// Copyright 2022 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package prehog.v1alpha;
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
// UserLoginEvent records a successful user login.
//
// PostHog event: tp.user.login
message UserLoginEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64;
  // should always be a real user as bots and service accounts with long-term
  // credentials don't ever login. The raw username must never be sent.
  //
  // PostHog property: tp.user_name
  string user_name = 1;
  // type of the auth connector used in the login, should be
  // "local"/"github"/"saml"/"oidc"
  //
  // PostHog property: tp.connector_type
  string connector_type = 2;
  // anonymized device ID, empty or 32 bytes (HMAC-SHA-256) encoded in base64;
  // only set for logins where device trust is enabled
  //
  // PostHog property: tp.device_id
  string device_id = 3;
  // the required private key policy for this login.
  // NOTE(review): no PostHog property name is documented for this field,
  // unlike the ones above — confirm against the exporter.
  string required_private_key_policy = 4;
}
// SSOCreateEvent is emitted when an SSO auth connector is created
// (presumed from the name; the emitting code is not in this file).
message SSOCreateEvent {
  // type of the connector that was created: github/saml/oidc
  string connector_type = 1;
}
// ResourceCreateEvent is emitted when a resource is created.
message ResourceCreateEvent {
  // resource_type is the type of resource ("node", "node.openssh", "db", "k8s", "app").
  string resource_type = 1;
  // resource_origin is the origin of the resource ("cloud", "kubernetes").
  string resource_origin = 2;
  // cloud_provider is the cloud provider the resource came from ("AWS", "Azure", "GCP");
  // only meaningful if resource_origin == "cloud", otherwise expected empty.
  string cloud_provider = 3;
  // database contains additional database information if resource_type == "db";
  // unset for every other resource_type.
  DiscoveredDatabaseMetadata database = 4;
}
// DiscoveredDatabaseMetadata contains additional database information for
// a ResourceCreateEvent with resource_type == "db".
message DiscoveredDatabaseMetadata {
  // database type (e.g. the engine); exact vocabulary is not defined here.
  string db_type = 1;
  // database protocol spoken to the database.
  string db_protocol = 2;
}
// ResourceKind is the kind of a "resource" as intended by ResourceHeartbeatEvent.
// Receivers should tolerate values they do not know about: unknown enum
// values round-trip as integers in proto3.
enum ResourceKind {
  // default; never carries meaning on its own
  RESOURCE_KIND_UNSPECIFIED = 0;
  // PostHog property value: "node"
  RESOURCE_KIND_NODE = 1;
  // PostHog property value: "app_server"
  RESOURCE_KIND_APP_SERVER = 2;
  // PostHog property value: "kube_server"
  RESOURCE_KIND_KUBE_SERVER = 3;
  // PostHog property value: "db_server"
  RESOURCE_KIND_DB_SERVER = 4;
  // PostHog property value: "windows_desktop"
  RESOURCE_KIND_WINDOWS_DESKTOP = 5;
  // ServerV3 ("node") heartbeat with a subkind of "openssh" (as opposed to
  // empty or "teleport"); not used in keepalives
  //
  // PostHog property value: "node.openssh"
  RESOURCE_KIND_NODE_OPENSSH = 6;
  // ServerV3 ("node") heartbeat with a subkind of "openssh-ec2-ice".
  // Nodes that map EC2 instances and are accessed using EC2 Instance Connect Endpoint.
  // Not used in keepalives.
  // This is the SubKind SubKindOpenSSHEICENode in teleport repo.
  //
  // PostHog property value: "node.openssh_ec2_ice"
  RESOURCE_KIND_NODE_OPENSSH_EICE = 7;
}
// ResourceHeartbeatEvent is a heartbeat for a resource served by a Teleport
// instance outside of the control plane (i.e. not auth, not proxy).
//
// PostHog event: tp.resource.hb
message ResourceHeartbeatEvent {
  // anonymized name of the resource, 32 bytes (HMAC-SHA-256); the name is the
  // host ID for nodes but the actual user-facing name for other resources, so
  // an app or a database served by multiple agents won't be counted multiple
  // times. Unlike the user_name fields in this file this is raw bytes, not a
  // base64 string; the base64 encoding happens on export.
  //
  // PreHog property: tp.resource_name (in base64)
  bytes resource_name = 1;
  // kind of the resource (node, app, db)
  //
  // PostHog property: tp.resource_type (as a string, see ResourceKind)
  ResourceKind resource_kind = 2;
  // true if the heartbeat has no expiration
  //
  // NOTE(review): "static" is a keyword in several target languages, so
  // generated accessors may look unusual; renaming it would change the JSON
  // key and generated code, so the name is kept as is.
  //
  // PostHog property: tp.is_static
  bool static = 3;
}
// SessionStartEvent represents one of several audit events: session.start, port,
// app.session.start, db.session.start, windows.desktop.session.start; i.e. a
// SSH shell or port-forward, kubectl exec or kubectl port-forward, DB, App or
// Desktop connection
//
// an earlier encoding (as "tp.session.start") mixed SSH sessions and kubectl
// execs under a session type of "ssh"
//
// PostHog event: tp.session.start
message SessionStartEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 1;
  // type of the session, should be "ssh"/"k8s"/"db"/"app"/"desktop" (matching
  // the values for api/types.SessionKind) or "app_tcp", "ssh_port_v2" or
  // "k8s_port" for TCP Application Access connections, SSH port forwards and
  // kubectl port-forward respectively; a type of "ssh_port" represents either a
  // SSH port forwarding connection or a kubectl port-forward (not used in new
  // events, but may still appear in old data)
  //
  // PostHog property: tp.session_type
  string session_type = 2;
  // if session_type == "db" the database struct contains additional information
  // about database session; unset otherwise.
  //
  // PostHog property: tp.database
  SessionStartDatabaseMetadata database = 3;
  // if session_type == "desktop" the desktop struct contains additional
  // information about the desktop session; unset otherwise.
  SessionStartDesktopMetadata desktop = 4;
}
// SessionStartDatabaseMetadata contains additional information about a
// database session (SessionStartEvent with session_type == "db").
message SessionStartDatabaseMetadata {
  // database type.
  string db_type = 1;
  // database protocol.
  string db_protocol = 2;
  // database origin source (how the database was registered).
  string db_origin = 3;
}
// SessionStartDesktopMetadata contains additional information about
// a desktop session (SessionStartEvent with session_type == "desktop").
message SessionStartDesktopMetadata {
  // desktop type ("ad" or "non-ad")
  string desktop_type = 1;
  // Indicates how the desktop was enrolled in Teleport
  // ("config-file" for statically defined hosts, or "dynamic" for
  // hosts discovered via LDAP).
  string origin = 2;
  // If desktop type is "ad" this field contains the anonymized Active
  // Directory domain that the desktop belongs to. The raw domain name must
  // not be sent.
  string windows_domain = 3;
  // If true, and desktop type is "non-ad" automatic user creation is
  // enabled for the session. (This does not mean that the user will
  // be created, as Teleport does not know whether the user already exists.)
  bool allow_user_creation = 4;
}
// UserCertificateIssuedEvent records the issuance of a user certificate from
// the user CA.
//
// PostHog event: tp.certificate.issued
message UserCertificateIssuedEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64; it
  // can be the username of a bot user rather than of a regular user
  //
  // PostHog property: tp.user_name
  string user_name = 1;
  // the TTL of the issued certificate, typically 8 or 12 hours
  //
  // PostHog property: tp.ttl_minutes (in minutes, rounded up)
  google.protobuf.Duration ttl = 2;
  // If true, the certificate was requested by a bot (i.e. Machine ID) user.
  // PostHog property: tp.is_bot
  bool is_bot = 3;
  // If true, the certificate usage is restricted to database access.
  // PostHog property: tp.usage_database
  bool usage_database = 4;
  // If true, the certificate usage is restricted to app access.
  // PostHog property: tp.usage_app
  bool usage_app = 5;
  // If true, the certificate usage is restricted to Kubernetes access.
  // PostHog property: tp.usage_kubernetes
  bool usage_kubernetes = 6;
  // If true, the certificate usage is restricted to desktop access.
  // PostHog property: tp.usage_desktop
  bool usage_desktop = 7;
  // the private key policy associated with these user certificates.
  // NOTE(review): no PostHog property is documented for this field — confirm.
  string private_key_policy = 8;
}
// UIBannerClickEvent is a usage event sent by the UI when the upgrade
// banner is clicked.
message UIBannerClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
  // cluster alert name
  string alert = 2;
}
// UIOnboardCompleteGoToDashboardClickEvent is a UI event sent when initial
// registration is complete.
message UIOnboardCompleteGoToDashboardClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UIOnboardAddFirstResourceClickEvent is a UI event sent when a user clicks the
// "add first resource" button.
message UIOnboardAddFirstResourceClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UIOnboardAddFirstResourceLaterClickEvent is a UI event sent when a user
// clicks the "add first resource later" button.
message UIOnboardAddFirstResourceLaterClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UIOnboardSetCredentialSubmitEvent is a UI event sent during registration when
// users configure their credentials. Only the anonymized username is carried;
// no credential material belongs in this event.
message UIOnboardSetCredentialSubmitEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UIOnboardRegisterChallengeSubmitEvent is a UI event sent during registration
// when the MFA challenge is completed.
message UIOnboardRegisterChallengeSubmitEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
  // kind of MFA device used for the challenge; the value set is not defined
  // in this file
  string mfa_type = 2;
  // the registration/login flow the challenge belongs to; the value set is
  // not defined in this file
  string login_flow = 3;
}
// UIOnboardQuestionnaireSubmitEvent is a UI event sent during registration when
// user submits their onboarding questionnaire.
message UIOnboardQuestionnaireSubmitEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UIRecoveryCodesContinueClickEvent is a UI event sent during
// registration when the user configures cluster recovery codes.
// The recovery codes themselves are never part of this event.
message UIRecoveryCodesContinueClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UIRecoveryCodesCopyClickEvent is a UI event sent during
// registration when the user copies recovery codes.
// The recovery codes themselves are never part of this event.
message UIRecoveryCodesCopyClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UIRecoveryCodesPrintClickEvent is a UI event sent during
// registration when the user prints recovery codes.
// The recovery codes themselves are never part of this event.
message UIRecoveryCodesPrintClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// DiscoverMetadata contains common metadata for Discover related events.
message DiscoverMetadata {
  // Uniquely identifies Discover wizard "session". Will allow to correlate
  // events within the same Discover wizard run. Its format is not defined
  // here; it should not be derived from identifying user data.
  string id = 1;
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 2;
  // SSO indicates whether the user is from an SSO provider.
  bool sso = 3;
}
// DiscoverResource represents a resource type that can be added through the
// Discover wizard. Values are append-only: never renumber or reuse a value,
// and receivers must tolerate values newer than their own copy of this enum.
enum DiscoverResource {
  // default; never carries meaning on its own
  DISCOVER_RESOURCE_UNSPECIFIED = 0;
  DISCOVER_RESOURCE_SERVER = 1;
  DISCOVER_RESOURCE_KUBERNETES = 2;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_SELF_HOSTED = 3;
  DISCOVER_RESOURCE_DATABASE_MYSQL_SELF_HOSTED = 4;
  DISCOVER_RESOURCE_DATABASE_MONGODB_SELF_HOSTED = 5;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_RDS = 6;
  DISCOVER_RESOURCE_DATABASE_MYSQL_RDS = 7;
  DISCOVER_RESOURCE_APPLICATION_HTTP = 8;
  DISCOVER_RESOURCE_APPLICATION_TCP = 9;
  DISCOVER_RESOURCE_WINDOWS_DESKTOP = 10;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_RDS = 11;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_REDSHIFT = 12;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_SELF_HOSTED = 13;
  DISCOVER_RESOURCE_DATABASE_REDIS_SELF_HOSTED = 14;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_GCP = 15;
  DISCOVER_RESOURCE_DATABASE_MYSQL_GCP = 16;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_GCP = 17;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_REDSHIFT_SERVERLESS = 18;
  DISCOVER_RESOURCE_DATABASE_POSTGRES_AZURE = 19;
  DISCOVER_RESOURCE_DATABASE_DYNAMODB = 20;
  DISCOVER_RESOURCE_DATABASE_CASSANDRA_KEYSPACES = 21;
  // Cassandra & ScyllaDb
  DISCOVER_RESOURCE_DATABASE_CASSANDRA_SELF_HOSTED = 22;
  DISCOVER_RESOURCE_DATABASE_ELASTICSEARCH_SELF_HOSTED = 23;
  // Elasticache & MemoryDb (MemoryDb later got its own value, 25)
  DISCOVER_RESOURCE_DATABASE_REDIS_ELASTICACHE = 24;
  DISCOVER_RESOURCE_DATABASE_REDIS_MEMORYDB = 25;
  DISCOVER_RESOURCE_DATABASE_REDIS_AZURE_CACHE = 26;
  DISCOVER_RESOURCE_DATABASE_REDIS_CLUSTER_SELF_HOSTED = 27;
  DISCOVER_RESOURCE_DATABASE_MYSQL_AZURE = 28;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_AZURE = 29;
  DISCOVER_RESOURCE_DATABASE_SQLSERVER_MICROSOFT = 30;
  DISCOVER_RESOURCE_DATABASE_COCKROACHDB_SELF_HOSTED = 31;
  DISCOVER_RESOURCE_DATABASE_MONGODB_ATLAS = 32;
  DISCOVER_RESOURCE_DATABASE_SNOWFLAKE = 33;
  // DOC_* values presumably refer to documentation-only guides shown in the
  // wizard rather than to a resource that gets enrolled — confirm with the UI.
  DISCOVER_RESOURCE_DOC_DATABASE_RDS_PROXY = 34;
  DISCOVER_RESOURCE_DOC_DATABASE_HIGH_AVAILABILITY = 35;
  DISCOVER_RESOURCE_DOC_DATABASE_DYNAMIC_REGISTRATION = 36;
  DISCOVER_RESOURCE_SAML_APPLICATION = 37;
  DISCOVER_RESOURCE_EC2_INSTANCE = 38;
}
// DiscoverResourceMetadata contains common metadata identifying the resource
// type being added.
message DiscoverResourceMetadata {
  // Resource type that is being added.
  DiscoverResource resource = 1;
}
// DiscoverStatus represents a Discover Step outcome.
enum DiscoverStatus {
  // default; never carries meaning on its own
  DISCOVER_STATUS_UNSPECIFIED = 0;
  // The user tried to complete the action and it succeeded.
  DISCOVER_STATUS_SUCCESS = 1;
  // The system skipped the step.
  // For example:
  // When setting up a Database and there's already a Database Service proxying the DB.
  // In this case the Database Agent installation is skipped.
  DISCOVER_STATUS_SKIPPED = 2;
  // The user tried to complete the action and it failed.
  DISCOVER_STATUS_ERROR = 3;
  // The user did not complete the action and left the wizard.
  DISCOVER_STATUS_ABORTED = 4;
}
// DiscoverStepStatus contains fields that track a particular step outcome,
// for example connection test failed or succeeded, or user aborted the step.
message DiscoverStepStatus {
  // Indicates the step outcome.
  DiscoverStatus status = 1;
  // Contains error details in case of Error Status.
  // This is free text leaving the cluster: senders must not include any
  // identifiable information such as server addresses, hostnames, usernames
  // or raw error output that may embed them.
  string error = 2;
}
// UIDiscoverStartedEvent is emitted when the wizard opens.
message UIDiscoverStartedEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // outcome of this step
  DiscoverStepStatus status = 2;
}
// UIDiscoverResourceSelectionEvent is emitted when user selected resource type to add
// and proceeded to the next step.
message UIDiscoverResourceSelectionEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type selected in this step
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverIntegrationAWSOIDCConnectEvent is emitted when a user is finished with the step
// that asks user to setup aws integration or select from a list of existing
// aws integrations.
message UIDiscoverIntegrationAWSOIDCConnectEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverDatabaseRDSEnrollEvent is emitted when a user is finished with
// the step that asks user to select from a list of RDS databases.
message UIDiscoverDatabaseRDSEnrollEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
  // number of RDS databases the user selected in this step
  int64 selected_resources_count = 4;
}
// UIDiscoverDeployServiceEvent is emitted after the user installs a Teleport Agent.
// For SSH this is the Teleport 'install-node' script.
//
// For Kubernetes this is the teleport-agent helm chart installation.
//
// For Database Access this step is the installation of the teleport 'install-db' script.
// It can be skipped if the cluster already has a Database Service capable of proxying the database.
message UIDiscoverDeployServiceEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
  // DeployMethod describes the method used to deploy a service.
  enum DeployMethod {
    // DEPLOY_METHOD_UNSPECIFIED means there was an existing service
    // so deploying step got skipped.
    DEPLOY_METHOD_UNSPECIFIED = 0;
    // DEPLOY_METHOD_AUTO means Teleport deployed a service for the user.
    DEPLOY_METHOD_AUTO = 1;
    // DEPLOY_METHOD_MANUAL means a user deployed a service by themselves.
    DEPLOY_METHOD_MANUAL = 2;
  }
  // how the service was deployed
  DeployMethod deploy_method = 4;
  // DeployType describes the type of deployment.
  enum DeployType {
    // DEPLOY_TYPE_UNSPECIFIED means there was an existing service
    // so deploying step got skipped.
    DEPLOY_TYPE_UNSPECIFIED = 0;
    // DEPLOY_TYPE_INSTALL_SCRIPT means service was deployed using an
    // install script.
    DEPLOY_TYPE_INSTALL_SCRIPT = 1;
    // DEPLOY_TYPE_AMAZON_ECS means service was deployed using amazon's
    // elastic container service.
    DEPLOY_TYPE_AMAZON_ECS = 2;
  }
  // what kind of deployment was used
  DeployType deploy_type = 5;
}
// UIDiscoverDatabaseRegisterEvent is emitted when a user is finished with the step that registers a database resource.
message UIDiscoverDatabaseRegisterEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverDatabaseConfigureMTLSEvent is emitted when a user is finished with the step that configures mutual TLS for a self-hosted database.
// Only the step outcome is reported; no certificate or key material is carried.
message UIDiscoverDatabaseConfigureMTLSEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverDesktopActiveDirectoryToolsInstallEvent is emitted when the user is finished with the step that asks user to run the install Active Directory tools script for the Desktop flow.
message UIDiscoverDesktopActiveDirectoryToolsInstallEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverDesktopActiveDirectoryConfigureEvent is emitted when the user is finished with the step that asks user to run the Configure Active Directory script for the Desktop flow.
message UIDiscoverDesktopActiveDirectoryConfigureEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverAutoDiscoveredResourcesEvent is emitted when the user is finished with the step that auto discovers resources (waiting until resources show up).
// resources_count field must reflect the latest amount of discovered resources (get the number after user is finished with this step).
message UIDiscoverAutoDiscoveredResourcesEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
  // number of resources discovered by the time the user left this step
  int64 resources_count = 4;
}
// UIDiscoverEC2InstanceSelectionEvent is emitted when the user is finished with the step that asks the user to select an EC2 Instance to enroll.
message UIDiscoverEC2InstanceSelectionEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverDeployEICEEvent is emitted when the user deploys an EC2 Instance Connect Endpoint.
message UIDiscoverDeployEICEEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverCreateNodeEvent is emitted when the node is created in Teleport.
message UIDiscoverCreateNodeEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverDatabaseConfigureIAMPolicyEvent is emitted when a user is finished with the step that configures IAM policy for an RDS database.
// Only the step outcome is reported; the policy document itself is not sent.
message UIDiscoverDatabaseConfigureIAMPolicyEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverPrincipalsConfigureEvent is emitted when a user is finished with the step that allows user to update their principals (setting up access).
// The principals themselves are not part of the event.
message UIDiscoverPrincipalsConfigureEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of this step
  DiscoverStepStatus status = 3;
}
// UIDiscoverTestConnectionEvent is emitted on the "Test Connection" screen
// when the user clicked to test the connection to their resource.
message UIDiscoverTestConnectionEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type being added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of the connection test (see DiscoverStepStatus.error for the
  // constraints on what may be reported on failure)
  DiscoverStepStatus status = 3;
}
// UIDiscoverCompletedEvent is emitted when user completes the Discover wizard.
message UIDiscoverCompletedEvent {
  // common wizard-run metadata (run id, anonymized user)
  DiscoverMetadata metadata = 1;
  // the resource type that was added in this wizard run
  DiscoverResourceMetadata resource = 2;
  // outcome of the final step
  DiscoverStepStatus status = 3;
}
// RoleCreateEvent is emitted when user creates a custom role.
message RoleCreateEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
  // anonymized name of the created role; the raw role name must not be sent
  string role_name = 2;
}
// BotCreateEvent is emitted when user creates a bot.
message BotCreateEvent {
  // user_name is the anonymized name of the user who created the bot
  string user_name = 1;
  // bot_user_name is the anonymized name of the bot's user
  string bot_user_name = 2;
  // role_name is the anonymized name of the bot role that was created.
  string role_name = 3;
  // role_count is the number of roles that the bot role can impersonate on
  // creation.
  int64 role_count = 4;
  // join_method is the join method of the token associated with the bot on
  // creation.
  string join_method = 5;
  // bot_name is the anonymised name of the bot.
  string bot_name = 6;
}
// BotJoinEvent is emitted when a bot joins a Teleport cluster.
message BotJoinEvent {
  // bot_name is the anonymised name of the bot.
  string bot_name = 1;
  // join_method is the join method of the token associated with the bot on
  // creation. This will be the string value of `api/types.JoinMethod`.
  string join_method = 2;
  // join_token_name is the anonymised name of the token used to join
  // the cluster. Only the anonymised name is sent; the token secret itself
  // never appears in this event.
  string join_token_name = 3;
}
// UICreateNewRoleClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UICreateNewRoleSaveClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleSaveClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UICreateNewRoleCancelClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleCancelClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UICreateNewRoleViewDocumentationClickEvent is an event that can be triggered during custom role creation
message UICreateNewRoleViewDocumentationClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
}
// UICallToActionClickEvent is a click in a Teleport Web UI's CTA
message UICallToActionClickEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
  // which call-to-action button was clicked
  CTA cta = 2;
}
// CTA represents teleport web UI's call to action buttons.
// Append-only: do not renumber or reuse values.
enum CTA {
  // default; never carries meaning on its own
  CTA_UNSPECIFIED = 0;
  CTA_AUTH_CONNECTOR = 1;
  CTA_ACTIVE_SESSIONS = 2;
  CTA_ACCESS_REQUESTS = 3;
  CTA_PREMIUM_SUPPORT = 4;
  CTA_TRUSTED_DEVICES = 5;
  CTA_UPGRADE_BANNER = 6;
  CTA_BILLING_SUMMARY = 7;
  CTA_ACCESS_LIST = 8;
  CTA_ACCESS_MONITORING = 9;
  CTA_EXTERNAL_AUDIT_STORAGE = 10;
}
// KubeRequestEvent is a request forwarded to a kube cluster's API server
// (other than exec and port-forward). Only the anonymized user is reported;
// the request path, verb and cluster name are deliberately not included.
//
// PostHog event: tp.kube.request
message KubeRequestEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 1;
}
// SFTPEvent is an sftp event; it represents a single operation on a file.
// File paths are deliberately not part of the event.
//
// PostHog event: tp.sftp
message SFTPEvent {
  // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64
  //
  // PostHog property: tp.user_name
  string user_name = 1;
  // matching SFTPAction in teleport/api/types/events/events.proto; carried as
  // a plain int32 rather than an enum, so receivers must treat values they do
  // not recognise as unknown rather than rejecting the event
  int32 action = 2;
}
// AgentMetadataEvent describes the environment a Teleport agent runs in.
// Field semantics below are inferred from the names; the emitter is not in
// this file, so treat them as a guide to be confirmed against it.
message AgentMetadataEvent {
  // Teleport version the agent runs (presumed)
  string version = 1;
  // identifier of the host running the agent.
  // NOTE(review): unlike user_name elsewhere in this file, no anonymization
  // is stated for this field; ResourceHeartbeatEvent hashes the host ID before
  // sending — confirm the emitter does the same here.
  string host_id = 2;
  // Teleport services enabled on this agent (presumed)
  repeated string services = 3;
  // operating system name (presumed)
  string os = 4;
  // operating system version (presumed)
  string os_version = 5;
  // CPU architecture of the host (presumed)
  string host_architecture = 6;
  // glibc version present on the host, if any (presumed)
  string glibc_version = 7;
  // how the agent was installed, possibly more than one method (presumed)
  repeated string install_methods = 8;
  // container runtime the agent runs under, if any (presumed)
  string container_runtime = 9;
  // container orchestrator the agent runs under, if any (presumed)
  string container_orchestrator = 10;
  // cloud environment the host runs in, if any (presumed)
  string cloud_environment = 11;
  // external_upgrader is the name of the registered external upgrader. if non-empty, this field indicates
  // that the associated agent is enrolled in automatic upgrades.
  string external_upgrader = 12;
}
// AssistCompletionEvent is an event that is emitted
// when a single completion occurs in the Teleport Assist,
// i.e. a user submits a prompt, and receives an answer from the Assist.
// Only token counts are reported; prompt and answer text are not part of
// the event.
message AssistCompletionEvent {
  // anonymized Teleport username (HMAC-SHA-256, base64), as elsewhere in this file
  string user_name = 1;
  // ConversationId is the UUID that identifies a single Assist conversation
  string conversation_id = 2;
  // TotalTokens is the total amount of tokens used to satisfy this request
  int64 total_tokens = 3;
  // PromptTokens is the amount of estimated tokens used by the prompt
  int64 prompt_tokens = 4;
  // CompletionTokens is the amount of tokens that the completion response consists of
  int64 completion_tokens = 5;
}
// AssistExecutionEvent is an event that is emitted when an Assist command
// execution is triggered by the user. The command itself and the node names
// are not part of the event, only the node count and token usage.
message AssistExecutionEvent {
  // UserName is anonymized user name
  string user_name = 1;
  // ConversationId is the UUID that identifies a single Assist conversation
  string conversation_id = 2;
  // NodeCount is the number of nodes the command was executed on
  int64 node_count = 3;
  // TotalTokens is the total amount of tokens used to generate the command summary
  int64 total_tokens = 4;
  // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
  int64 prompt_tokens = 5;
  // CompletionTokens is the amount of tokens that the summary completion response consists of
  int64 completion_tokens = 6;
}
// AssistNewConversationEvent is an event that is emitted for each new Assist
// conversation and contains the conversation category.
message AssistNewConversationEvent {
  // UserName is anonymized user name
  string user_name = 1;
  // Category is the conversation category. This represents what kind of request
  // the user is asking Assist. It is a classification label, not the request text.
  string category = 2;
}
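// AssistAccessRequestEvent is an event that is emitted when a user requests
// access to a resource via Assist. Only the resource type and token usage are
// reported; the resource name and the request reason are not part of the event.
message AssistAccessRequestEvent {
  // Field number 3 has never been assigned in this message (numbering jumps
  // from 2 to 4, mirroring AssistExecutionEvent where 3 is node_count);
  // reserve it so it cannot be reused with a different meaning by accident.
  reserved 3;
  // UserName is anonymized user name
  string user_name = 1;
  // ResourceType describes the type of resource the user is requesting access to, e.g. "node", "db", "k8s" or "role".
  string resource_type = 2;
  // TotalTokens is the total amount of tokens used to generate the command summary
  int64 total_tokens = 4;
  // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
  int64 prompt_tokens = 5;
  // CompletionTokens is the amount of tokens that the summary completion response consists of
  int64 completion_tokens = 6;
}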
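// AssistActionEvent is an event that is emitted when a user triggers an action
// (SSH command generation, output explain, etc.) via Assist. Only the action
// label and token usage are reported, never the command or output text.
message AssistActionEvent {
  // Field number 3 has never been assigned in this message (numbering jumps
  // from 2 to 4, mirroring AssistExecutionEvent where 3 is node_count);
  // reserve it so it cannot be reused with a different meaning by accident.
  reserved 3;
  // UserName is anonymized user name
  string user_name = 1;
  // Action is the action that was triggered, e.g. "ssh-explain", "ssh-command-generate", etc.
  string action = 2;
  // TotalTokens is the total amount of tokens used to generate the command summary
  int64 total_tokens = 4;
  // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
  int64 prompt_tokens = 5;
  // CompletionTokens is the amount of tokens that the summary completion response consists of
  int64 completion_tokens = 6;
}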
// AccessListMetadata contains common metadata for Access List related events.
message AccessListMetadata {
  // id uniquely identifies an Access List. Will allow correlation of events
  // within an access list. Its format is not defined here; it should not be
  // derived from the user-facing list name.
  string id = 1;
}
// AccessListCreateEvent is an event that is emitted when an access list is created.
message AccessListCreateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  // metadata identifies the access list
  AccessListMetadata metadata = 2;
}
// AccessListUpdateEvent is an event that is emitted when an access list is updated.
message AccessListUpdateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  // metadata identifies the access list
  AccessListMetadata metadata = 2;
}
// AccessListDeleteEvent is an event that is emitted when an access list is deleted.
message AccessListDeleteEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  // metadata identifies the access list
  AccessListMetadata metadata = 2;
}
// AccessListMemberCreateEvent is an event that is emitted when a member is added to an access list.
// The member being added is not identified in the event, only the acting user.
message AccessListMemberCreateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  // metadata identifies the access list
  AccessListMetadata metadata = 2;
}
// AccessListMemberUpdateEvent is an event that is emitted when a member is updated in an access list.
// The member being updated is not identified in the event, only the acting user.
message AccessListMemberUpdateEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  // metadata identifies the access list
  AccessListMetadata metadata = 2;
}
// AccessListMemberDeleteEvent is an event that is emitted when a member is removed from an access list.
// The member being removed is not identified in the event, only the acting user.
message AccessListMemberDeleteEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  // metadata identifies the access list
  AccessListMetadata metadata = 2;
}
// AccessListGrantsToUserEvent is an event that is emitted when access list
// permissions are granted to a user on login. Only counts are reported; the
// granted role and trait names are not part of the event.
message AccessListGrantsToUserEvent {
  // user_name is the anonymized user name
  string user_name = 1;
  // count_roles_granted is the number of roles granted to a user.
  int32 count_roles_granted = 2;
  // count_traits_granted is the number of traits granted to a user.
  int32 count_traits_granted = 3;
}
// IntegrationEnrollKind represents the types of integration that
// can be enrolled.
//
// Values are part of the wire contract: new kinds are appended with fresh
// numbers; existing numbers are never reused or renumbered.
enum IntegrationEnrollKind {
// Zero value; reported when no kind was set.
INTEGRATION_ENROLL_KIND_UNSPECIFIED = 0;
INTEGRATION_ENROLL_KIND_SLACK = 1;
INTEGRATION_ENROLL_KIND_AWS_OIDC = 2;
INTEGRATION_ENROLL_KIND_PAGERDUTY = 3;
INTEGRATION_ENROLL_KIND_EMAIL = 4;
INTEGRATION_ENROLL_KIND_JIRA = 5;
INTEGRATION_ENROLL_KIND_DISCORD = 6;
INTEGRATION_ENROLL_KIND_MATTERMOST = 7;
INTEGRATION_ENROLL_KIND_MS_TEAMS = 8;
INTEGRATION_ENROLL_KIND_OPSGENIE = 9;
INTEGRATION_ENROLL_KIND_OKTA = 10;
INTEGRATION_ENROLL_KIND_JAMF = 11;
// Machine ID enrollment. The MACHINE_ID_* values that follow distinguish
// the CI/CD system or cloud platform named by their suffix.
INTEGRATION_ENROLL_KIND_MACHINE_ID = 12;
INTEGRATION_ENROLL_KIND_MACHINE_ID_GITHUB_ACTIONS = 13;
INTEGRATION_ENROLL_KIND_MACHINE_ID_CIRCLECI = 14;
INTEGRATION_ENROLL_KIND_MACHINE_ID_GITLAB = 15;
INTEGRATION_ENROLL_KIND_MACHINE_ID_JENKINS = 16;
INTEGRATION_ENROLL_KIND_MACHINE_ID_ANSIBLE = 17;
INTEGRATION_ENROLL_KIND_MACHINE_ID_AWS = 18;
INTEGRATION_ENROLL_KIND_MACHINE_ID_GCP = 19;
INTEGRATION_ENROLL_KIND_MACHINE_ID_AZURE = 20;
INTEGRATION_ENROLL_KIND_MACHINE_ID_SPACELIFT = 21;
INTEGRATION_ENROLL_KIND_MACHINE_ID_KUBERNETES = 22;
}
// IntegrationEnrollMetadata contains common metadata
// for Integration Enroll related events.
// It is embedded in UIIntegrationEnrollStartEvent and
// UIIntegrationEnrollCompleteEvent so that both ends of one wizard run
// can be matched up.
message IntegrationEnrollMetadata {
// id is used as a unique identifier to correlate events within the
// same enroll wizard run.
// NOTE(review): the format of id (random, derived, length) is not stated
// here — confirm it carries no identifying data before it is exported.
string id = 1;
// kind identifies what type of integration the user clicked on to enroll.
IntegrationEnrollKind kind = 2;
// user_name is anonymized.
string user_name = 3;
}
// UIIntegrationEnrollStartEvent is an event that is emitted when a user
// clicks on an integration to enroll.
message UIIntegrationEnrollStartEvent {
// metadata carries the wizard run id, integration kind and anonymized
// user name shared with the matching UIIntegrationEnrollCompleteEvent.
IntegrationEnrollMetadata metadata = 1;
}
// UIIntegrationEnrollCompleteEvent is an event that is emitted when a user
// has completed enrolling an integration.
message UIIntegrationEnrollCompleteEvent {
// metadata carries the wizard run id, integration kind and anonymized
// user name shared with the matching UIIntegrationEnrollStartEvent.
IntegrationEnrollMetadata metadata = 1;
}
// EditorChangeEvent is an event that is emitted when a user's role set changes resulting in
// an editor role being added or removed.
message EditorChangeEvent {
// user_name is the anonymized user name.
string user_name = 1;
// status records whether the editor role was granted or removed;
// see EditorChangeStatus.
EditorChangeStatus status = 2;
}
// EditorChangeStatus is the possible value of an EditorChangeEvent's status.
enum EditorChangeStatus {
// Zero value; reported when no status was set.
EDITOR_CHANGE_STATUS_UNSPECIFIED = 0;
// Status when the editor role is granted
EDITOR_CHANGE_STATUS_ROLE_GRANTED = 1;
// Status when the editor role is removed
EDITOR_CHANGE_STATUS_ROLE_REMOVED = 2;
}
// Device authentication event
//
// NOTE(review): no "PostHog event:" name is recorded here, unlike
// DeviceEnrollEvent below — add it so the emitted event name is documented
// next to its schema.
message DeviceAuthenticateEvent {
// anonymized device ID, 32 bytes (HMAC-SHA-256) encoded in base64
//
// PostHog property: tp.device_id
string device_id = 1;
// anonymized username, 32 bytes (HMAC-SHA-256) encoded in base64
//
// PostHog property: tp.user_name
string user_name = 2;
// device OS type
//
// Free-form string; the set of expected values is not defined in this file.
//
// PostHog property: tp.device_os_type
string device_os_type = 3;
}
// Device Enrollment event
//
// PostHog event: tp.device.enroll
message DeviceEnrollEvent {
// anonymized device ID, 32 bytes (HMAC-SHA-256) encoded in base64
//
// PostHog property: tp.device_id
string device_id = 1;
// anonymized username, 32 bytes (HMAC-SHA-256) encoded in base64
//
// PostHog property: tp.user_name
string user_name = 2;
// device OS type
//
// PostHog property: tp.device_os_type
string device_os_type = 3;
// device origin
//
// Free-form string; the set of expected values is not defined in this file.
//
// PostHog property: tp.device_origin
string device_origin = 4;
}
// FeatureRecommendationEvent captures the event emitted when a feature is recommended to a user or
// when the user completes the desired CTA for the feature.
//
// PostHog event: tp.ui.feature.recommendation
message FeatureRecommendationEvent {
// anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64
//
// PostHog property: tp.user_name
string user_name = 1;
// feature is the name of the Teleport feature; see the Feature enum.
//
// PostHog property: tp.feature
Feature feature = 2;
// feature_recommendation_status records the recommendation state, which can be 'NOTIFIED' (feature is recommended)
// OR 'DONE' (user completes the desired CTA); see FeatureRecommendationStatus.
//
// PostHog property: tp.feature_recommendation_status
FeatureRecommendationStatus feature_recommendation_status = 3;
}
// Feature is the name of a Teleport feature that can be recommended
// in a FeatureRecommendationEvent.
enum Feature {
// Zero value; reported when no feature was set.
FEATURE_UNSPECIFIED = 0;
// Trusted Devices feature.
FEATURE_TRUSTED_DEVICES = 1;
}
// FeatureRecommendationStatus is the feature recommendation status.
enum FeatureRecommendationStatus {
// Zero value; reported when no status was set.
FEATURE_RECOMMENDATION_STATUS_UNSPECIFIED = 0;
// FEATURE_RECOMMENDATION_STATUS_NOTIFIED is emitted when a feature is recommended (notified in the UI) to a user.
FEATURE_RECOMMENDATION_STATUS_NOTIFIED = 1;
// FEATURE_RECOMMENDATION_STATUS_DONE is emitted when the user completes the desired CTA.
FEATURE_RECOMMENDATION_STATUS_DONE = 2;
}
// LicenseLimitEvent is emitted when access to a Teleport feature
// is denied based on license limits.
//
// This event carries no user identifier; it records only which limit
// was hit.
//
// PostHog event: tp.license.limit
message LicenseLimitEvent {
// license_limit identifies the limit that triggered the denial;
// see the LicenseLimit enum.
//
// PostHog property: tp.license_limit
LicenseLimit license_limit = 1;
}
// LicenseLimit indicates the event type that triggered a LicenseLimitEvent.
enum LicenseLimit {
// Zero value; reported when no limit was set.
LICENSE_LIMIT_UNSPECIFIED = 0;
// LICENSE_LIMIT_DEVICE_TRUST_TEAM_JAMF is emitted if the license does not
// allow the Jamf integration (e.g. Team Plan)
LICENSE_LIMIT_DEVICE_TRUST_TEAM_JAMF = 1;
// LICENSE_LIMIT_DEVICE_TRUST_TEAM_USAGE is emitted when the allowed enrolled device
// limit is reached
LICENSE_LIMIT_DEVICE_TRUST_TEAM_USAGE = 2;
}
// DesktopDirectoryShareEvent is emitted when directory sharing is used
// in a Teleport desktop session.
message DesktopDirectoryShareEvent {
// anonymized desktop addr, used to uniquely idenfity the desktop
//
// PostHog property: tp.desktop
string desktop = 1;
// anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64;
//
// PostHog property: tp.user_name