mirror of https://github.com/gravitational/teleport, synced 2024-10-21 09:44:51 +00:00
5bd66a396e
Our auth middleware already attaches a TLS identity as context value. Plumb contexts through and extract the username when recording events. If the received context doesn't have an identity attached, use "system" as username. Lots of noise here due to missing context.Context plumbing :( We should eventually plumb contexts to all those RPC interfaces. Updates #3816
Teleport Auth Go Client
Introduction
Teleport Auth Server has an API which hasn't been officially documented (yet).
Both tctl and tsh use the Auth API to:
- Request certificates (tsh login or tctl auth sign)
- Add nodes and users (tctl users and tctl nodes)
- Manipulate cluster state (tctl resources)
API Authentication
Auth API clients must perform two-way authentication using x509 certificates:
- They have to validate the auth server x509 certificate to make sure the API endpoint can be trusted.
- They must offer their own x509 certificate, which has been previously issued by the auth server.
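The two checks above, shown as a plain crypto/tls client setup. This is an added example, not the project's client code: it builds throwaway certificates in place of the CA exported by tctl and the client certificate the auth server issues, pins that CA as the only trusted root, attaches the client certificate, and rejects a server certificate that does not chain to the pinned CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert for cn: a self-signed CA when parent is nil, else a leaf signed by parent (constructed stand-in for the auth CA and the certs it issues).
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own signer
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientTLSConfig is the two-way setup the README requires: RootCAs pins the exported auth CA so the server is validated; Certificates presents the client's own cert.
func clientTLSConfig(authCA, clientCert *x509.Certificate, clientKey ed25519.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(authCA)
	return &tls.Config{
		RootCAs:      pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}},
	}
}

func verifyServer(cfg *tls.Config, server *x509.Certificate) error { // first check: server cert must chain to the pinned CA
	_, err := server.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err
}
```

A server certificate from any CA other than the pinned one fails verifyServer, which is the same outcome the TLS handshake produces when this config is used with tls.Dial.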
Demo
This little program demonstrates how to:
- Authenticate against the Auth API using two certificates.
- Make an API call to issue a server join token, i.e. the equivalent of tctl node add
Before running it, you have to use tctl to issue an API certificate, i.e. on the auth server:
$ tctl auth export --type=tls > /var/lib/teleport/ca.cert
This should work as long as you execute it on the same auth server:
$ go get github.com/gravitational/teleport/lib/auth
$ go run main.go
TODO
This Auth server API allows clients to "jump" to the API endpoints of all trusted clusters connected to it. We need to add a snippet showing how to enumerate trusted clusters and connect to their API endpoints later.