Commit graph

6138 commits

Author SHA1 Message Date
Andrej Tokarčík f078e54ab9
RFD 16: Reserve the origin label for system use (#6157) 2021-04-12 10:57:37 -07:00
Andrew Lytvynov 6db37df515
drone: allow ARM builds in reprepro config (#6392) 2021-04-12 09:47:41 -07:00
Joel Wejdenstål 47fa2f98fe
Set status of RFD 18 to implemented. (#6358)
Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>
2021-04-11 08:44:00 -07:00
Alexey Ivanov 80350d70ba
Add new syntax description to the docs (#6384)
Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>
2021-04-09 20:38:48 -07:00
Alexey Ivanov ee4038812a
Rename images to match logical pixels (#6381)
Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>
2021-04-09 20:26:13 -07:00
Ben Arent 583de2f509
Add OpenSSH Video (#6371) 2021-04-09 19:35:19 -07:00
Alexander Klizhentas cfd23e9417
Documents dual authz with Mattermost (#6400)
Add Cloud SQL guide
Update preview
2021-04-09 17:45:02 -07:00
Russell Jones 0ea35df10c
Updated CHANGELOG.md. (#6345)
Co-authored-by: Roman Tkachenko <roman@gravitational.com>
2021-04-09 10:44:01 -07:00
Alexander Klizhentas 8cb3ba36b5
Update some variables and links (#6367) 2021-04-08 15:56:53 -07:00
Alexander Klizhentas c4cef19dc2
Documents impersonation (#6293) (#6365) 2021-04-08 15:17:42 -07:00
Taylor Wakefield 2d3c03feef
Added Cloud Billing FAQ (#6363) 2021-04-08 11:44:14 -07:00
Andrew Lytvynov 87038e1b08
docs: document per-session MFA feature (#6285)
* docs: document per-session MFA feature

Also, update general U2F configuration docs to explain server-side
configs better.

* docs: move U2F docs to dedicated guides
2021-04-08 11:24:13 -07:00
Andrew Lytvynov d23fdcb71e
client: load all SSH certs when connecting to proxy
`tc.SiteName` does not necessarily point to the cluster we're connecting
to (or that we have certs for). For example `tsh login leaf` will set
`tc.SiteName` as `"leaf"` even though we're connecting to root proxy to
fetch leaf certs.
2021-04-08 16:48:03 +00:00
Gus Luxton 52a29bb63f
helm: Improve linting and add log level override (#6330) 2021-04-08 08:02:29 -07:00
Forrest Marshall e118629367
improve cert rotation periodics
* Eliminates spurious leaf cluster CA writes.
* Adds jitters to various periodic operations.
2021-04-07 15:49:27 -07:00
Brian Joerger 5e3f2359a4
Add DialOpts and CallOpts to API client. (#6301)
* Add DialOpts to client.Config.

* Add callOpts to client and client.WithCallOptions.

* Refactor use of atomic closedFlag.
2021-04-07 14:23:34 -07:00
Brian Joerger f7b29dd0d2
Fix tctl profile loading logic by adding WithSSHCerts certOption. (#6336) 2021-04-07 11:10:46 -07:00
Joel Wejdenstål 28c7163e13
Always set an AuditLog (#6326) 2021-04-07 11:47:02 +02:00
Brian Joerger c396cb8a5d
Propagate user not found error from authenticator. (#6304) 2021-04-06 18:33:38 -07:00
Andrew Lytvynov 1e7a369b26
web: fix AccessRequest loading on user cert reissue (#6264)
Load access requests from SSH cert instead of the profile. The profile
only exists on CLI clients, but not in the proxy.

Note: theoretically, SSH cert may be missing in some cases for CLI
clients. We should eventually encode access requests in TLS certs too,
which are always present.
2021-04-06 16:20:04 -07:00
Alexey Ivanov 3bf8425876
v7.0 syntax update (#6314)
* Update syntax

# Conflicts:
#	docs/pages/enterprise/sso/ssh-google-workspace.mdx

* Run lint and fix lint errors

* Fix include path
2021-04-06 12:16:28 -07:00
Lisa Kim 2b57a97b32
[auto] Update webassets in master (#6324)
cb1041a Update e-ref: Remove verb update check for access request reviews (#258) https://github.com/gravitational/webapps/commit/cb1041a

[source: -w master] [target: -t master]
2021-04-05 17:51:35 -07:00
Ben Arent a04b377663
Update Google Workspace and Okta Docs (#6267)
* Update GSuite and Okta Docs
* s/suite/workspace
* Remove use of admin to use editor
2021-04-05 15:45:08 -07:00
Gus Luxton 300499e253
[auto] Update AMI IDs for 6.0.2 (#6283) 2021-04-02 20:32:46 -07:00
xacrimon 3d663ab2e8
add fix 2021-04-02 18:30:44 -07:00
Steven Martin e5e899da13
Remove unused * from Roles output. This was a leftover from an old message about roles and enterprise version. (#6258) 2021-04-02 18:09:16 -07:00
Brian Joerger 8ecbefb122
Close leaky direct client. (#6297) 2021-04-02 14:04:54 -07:00
Andrew Lytvynov 6d200faecb
tsh: handle missing cluster name in profile (#6257)
Cluster name can be missing in profiles created by older tsh versions.
Trying to load the client.Key without a cluster name now causes a
failure when using WithAllCerts (because ssh/db/kube certs are
per-cluster).

Also added some output to `tsh status` when no profiles can be loaded.
2021-04-02 11:00:15 -07:00
Andrej Tokarčík 4fde837c59
Don't use OpaqueAccessDenied with CheckAccessToRule (#6246)
* Don't use OpaqueAccessDenied with CheckAccessToRule

* Fix tls_test

Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
2021-04-01 10:57:14 -07:00
Yurii Matsiuk 7569413f99
Make authToken optional if secret exists (#6273)
Co-authored-by: Gus Luxton <webvictim@gmail.com>
Signed-off-by: Yurii Matsiuk <ymatsiuk@users.noreply.github.com>
2021-04-01 14:37:01 -03:00
Gus Luxton 4c9ec23822
Revert "darwin fips builds (#5866)" (#6265)
* Revert "darwin fips builds (#5866)"

This reverts commit 32ac67db06.

* Remove GO_BINARY references

* Re-add dronegen changes for commands/image

* make dronegen

* Update e ref

* Re-add package signing/notarization for full MacOS builds
2021-04-01 10:12:53 -07:00
Andrej Tokarčík e525c94e1c
Delete obsolete stored keys in LocalKeyAgent.AddKey (#6251)
* Delete obsolete stored keys in LocalKeyAgent.AddKey

* Don't panic when no stored key found
2021-04-01 09:53:15 -07:00
Pierre Beaucamp 1e18bcb76e
Fix regression bug for DynamoDB scaling policy names (#6259) 2021-04-01 07:47:19 -07:00
Alexander Klizhentas 4fbb2ba3a7
Adds encrypted token docs (#6266) (#6269)
Fixes #5996

Adds section on encrypted SAML tokens. Fixes a couple of typos
and missing schema.

Because schema was missing, the connector did not work.
2021-03-31 18:55:20 -07:00
Gus Luxton 6a43a92b0b
dronegen: add buildboxes (#6197) 2021-03-31 13:41:51 -07:00
Gus Luxton e85e465ebf
GitLab Instructions for SSO (#6190) (#6262)
* Add GitLab link for SSO instructions

Co-authored-by: Steven Martin <steven@gravitational.com>
2021-03-31 13:25:44 -07:00
Gus Luxton a956a0c279
Ensure webassets are present when running 'make full' on a fresh clone (#6231) 2021-03-31 13:11:04 -07:00
Andrew Lytvynov 7be86582de
Parse all CAs in CertPoolFromCertAuthorities
Returning certPool prematurely omits all but the first CA cert.
2021-03-31 17:44:48 +00:00
Brian Joerger 826ed676fa
Refactor ssh.ClientConfig used by tctl and API clients to use the first valid principal as User. 2021-03-30 17:53:29 -07:00
Mike Russell b72c54b231
Update Architecture Overview With Link To User Roles (#6224)
- updating architecture overview with link to user roles when referring
to user roles in the context of the --roles flag
2021-03-30 17:35:58 -07:00
Gus Luxton 854da48990
Add lint-api target and fix lint errors (#6169) 2021-03-30 17:02:04 -07:00
Andrew Lytvynov fffe215570
ssh: fix relogin with jumphosts (#6213)
* ssh: fix relogin with jumphosts

Several fixes to make `tsh ssh -J leaf.proxy.com` work if the root cert
is missing/expired.

* Address review feedback

Correctly parse trusted CAs on GetKey.
Move retry without jumphosts from relogin to UpdateClusterCAs.

* Remove TeleportClient.AuthMethods override on relogin

It doesn't seem to break anything.
2021-03-30 14:50:07 -07:00
Gus Luxton 71ef02f70b
drone: use emptyDir for /var/lib/docker filesystem and prevent repetitive docker pulls (#6145) 2021-03-30 14:32:40 -07:00
Gus Luxton f1d34b3058
Remove ARM64 FIPS builds (#6236) 2021-03-30 13:21:14 -07:00
Brian Joerger ee57e539b5
tsh Profile SSH certs fix (#6214) 2021-03-30 12:10:52 -07:00
Andrew Lytvynov f1f02bda04
mfa: fix gRPC unimplemented check in cert reissue
Our gRPC client is wrapped and converts gRPC status codes into trace
errors. It also doesn't preserve the original gRPC error internally.
2021-03-30 18:36:36 +00:00
Alexander Klizhentas fbae7ad508
Open Sources Access Controls Docs (#6188) (#6217)
* Open Sources Access Controls Docs (#6188)

Moves RBAC to a separate access controls section,
adds a couple of guides and prepares
the structure for more content.

* Fix href links
2021-03-30 10:04:23 -07:00
xacrimon 3f9f33408d
add PAM environment with interpolation support 2021-03-30 18:23:38 +02:00
Andrej Tokarčík 52dfeec63e
Cache per-cluster SSH certificates under ~/.tsh (#5938)
```diff
 ~/.tsh/
 └── keys
    ├── one.example.com            --> Proxy hostname
    │   ├── certs.pem              --> TLS CA certs for the Teleport CA
    │   ├── foo                    --> RSA Private Key for user "foo"
    │   ├── foo.pub                --> Public Key
-   │   ├── foo-cert.pub           --> SSH certificate for proxies and nodes
    │   ├── foo-x509.pem           --> TLS client certificate for Auth Server
+   │   ├── foo-ssh                --> SSH certs for user "foo"
+   │   │   ├── root-cert.pub      --> SSH cert for Teleport cluster "root"
+   │   │   └── leaf-cert.pub      --> SSH cert for Teleport cluster "leaf"
```

When `-J` is provided, this also loads/reissues the SSH cert for the cluster associated with the jumphost's certificate. Fixes #5637.
2021-03-29 14:14:31 -07:00
Forrest Marshall 7d4c1ea6cf
add special resource type for access plugin data 2021-03-29 13:30:48 -07:00