teleport/examples/go-client
Andrew Lytvynov 5bd66a396e Plumb caller username for CRUD events via contexts
Our auth middleware already attaches a TLS identity as context value.
Plumb contexts through and extract the username when recording events.
If the received context doesn't have an identity attached, use "system"
as username.

Lots of noise here due to missing context.Context plumbing :(
We should eventually plumb contexts to all those RPC interfaces.

Updates #3816
2020-06-18 19:01:35 +00:00
main.go Plumb caller username for CRUD events via contexts 2020-06-18 19:01:35 +00:00
README.md Updated README for go-client (auth server API example) 2018-02-14 10:26:23 -08:00

Teleport Auth Go Client

Introduction

Teleport Auth Server has an API which hasn't been officially documented (yet). Both tctl and tsh use the Auth API to:

  • Request certificates (tsh login or tctl auth sign)
  • Add nodes and users (tctl users and tctl nodes)
  • Manipulate cluster state (tctl resources)

API Authentication

Auth API clients must perform two-way authentication using x509 certificates:

  1. They have to validate the auth server x509 certificate to make sure the API endpoint can be trusted.
  2. They must offer their own x509 certificate, which has been previously issued by the auth server.
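
The two-way check described above, as an added example that is not the main.go of this directory: a Go program that builds the client and server tls.Config the way the README describes (the exported CA as RootCAs, a CA-issued client certificate as Certificates, RequireAndVerifyClientCert on the auth side) and runs the handshake over loopback, once with a client certificate and once without. The CA, server and client certificates are generated in-process as constructed stand-ins for what tctl issues; the names example-ca, auth-server and api-client are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert is a constructed stand-in for the certs tctl issues: cn signed by parent, or self-signed (the CA) if none.
func issueCert(cn string, parent tls.Certificate, isCA bool) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, DNSNames: []string{"localhost"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent.Leaf == nil {
		parent = tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mutualHandshake runs the README's two checks over a loopback TLS connection; nil means both sides accepted.
func mutualHandshake(presentClientCert bool) error {
	ca := issueCert("example-ca", tls.Certificate{}, true)
	pool := x509.NewCertPool() // plays the role of the file written by `tctl auth export --type=tls`
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{issueCert("auth-server", ca, false)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // check 2: only CA-issued client certs
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"} // check 1: trust only a CA-signed server cert
	if presentClientCert { // leave the client cert out to watch check 2 fail
		cliCfg.Certificates = []tls.Certificate{issueCert("api-client", ca, false)}
	}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	defer ln.Close()
	go func() { // server side: the first Write runs the handshake and sends nothing if it rejects the client
		c, _ := ln.Accept() // the Dial below guarantees a connection arrives
		c.Write([]byte("ok"))
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil { // under TLS 1.3 the server's verdict arrives after Dial, so read the ack (or the alert)
		_, err = conn.Read(make([]byte, 2))
		conn.Close()
	}
	return err
}
```

With a real auth server the pool would be filled from the exported CA file instead of an in-process CA, and the client certificate from the one tctl issued.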

Demo

This little program demonstrates how to:

  1. Authenticate against the Auth API using two certificates.
  2. Make an API call to issue a server join token, i.e. the equivalent of tctl node add.

Before running it, you have to use tctl to issue an API certificate, i.e. on the auth server:

$ tctl auth export --type=tls > /var/lib/teleport/ca.cert

This should work as long as you execute it on the same auth server:

$ go get github.com/gravitational/teleport/lib/auth
$ go run main.go

TODO

This Auth server API allows clients to "jump" to the API endpoints of all trusted clusters connected to it. We need to add a snippet showing how to enumerate trusted clusters and connect to their API endpoints later.