Andrej Tokarčík
f078e54ab9
RFD 16: Reserve the origin label for system use ( #6157 )
2021-04-12 10:57:37 -07:00
Andrew Lytvynov
6db37df515
drone: allow ARM builds in reprepro config ( #6392 )
2021-04-12 09:47:41 -07:00
Joel Wejdenstål
47fa2f98fe
Set status of RFD 18 to implemented. ( #6358 )
...
Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>
2021-04-11 08:44:00 -07:00
Alexey Ivanov
80350d70ba
Add new syntax description to the docs ( #6384 )
...
Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>
2021-04-09 20:38:48 -07:00
Alexey Ivanov
ee4038812a
Rename images to match logical pixels ( #6381 )
...
Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>
2021-04-09 20:26:13 -07:00
Ben Arent
583de2f509
Add OpenSSH Video ( #6371 )
2021-04-09 19:35:19 -07:00
Alexander Klizhentas
cfd23e9417
Documents dual authz with Mattermost ( #6400 )
...
Add Cloud SQL guide
Update preview
2021-04-09 17:45:02 -07:00
Russell Jones
0ea35df10c
Updated CHANGELOG.md. ( #6345 )
...
Co-authored-by: Roman Tkachenko <roman@gravitational.com>
2021-04-09 10:44:01 -07:00
Alexander Klizhentas
8cb3ba36b5
Update some variables and links ( #6367 )
2021-04-08 15:56:53 -07:00
Alexander Klizhentas
c4cef19dc2
Documents impersonation ( #6293 ) ( #6365 )
2021-04-08 15:17:42 -07:00
Taylor Wakefield
2d3c03feef
Added Cloud Billing FAQ ( #6363 )
2021-04-08 11:44:14 -07:00
Andrew Lytvynov
87038e1b08
docs: document per-session MFA feature ( #6285 )
...
* docs: document per-session MFA feature
Also, update general U2F configuration docs to explain server-side
configs better.
* docs: move U2F docs to dedicated guides
2021-04-08 11:24:13 -07:00
Andrew Lytvynov
d23fdcb71e
client: load all SSH certs when connecting to proxy
...
`tc.SiteName` does not necessarily point to the cluster we're connecting
to (or that we have certs for). For example `tsh login leaf` will set
`tc.SiteName` as `"leaf"` even though we're connecting to root proxy to
fetch leaf certs.
2021-04-08 16:48:03 +00:00
Gus Luxton
52a29bb63f
helm: Improve linting and add log level override ( #6330 )
2021-04-08 08:02:29 -07:00
Forrest Marshall
e118629367
improve cert rotation periodics
...
* Eliminates spurious leaf cluster CA writes.
* Adds jitters to various periodic operations.
2021-04-07 15:49:27 -07:00
Brian Joerger
5e3f2359a4
Add DialOpts and CallOpts to API client. ( #6301 )
...
* Add DialOpts to client.Config.
* Add callOpts to client and client.WithCallOptions.
* Refactor use of atomic closedFlag.
2021-04-07 14:23:34 -07:00
Brian Joerger
f7b29dd0d2
Fix tctl profile loading logic by adding WithSSHCerts certOption. ( #6336 )
2021-04-07 11:10:46 -07:00
Joel Wejdenstål
28c7163e13
Always set an AuditLog ( #6326 )
2021-04-07 11:47:02 +02:00
Brian Joerger
c396cb8a5d
Propagate user not found error from authenticator. ( #6304 )
2021-04-06 18:33:38 -07:00
Andrew Lytvynov
1e7a369b26
web: fix AccessRequest loading on user cert reissue ( #6264 )
...
Load access requests from SSH cert instead of the profile. The profile
only exists on CLI clients, but not in the proxy.
Note: theoretically, SSH cert may be missing in some cases for CLI
clients. We should eventually encode access requests in TLS certs too,
which are always present.
2021-04-06 16:20:04 -07:00
Alexey Ivanov
3bf8425876
v7.0 syntax update ( #6314 )
...
* Update syntax
# Conflicts:
# docs/pages/enterprise/sso/ssh-google-workspace.mdx
* Run lint and fix lint errors
* Fix include path
2021-04-06 12:16:28 -07:00
Lisa Kim
2b57a97b32
[auto] Update webassets in master ( #6324 )
...
cb1041a Update e-ref: Remove verb update check for access request reviews (#258 ) https://github.com/gravitational/webapps/commit/cb1041a
[source: -w master] [target: -t master]
2021-04-05 17:51:35 -07:00
Ben Arent
a04b377663
Update Google Workspace and Okta Docs ( #6267 )
...
* Update GSuite and Okta Docs
* s/suite/workspace
* Remove use of admin to use editor
2021-04-05 15:45:08 -07:00
Gus Luxton
300499e253
[auto] Update AMI IDs for 6.0.2 ( #6283 )
2021-04-02 20:32:46 -07:00
xacrimon
3d663ab2e8
add fix
2021-04-02 18:30:44 -07:00
Steven Martin
e5e899da13
Remove unused * from Roles output. This was a leftover from an old message about roles and enterprise version. ( #6258 )
2021-04-02 18:09:16 -07:00
Brian Joerger
8ecbefb122
Close leaky direct client. ( #6297 )
2021-04-02 14:04:54 -07:00
Andrew Lytvynov
6d200faecb
tsh: handle missing cluster name in profile ( #6257 )
...
Cluster name can be missing in profiles created by older tsh versions.
Trying to load the client.Key without a cluster name now causes a
failure when using WithAllCerts (because ssh/db/kube certs are
per-cluster).
Also added some output to `tsh status` when no profiles can be loaded.
2021-04-02 11:00:15 -07:00
Andrej Tokarčík
4fde837c59
Don't use OpaqueAccessDenied with CheckAccessToRule ( #6246 )
...
* Don't use OpaqueAccessDenied with CheckAccessToRule
* Fix tls_test
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
2021-04-01 10:57:14 -07:00
Yurii Matsiuk
7569413f99
Make authToken optional if secret exists ( #6273 )
...
Co-authored-by: Gus Luxton <webvictim@gmail.com>
Signed-off-by: Yurii Matsiuk <ymatsiuk@users.noreply.github.com>
2021-04-01 14:37:01 -03:00
Gus Luxton
4c9ec23822
Revert "darwin fips builds ( #5866 )" ( #6265 )
...
* Revert "darwin fips builds (#5866 )"
This reverts commit 32ac67db06.
* Remove GO_BINARY references
* Re-add dronegen changes for commands/image
* make dronegen
* Update e ref
* Re-add package signing/notarization for full MacOS builds
2021-04-01 10:12:53 -07:00
Andrej Tokarčík
e525c94e1c
Delete obsolete stored keys in LocalKeyAgent.AddKey ( #6251 )
...
* Delete obsolete stored keys in LocalKeyAgent.AddKey
* Don't panic when no stored key found
2021-04-01 09:53:15 -07:00
Pierre Beaucamp
1e18bcb76e
Fix regression bug for DynamoDB scaling policy names ( #6259 )
2021-04-01 07:47:19 -07:00
Alexander Klizhentas
4fbb2ba3a7
Adds encrypted token docs ( #6266 ) ( #6269 )
...
Fixes #5996
Adds section on encrypted SAML tokens. Fixes a couple of typos
and missing schema.
Because schema was missing, the connector did not work.
2021-03-31 18:55:20 -07:00
Gus Luxton
6a43a92b0b
dronegen: add buildboxes ( #6197 )
2021-03-31 13:41:51 -07:00
Gus Luxton
e85e465ebf
GitLab Instructions for SSO ( #6190 ) ( #6262 )
...
* Add GitLab link for SSO instructions
Co-authored-by: Steven Martin <steven@gravitational.com>
2021-03-31 13:25:44 -07:00
Gus Luxton
a956a0c279
Ensure webassets are present when running 'make full' on a fresh clone ( #6231 )
2021-03-31 13:11:04 -07:00
Andrew Lytvynov
7be86582de
Parse all CAs in CertPoolFromCertAuthorities
...
Returning certPool prematurely omits all but the first CA cert.
2021-03-31 17:44:48 +00:00
Brian Joerger
826ed676fa
Refactor ssh.ClientConfig used by tctl and API clients to use the first valid principal as User.
2021-03-30 17:53:29 -07:00
Mike Russell
b72c54b231
Update Architecture Overview With Link To User Roles ( #6224 )
...
- updating architecture overview with link to user roles when referring
to user roles in the context of the --roles flag
2021-03-30 17:35:58 -07:00
Gus Luxton
854da48990
Add lint-api target and fix lint errors ( #6169 )
2021-03-30 17:02:04 -07:00
Andrew Lytvynov
fffe215570
ssh: fix relogin with jumphosts ( #6213 )
...
* ssh: fix relogin with jumphosts
Several fixes to make `tsh ssh -J leaf.proxy.com` work if the root cert
is missing/expired.
* Address review feedback
Correctly parse trusted CAs on GetKey.
Move retry without jumphosts from relogin to UpdateClusterCAs.
* Remove TeleportClient.AuthMethods override on relogin
It doesn't seem to break anything.
2021-03-30 14:50:07 -07:00
Gus Luxton
71ef02f70b
drone: use emptyDir for /var/lib/docker filesystem and prevent repetitive docker pulls ( #6145 )
2021-03-30 14:32:40 -07:00
Gus Luxton
f1d34b3058
Remove ARM64 FIPS builds ( #6236 )
2021-03-30 13:21:14 -07:00
Brian Joerger
ee57e539b5
tsh Profile SSH certs fix ( #6214 )
2021-03-30 12:10:52 -07:00
Andrew Lytvynov
f1f02bda04
mfa: fix gRPC unimplemented check in cert reissue
...
Our gRPC client is wrapped and converts gRPC status codes into trace
errors. It also doesn't preserve the original gRPC error internally.
2021-03-30 18:36:36 +00:00
Alexander Klizhentas
fbae7ad508
Open Sources Access Controls Docs ( #6188 ) ( #6217 )
...
* Open Sources Access Controls Docs (#6188 )
Moves RBAC to a separate access controls section,
adds a couple of guides and prepares
the structure for more content.
* Fix href links
2021-03-30 10:04:23 -07:00
xacrimon
3f9f33408d
add PAM environment with interpolation support
2021-03-30 18:23:38 +02:00
Andrej Tokarčík
52dfeec63e
Cache per-cluster SSH certificates under ~/.tsh ( #5938 )
...
```diff
~/.tsh/
└── keys
├── one.example.com --> Proxy hostname
│ ├── certs.pem --> TLS CA certs for the Teleport CA
│ ├── foo --> RSA Private Key for user "foo"
│ ├── foo.pub --> Public Key
- │ ├── foo-cert.pub --> SSH certificate for proxies and nodes
│ ├── foo-x509.pem --> TLS client certificate for Auth Server
+ │ ├── foo-ssh --> SSH certs for user "foo"
+ │ │ ├── root-cert.pub --> SSH cert for Teleport cluster "root"
+ │ │ └── leaf-cert.pub --> SSH cert for Teleport cluster "leaf"
```
When `-J` is provided, this also loads/reissues the SSH cert for the cluster associated with the jumphost's certificate. Fixes #5637.
2021-03-29 14:14:31 -07:00
Forrest Marshall
7d4c1ea6cf
add special resource type for access plugin data
2021-03-29 13:30:48 -07:00