts the unsafe.SliceData edge case which returns a sketchy
"a non-nil pointer to an unspecified memory address" to an error.
* Add the AccessList to the cache.
The AccessList has been added into the cache. The AccessList resource
and its supporting resources had to be moved back into api for this so that
it can be properly referenced in api/client/events.go, which is necessary
for cache propagation.
* Address remaining lib/types references.
* Add in additional test to events_test.go.
* GCI.
* Add back in client wrapper so that the cache will work properly.
* Traits ToProto order is deterministic.
* Add in compile time access list client check.
* Add on demand mode to the dynamodb backend
* Resolve comments, CheckAndSetDefaults
* Set on_demand to true by default and add a test
* Set read/write capacity units to zero and disable autoscaling if on_demand is true
* Resolve comments
* Replace on_demand with a billing_mode enum
* Ignore on demand mode if the table is being created or already exists
* rename to use pay_per_request instead of on_demand
* fix missing table case, resolve comments
* Support non-gogo objects for auth service events.
Auth service events will now support non-gogo objects. This was done by
generating the events and associated objects with regular go protobuf
instead of gogo and then correcting the code for the differences in
code generation.
* Correct lock copying in event protobuf.
* Temporarily ignore event.proto in buf breaking.
* Attempt to keep buf breaking from breaking.
* Remove comment.
* Rename gproto to googleproto.
* Rename api/client/proto import to authpb and googleproto to proto.
* Correct comment, add in test exercising proto.Equal.
* GCI.
* Events test actually does work.
* Connect Kube gateway part 2: command provider
* gateway.Database and gateway.Kube interface
* remove cmd.ProviderManager and fix integration test
* revert cluster.RootClusterName change for now as profile may not have key
This PR corrects the behavior of handling namespaces for Kubernetes
per-Resource RBAC.
The new behavior allows accessing the resources within the namespace
`someNamespace` if a rule `kind: namespace, name: someNamespace` is
defined for `kubernetes_resources`.
It also allows users to see namespaces (list, get or watch requests) if
they have other resources defined for the namespace without requiring
explicit rules for `kind: namespace, name: someNamespace`.
As an example:
```yaml
allow:
  kubernetes_resources:
    - kind: namespace
      name: someNamespace
    - kind: pod
      namespace: otherNamespace
      name: "*"
```
Reads as: the user has access to everything in namespace someNamespace
AND to pods in otherNamespace.
```
$ kubectl get ns
someNamespace
otherNamespace
```
Pods:
```
$ kubectl get pods -n someNamespace
pod1
pod2
$ kubectl get pods -n otherNamespace
pod3
pod4
```
Other resources:
```
$ kubectl get secret -n someNamespace
secret1
secret2
$ kubectl get secret -n otherNamespace
REQUEST IS DENIED
```
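The namespace handling described above, as an added example rather than Teleport's own code: a small Go model of the matching rules. `Rule`, `Allowed` and `VisibleNamespaces` are hypothetical names, and wildcard matching is simplified to `*` or an exact match.

```go
package main

import "fmt"

// Rule is one allow.kubernetes_resources entry (hypothetical type, not Teleport's).
type Rule struct {
	Kind      string // "namespace", "pod", "secret", ...
	Namespace string // empty for kind: namespace
	Name      string // "*" matches any name (assumed semantics)
}

// matches treats "*" as a wildcard and anything else as an exact match.
func matches(pattern, value string) bool {
	return pattern == "*" || pattern == value
}

// Allowed reports whether a namespaced resource may be accessed: a kind: namespace
// rule covers the whole namespace, or a rule for that kind matches namespace and name.
func Allowed(rules []Rule, kind, namespace, name string) bool {
	for _, r := range rules {
		if r.Kind == "namespace" && matches(r.Name, namespace) {
			return true
		}
		if matches(r.Kind, kind) && matches(r.Namespace, namespace) && matches(r.Name, name) {
			return true
		}
	}
	return false
}

// VisibleNamespaces keeps the namespaces a user may list, get or watch: those
// granted by a namespace rule plus any namespace another rule refers to.
func VisibleNamespaces(rules []Rule, all []string) []string {
	var out []string
	for _, ns := range all {
		for _, r := range rules {
			if (r.Kind == "namespace" && matches(r.Name, ns)) ||
				(r.Kind != "namespace" && matches(r.Namespace, ns)) {
				out = append(out, ns)
				break
			}
		}
	}
	return out
}

func main() { // constructed sample mirroring the role above
	rules := []Rule{{Kind: "namespace", Name: "someNamespace"}, {Kind: "pod", Namespace: "otherNamespace", Name: "*"}}
	fmt.Println(VisibleNamespaces(rules, []string{"someNamespace", "otherNamespace", "kube-system"}))
	fmt.Println(Allowed(rules, "secret", "someNamespace", "secret1"), Allowed(rules, "secret", "otherNamespace", "secret1"))
}
```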
* Get started on V14 tbot changes
* Update applications.mdx for new config format
* Rearrange databases guide
* Flesh out guidance on migration
* Fill out more of configuration.mdx page
* Add more verbose config explanations
* Add more output documentation
* Use common include file
* Tweak descriptions for destination types
* Rewrite docs for directory dest
* Update language used in Architecture guide
* Add principals to ssh_host docs
* Fix misspelt ssh_host output type
* Update other guides with config v2
* Add version warning to guides re: v2 config
* Add guidance on migration failure
* Remove reference to Application Access/Database Access
* Use database server rather than database service
* Reword for clarity and conciseness
Co-authored-by: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Rename common-output-config.mdx
* Reflow and change title in upgrade guide
* Remove scoped configs
* Apply suggestions from code review
Co-authored-by: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Co-authored-by: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Apply suggestions from code review
Co-authored-by: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Use code block for example command
* Don't use list for definitions
* Use full name of ACL
* Add brief description of outputs field
* Fix up host certificate guide
* Reflow FAQ
* Specify fields that need replacing in jenkins guide
* Clarify "join token" in database joining docs
---------
Co-authored-by: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* [Docs] Adds section on installing AMIs.
* Teach CSpell about STIG
* Update docs/pages/installation.mdx
Co-authored-by: Steven Martin <steven@goteleport.com>
* Adds links to AMI examples
* reqord
* linter
---------
Co-authored-by: Steven Martin <steven@goteleport.com>
The devbox install action will be used instead of our custom devbox install.
This will ensure caching is used, speeding up this process.
Additionally, the following have been updated:
- buf -> 1.23.1.
- go -> 1.20.5
- clang -> 14.0.6
Finally, packages have been migrated to regular devbox syntax where possible.
* update tsh db resource selection
* add --labels and --query to tsh db subcommands
* tsh db [login | logout | env | config | connect]
* tsh proxy db
* add hasPrefix to predicate lang
* add teleport.dev/discovered-name
* print "discovered name" of databases discovered by discovery service,
which is the name of the database resource in the cloud, when using
tsh db ls without --verbose flag. This avoids printing verbose
uniquely identifying names when discovery service is updated to append
a uniquely identifying suffix to discovered databases in AWS/Azure/GCP.
* tsh db ls --verbose ignores the label
* fix db connect string in tsh db ls
* select database by prefix, labels, and/or query predicate.
* chooses active database by exact match if the "prefix" matches exactly
and no labels/predicate is given.
* logout of a subset of databases with tsh db logout.
* print an "ambiguous match" error if prefix/labels/query matches
multiple databases where one is required.
* move all --labels cli flags to cf.Labels from cf.UserHost
* update tsh db tests
* speedup slow tsh db tests
* postgres/mysql profile respect home dir
* rename test cases for consistency
* test database listing uses discovered-name
* test login/env/config/logout with prefix/label/predicate selectors
* test active db filtering logic
* fix tests broken by merge
* Fix lint warning, make these unordered lists
* Change numbered steps, make a couple of edits
* Update the versions mentioned in the upgrade sequence
* Changed to bullets because these aren't discrete steps in the traditional sense
* Remove extra lines
* Fix lint issue
This change adds a service to the auth server that periodically iterates through
stored ServerInfos and updates the labels of associated SSH servers over their
inventory control stream.
The embedding period in the service code was previously set to 1 hour. This change reduces it to 20 minutes, in order to allow the embedding routines to run more frequently for better UX - people won't need to wait an hour to use Assist after a node is added.
* Use the examples directory for example plugin code
Also edit the Access Request plugin API guide to use this directory,
rather than having the reader copy/paste individual code snippets. This
makes the guide easier to follow, and users will have a compilable
example before they proceed through the guide.
* Run make fix-license
* Run make fix-imports
* Fix spelling
* Run go mod tidy
* Extract Access Request plugin example to partials
This way, we can reuse the actual program in the Access Request plugin
API guide and avoid unintended discrepancies and drift.
* Use types.Events.NewWatcher instead of watcherjob
Need to test this out, but it compiles
* Remove outdated information
- Types that are no longer reachable via public interfaces
- The description of the demo implementation that used the old
`watcherjob` package
* Update text to reflect new `run` logic
* Make the example program more modular
Respond to Joerger feedback
* Respond to alexfornuto feedback
* Apply suggestions from code review
Co-authored-by: Brian Joerger <bjoerger@goteleport.com>
* Respond to zmb3 feedback
- Split up "types.go". Reserve a single file for configuration values so
these are visible in a single place within the guide.
- Return an error on an unsuccessful HTTP request when creating or
updating a row
- Simplify requestStates lookup
- Clearly mark values that a user must change
- Update the text of the guide to match changes to the program
* Spell fixes
* Respond to zmb3 feedback
---------
Co-authored-by: Brian Joerger <bjoerger@goteleport.com>
* Move `compareSemVers` function to `shared`
* Set correct `sessionData` path when the app is initialized
* Add `sessionDataDir`, `tempDataDir` and `agentBinaryPath` to `RuntimeSettings`
* Add `downloadAgent`
* Add a download step to CMC setup
* Escape spaces in the agent path only when used in a command
* Run prettier
* Change `sessionData` path for Windows too
* Improve comments
* Rename `AGENT_VERSION` to `CONNECT_CMC_AGENT_VERSION`
* Inspect HTTP status of the download response before using it
* Move `tar-fs` and `@types/tar-fs` to regular deps
* Switch to `execFile`
* Rename `isAgentAlreadyDownloaded` and `BinaryParams`
* Grammar fix
* Remove state from `FileDownloader`
* Remove custom check for the save path
* Deprecate old `compareSemVers` export instead of removing it
* Use vX.Y.Z format
* Improve comment
* Log fetch error and throw an error with status code
* Do not modify process.env in tests
* Add `ConnectMyComputerService`
* Fix comment and log message
* Run setup only when all statuses are ''
* Revert unintentionally removed comment
* Remove logger line
* Share the same promise across multiple callers
* Remove temp file
* Prettier
* Put CMC temp file in a directory
* Simplify `sharePromise` signature
* Rename `binaryName` to `tarballName`
* Use a correct path for cache on Linux