// Copyright 2021-2022 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package proto;
import "gogoproto/gogo.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
import "teleport/attestation/v1/attestation.proto";
import "teleport/legacy/client/proto/certs.proto";
import "teleport/legacy/client/proto/event.proto";
import "teleport/legacy/types/events/events.proto";
import "teleport/legacy/types/types.proto";
import "teleport/legacy/types/webauthn/webauthn.proto";
import "teleport/legacy/types/wrappers/wrappers.proto";
import "teleport/usageevents/v1/usageevents.proto";
option go_package = "github.com/gravitational/teleport/api/client/proto";
option (gogoproto.goproto_getters_all) = true;
option (gogoproto.marshaler_all) = true;
option (gogoproto.unmarshaler_all) = true;
// Watch specifies the parameters of an event-watch subscription: which
// resource kinds to watch and whether a partially satisfiable watch is
// acceptable to the caller.
message Watch {
  // Kinds specifies object kinds to watch.
  repeated types.WatchKind Kinds = 1 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "kinds,omitempty"
  ];
  // AllowPartialSuccess, when true, lets the watch be established even if
  // not every requested kind can be served. Presumably the server then
  // silently drops the kinds the caller is not permitted (or able) to watch;
  // the exact server behaviour is not visible here — confirm before relying
  // on it.
  bool AllowPartialSuccess = 2 [(gogoproto.jsontag) = "allow_partial_success,omitempty"];
}
// HostCertsRequest specifies certificate-generation parameters
// for a server (host) identity: the auth server signs the supplied public
// keys into host SSH and X.509 certificates carrying the given principals.
message HostCertsRequest {
  reserved 12; // system_role_assertion_id
  reserved "UnstableSystemRoleAssertionID";
  // HostID is a unique ID of the host.
  string HostID = 1 [(gogoproto.jsontag) = "host_id"];
  // NodeName is a user-friendly host name.
  string NodeName = 2 [(gogoproto.jsontag) = "node_name"];
  // Role is a system role assigned to the host.
  // NOTE(review): this value is asserted by the caller in the request; whether
  // the auth server verifies it against the caller's authenticated identity
  // before signing is not visible here — confirm.
  string Role = 3 [
    (gogoproto.jsontag) = "role",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/types.SystemRole"
  ];
  // AdditionalPrincipals is a list of additional principals
  // to include in OpenSSH and X509 certificates.
  repeated string AdditionalPrincipals = 4 [(gogoproto.jsontag) = "additional_principals,omitempty"];
  // DNSNames is a list of DNS names to include in x509 certificates.
  repeated string DNSNames = 5 [(gogoproto.jsontag) = "dns_names,omitempty"];
  // PublicTLSKey is a PEM encoded public key, which the auth server will use
  // to create a signed TLS certificate. This field is required.
  // Only the public key travels in this request.
  bytes PublicTLSKey = 6 [(gogoproto.jsontag) = "public_tls_key"];
  // PublicSSHKey is a SSH encoded public key, which the auth server will use
  // to create a signed SSH certificate. This field is required.
  bytes PublicSSHKey = 7 [(gogoproto.jsontag) = "public_ssh_key"];
  // RemoteAddr is the IP address of the remote host requesting a certificate.
  // RemoteAddr is used to replace 0.0.0.0 in the list of additional principals.
  // NOTE(review): because this is a request field it is client-controlled. If
  // the server substitutes it into certificate principals it should take the
  // value from (or check it against) the observed peer address rather than
  // trust it as sent — the server-side handling is not visible here, confirm.
  string RemoteAddr = 8 [(gogoproto.jsontag) = "remote_addr"];
  // Rotation allows clients to send the certificate authority rotation state
  // expected by the client so that auth servers can avoid the situation when
  // clients request certs assuming one state and auth servers issue another.
  types.Rotation Rotation = 9 [(gogoproto.jsontag) = "rotation,omitempty"];
  // NoCache is an argument that only local callers can supply to bypass the
  // cache. The "-" jsontag keeps it out of the JSON encoding; presumably the
  // server also ignores or rejects it when set by a remote caller — confirm.
  bool NoCache = 10 [(gogoproto.jsontag) = "-"];
  // SystemRoles is a list of system roles held by the host. Most host certs are
  // single-role and only specify the Role field. The SystemRoles field is only
  // currently used on Instance certs, which need to express all roles held by
  // the instance.
  // NOTE(review): like Role, these are caller-asserted; the server must confirm
  // the caller actually holds each role before encoding them into a cert
  // (that check is not visible here).
  repeated string SystemRoles = 11 [
    (gogoproto.jsontag) = "system_roles,omitempty",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/types.SystemRole"
  ];
}
// OpenSSHCertRequest specifies certificate-generation parameters
// for certificates used to connect to Agentless nodes (signed by the
// OpenSSH CA rather than the user CA).
message OpenSSHCertRequest {
  reserved 1; // Username, jsontag "username"
  reserved "Username";
  // PublicKey is the public key to sign.
  bytes PublicKey = 2 [(gogoproto.jsontag) = "public_key"];
  // TTL is the duration the certificate will be valid for.
  // Cast to a Go Duration on the generated side, so presumably nanoseconds —
  // confirm against the caller.
  int64 TTL = 3 [
    (gogoproto.jsontag) = "ttl",
    (gogoproto.casttype) = "Duration"
  ];
  // Cluster is the Teleport cluster name the target node is connected to.
  string Cluster = 4 [(gogoproto.jsontag) = "cluster"];
  // User is the Teleport user the certificate will be generated for.
  // NOTE(review): this is a full user resource carried in the request, not a
  // name looked up by the server. The auth server must not derive the cert's
  // identity/traits from a client-supplied object without validating it
  // against backend state; whether it does is not visible here — confirm.
  types.UserV2 User = 5 [(gogoproto.jsontag) = "user"];
  // Roles are the roles of the Teleport user the certificate will be
  // generated for.
  // NOTE(review): same concern as User — these are full role definitions in
  // the request, so a caller able to reach this RPC could in principle supply
  // arbitrary role bodies. Server-side validation is not visible here — confirm.
  repeated types.RoleV6 Roles = 6 [(gogoproto.jsontag) = "roles"];
}
// OpenSSHCert is an SSH certificate signed by the OpenSSH CA, returned for an
// OpenSSHCertRequest.
message OpenSSHCert {
  // Cert is the signed certificate (encoding not stated here; presumably the
  // OpenSSH wire format — confirm against the consumer).
  bytes Cert = 1 [(gogoproto.jsontag) = "cert"];
}
// UserCertsRequest specifies certificate-generation parameters
// for a user. Several fields (AccessRequests, RoleRequests, RouteTo*, the
// cloud identities in RouteToApp) widen or re-scope what the resulting
// certificate grants, so every one of them is an authorization decision the
// auth server has to make against the caller's real identity.
message UserCertsRequest {
  // PublicKey is a public key to be signed.
  bytes PublicKey = 1 [(gogoproto.jsontag) = "public_key"];
  // Username of key owner.
  // NOTE(review): caller-supplied; the server must reconcile this with the
  // authenticated identity (impersonation is a privileged operation). The
  // check is not visible here — confirm.
  string Username = 2 [(gogoproto.jsontag) = "username"];
  // Expires is the desired expiry time of the certificate. The server may
  // shorten it based on the user's permissions (e.g. role max session TTL);
  // callers should read the TTL from the issued cert, not assume this value.
  google.protobuf.Timestamp Expires = 3 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires,omitempty"
  ];
  // Format encodes the desired SSH certificate format: either the old
  // SSH-compatibility format (which omits some metadata that troubles old
  // SSH servers) or the standard SSH cert format with custom extensions.
  string Format = 4 [(gogoproto.jsontag) = "format,omitempty"];
  // RouteToCluster is an optional cluster name to add to the certificate,
  // so that requests originating with this certificate will be redirected
  // to this cluster.
  string RouteToCluster = 5 [(gogoproto.jsontag) = "route_to_cluster,omitempty"];
  // AccessRequests is an optional list of request IDs indicating requests whose
  // escalated privileges should be added to the certificate.
  // NOTE(review): this is the privilege-escalation path; the server must
  // verify each ID refers to an approved request belonging to this user
  // before encoding the extra roles (not visible here — confirm).
  repeated string AccessRequests = 6 [(gogoproto.jsontag) = "access_requests,omitempty"];
  // KubernetesCluster specifies the target kubernetes cluster for TLS
  // identities. This can be empty on older Teleport clients.
  string KubernetesCluster = 7 [(gogoproto.jsontag) = "kubernetes_cluster,omitempty"];
  // RouteToDatabase specifies the target database proxy name to encode into
  // certificate so database client requests are routed appropriately.
  RouteToDatabase RouteToDatabase = 8 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "route_to_database,omitempty"
  ];
  // NodeName is the name of the SSH node that this user certificate will be
  // scoped to.
  string NodeName = 9 [(gogoproto.jsontag) = "node_name,omitempty"];
  // CertUsage restricts what a single-protocol certificate may be used for.
  // Note the values are not prefixed with the enum name; this is fine for the
  // generated Go code (UserCertsRequest_All) but would collide in C++-style
  // scoping if other enums in this message reused the names.
  enum CertUsage {
    // All means a request for both SSH and TLS certificates for the
    // overall user session. These certificates are not specific to any SSH
    // node, Kubernetes cluster, database or web app.
    All = 0;
    // SSH means a request for an SSH certificate for access to a specific
    // SSH node, as specified by NodeName.
    SSH = 1;
    // Kubernetes means a request for a TLS certificate for access to a
    // specific Kubernetes cluster, as specified by KubernetesCluster.
    Kubernetes = 2;
    // Database means a request for a TLS certificate for access to a
    // specific database, as specified by RouteToDatabase.
    Database = 3;
    // App means a request for a TLS certificate for access to a specific
    // web app, as specified by RouteToApp.
    App = 4;
    // WindowsDesktop means a request for a TLS certificate for access to a specific
    // windows desktop, as specified by RouteToWindowsDesktop.
    WindowsDesktop = 5;
  }
  // Usage limits the resulting user certificate to a single protocol.
  // The zero value (All) is the unrestricted session certificate, so a
  // client that forgets to set this gets the broadest cert — be deliberate.
  CertUsage Usage = 10 [(gogoproto.jsontag) = "usage,omitempty"];
  // RouteToApp specifies the application to issue a certificate for,
  // including any cloud identity (AWS role / Azure identity / GCP service
  // account) to assume.
  RouteToApp RouteToApp = 11 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "route_to_app,omitempty"
  ];
  // RoleRequests specify an alternative set of named roles to apply to the
  // certificate, assuming the requestor is allowed to impersonate said roles
  // directly. An empty set of requests returns the user's normal set of
  // roles (but see UseRoleRequests).
  repeated string RoleRequests = 12 [(gogoproto.jsontag) = "role_requests,omitempty"];
  // RouteToWindowsDesktop specifies the target windows desktop name to encode into
  // certificate so windows desktop client requests are routed appropriately.
  RouteToWindowsDesktop RouteToWindowsDesktop = 13 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "route_to_windows_desktop,omitempty"
  ];
  // UseRoleRequests is used to ensure a certificate request is intended to
  // use role impersonation, even if the list of role requests is empty.
  // Needed because proto3 cannot distinguish an empty RoleRequests list from
  // an absent one.
  bool UseRoleRequests = 14 [(gogoproto.jsontag) = "use_role_requests,omitempty"];
  // DropAccessRequests is an optional list of request IDs indicating requests
  // whose escalated privileges should be removed from the certificate.
  // IDs pointing at non-existent requests are ignored.
  //
  // If present, the roles and traits in the generated cert will be based on
  // the state of the user resource on the backend, active requests (not being
  // dropped) and new access requests specified through AccessRequests (if any).
  //
  // This means that technically sending UserCertsRequest with bogus IDs in
  // DropAccessRequests can be used to refresh the role list based on backend
  // state. A better long-term solution would be to add a dedicated field for
  // this to avoid sending bogus IDs.
  repeated string DropAccessRequests = 15 [(gogoproto.jsontag) = "drop_access_requests,omitempty"];
  // ConnectionDiagnosticID is the ID of the ConnectionDiagnostic resource we should use to add
  // traces as we pass certain checkpoints.
  string ConnectionDiagnosticID = 16 [(gogoproto.jsontag) = "connection_diagnostic_id,omitempty"];
  // Requester is the name of the service that sent the request.
  // This is self-reported by the client and should be treated as a hint
  // (e.g. for telemetry or UX), not as an authenticated attribute.
  enum Requester {
    // UNSPECIFIED is set when the requester is unknown.
    UNSPECIFIED = 0;
    // TSH_DB_LOCAL_PROXY_TUNNEL is set when the request was sent by a tsh db local proxy tunnel.
    TSH_DB_LOCAL_PROXY_TUNNEL = 1;
    // TSH_KUBE_LOCAL_PROXY is set when the request was sent by a tsh kube local proxy.
    TSH_KUBE_LOCAL_PROXY = 2;
    // TSH_KUBE_LOCAL_PROXY_HEADLESS is set when the request was sent by a tsh kube local proxy in headless mode.
    TSH_KUBE_LOCAL_PROXY_HEADLESS = 3;
  }
  // RequesterName identifies who sent the request.
  Requester RequesterName = 17 [(gogoproto.jsontag) = "requester_name"];
  // MFAResponse is a response to a challenge from a user's MFA device.
  // An optional field, that when provided, the response will be validated
  // and the ID of the validated MFA device will be stored in the certificate.
  MFAAuthenticateResponse MFAResponse = 18 [(gogoproto.jsontag) = "mfa_response,omitempty"];
  // SSHLogin is the OS Login for the SSH session that the certificate will be used for.
  // This login is used when performing RBAC checks to determine if MFA is required
  // to access the resource.
  // NOTE(review): unlike the other fields this one carries no jsontag, so its
  // JSON key is whatever the generator defaults to rather than snake_case.
  // Left as-is because changing the tag would alter the JSON encoding.
  string SSHLogin = 19;
  // attestation_statement is an attestation statement for the given public key
  // (e.g. proof that the key lives in a hardware authenticator). Naming is
  // lower_snake_case here, unlike the rest of this message — keep in mind
  // when generating accessors.
  teleport.attestation.v1.AttestationStatement attestation_statement = 20;
}
// RouteToDatabase combines parameters for database service routing information
// encoded into a user certificate (see UserCertsRequest.RouteToDatabase).
message RouteToDatabase {
  // ServiceName is the Teleport database proxy service name the cert is for.
  string ServiceName = 1 [(gogoproto.jsontag) = "service_name"];
  // Protocol is the type of the database the cert is for.
  string Protocol = 2 [(gogoproto.jsontag) = "protocol"];
  // Username is an optional database username to embed.
  // Embedding it in the cert means the database user is fixed at issuance
  // time; the server is expected to check it against the user's allowed
  // db_users (not visible here — confirm).
  string Username = 3 [(gogoproto.jsontag) = "username,omitempty"];
  // Database is an optional database name to embed.
  string Database = 4 [(gogoproto.jsontag) = "database,omitempty"];
}
// RouteToWindowsDesktop combines parameters for windows desktop routing
// information encoded into a user certificate.
message RouteToWindowsDesktop {
  // WindowsDesktop is the Windows Desktop server name to embed.
  string WindowsDesktop = 1 [(gogoproto.jsontag) = "windows_desktop"];
  // Login is the Windows desktop user login to embed. Like the SSH login,
  // this is a requested value the server must authorize before encoding.
  string Login = 2 [(gogoproto.jsontag) = "login"];
}
// RouteToApp contains parameters for application access certificate requests.
// The three cloud-identity fields are mutually exclusive in practice (an app
// is AWS, Azure or GCP) but nothing in the schema enforces that — the server
// has to.
message RouteToApp {
  // Name is the application name certificate is being requested for.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // SessionID is the ID of the application session.
  string SessionID = 2 [(gogoproto.jsontag) = "session_id"];
  // PublicAddr is the application public address.
  string PublicAddr = 3 [(gogoproto.jsontag) = "public_addr"];
  // ClusterName is the cluster where the application resides.
  string ClusterName = 4 [(gogoproto.jsontag) = "cluster_name"];
  // AWSRoleARN is the AWS role to assume when accessing AWS API.
  // NOTE(review): a caller-requested cloud principal; the server must check it
  // against the roles the user is permitted to assume (aws_role_arns or
  // equivalent) before issuing the cert. Not visible here — confirm.
  string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn,omitempty"];
  // AzureIdentity is the Azure identity to assume when accessing Azure API.
  // Same authorization caveat as AWSRoleARN.
  string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
  // GCPServiceAccount is the GCP service account to assume when accessing GCP API.
  // Same authorization caveat as AWSRoleARN.
  string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
}
// GetUserRequest specifies parameters for the GetUser method.
message GetUserRequest {
  // Name is the name of the desired user.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // WithSecrets specifies whether to load associated secrets.
  // Which secrets are included is not stated here (presumably local-auth
  // material such as MFA devices); a request with this set should require a
  // higher privilege than a plain read — confirm the server enforces that.
  bool WithSecrets = 2 [(gogoproto.jsontag) = "with_secrets,omitempty"];
}
// GetUsersRequest specifies parameters for the GetUsers method.
message GetUsersRequest {
  // WithSecrets specifies whether to load associated secrets for every user
  // returned. Same privilege caveat as GetUserRequest.WithSecrets, amplified
  // because this is a bulk read.
  bool WithSecrets = 1 [(gogoproto.jsontag) = "with_secrets"];
}
// ChangePasswordRequest specifies the parameters for the ChangePassword method.
// It carries raw password material; implementations must not log or persist
// this message and should rely on the transport for confidentiality.
message ChangePasswordRequest {
  // User is the name of the user whose password is being changed. Note the
  // JSON key is "name", not "user".
  string User = 1 [(gogoproto.jsontag) = "name"];
  // OldPassword is the current password, used to re-authenticate the change.
  bytes OldPassword = 2 [(gogoproto.jsontag) = "old_password"];
  // NewPassword is the password to set.
  bytes NewPassword = 3 [(gogoproto.jsontag) = "new_password"];
  // SecondFactorToken is a second-factor token (presumably an OTP code —
  // confirm) used as an alternative to Webauthn.
  string SecondFactorToken = 4 [(gogoproto.jsontag) = "second_factor_token"];
  // Webauthn is a WebAuthn assertion response used as the second factor.
  // Which of SecondFactorToken / Webauthn is required is decided server-side
  // and is not visible here.
  webauthn.CredentialAssertionResponse Webauthn = 5 [(gogoproto.jsontag) = "webauthn"];
}
// PluginDataSeq is a sequence of plugin data, used as a list-style response
// wrapper.
message PluginDataSeq {
  // PluginData is the list of plugin data resources.
  repeated types.PluginDataV3 PluginData = 1 [(gogoproto.jsontag) = "plugin_data"];
}
// RequestStateSetter encodes the parameters necessary to update the
// state of a privilege escalation (access) request, e.g. approve or deny it.
message RequestStateSetter {
  // ID is the request ID being targeted.
  string ID = 1 [(gogoproto.jsontag) = "id"];
  // State is the desired state to be set.
  types.RequestState State = 2 [(gogoproto.jsontag) = "state"];
  // Delegator is an optional indicator of who delegated this
  // state update (used by plugins to indicate which user approved
  // or denied the request).
  // NOTE(review): this is a free-form string supplied by the caller, so it is
  // only as trustworthy as the caller (the plugin). It is informational for
  // the audit trail and should not be used as the authorizing identity.
  string Delegator = 3 [(gogoproto.jsontag) = "delegator,omitempty"];
  // Reason is an optional message indicating the reason for the
  // resolution (approval, denial, etc...).
  string Reason = 4 [(gogoproto.jsontag) = "reason,omitempty"];
  // Annotations are key/value pairs received from plugins during request
  // resolution. They are currently only used to provide additional logging
  // information.
  wrappers.LabelValues Annotations = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "annotations,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];
  // Roles, if present, overrides the existing set of roles associated
  // with the access request. An approver can therefore narrow (or, absent a
  // server-side check, widen) what the request grants — the server must
  // ensure the override is a subset of what was requested; not visible here.
  repeated string Roles = 6 [(gogoproto.jsontag) = "roles,omitempty"];
  // AssumeStartTime is the time the requested roles can be assumed.
  // Nullable: unset means "immediately on approval".
  google.protobuf.Timestamp AssumeStartTime = 7 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = true,
    (gogoproto.jsontag) = "assume_start_time,omitempty"
  ];
}
// RequestID is the unique identifier of an access request, used as the
// parameter of single-request operations (get/delete).
message RequestID {
  // ID is the access request ID.
  string ID = 1 [(gogoproto.jsontag) = "id"];
}
// GetResetPasswordTokenRequest is a request to get a reset password token.
message GetResetPasswordTokenRequest {
  // TokenID is the token identifier. Note the JSON key is "token". A reset
  // token is a bearer capability to set a user's password, so treat this
  // value as a secret (do not log it).
  string TokenID = 1 [(gogoproto.jsontag) = "token"];
}
// CreateResetPasswordTokenRequest is a request to create a reset password token.
// Creating such a token is effectively an account-takeover capability for the
// named user, so the RPC must be restricted to administrators (enforced
// server-side; not visible here).
message CreateResetPasswordTokenRequest {
  // Name is the user name.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // Type is a token type. The accepted values are defined elsewhere — an
  // open string rather than an enum.
  string Type = 2 [(gogoproto.jsontag) = "type"];
  // TTL specifies how long the generated token is valid for.
  // Cast to a Go Duration, so presumably nanoseconds — confirm. Callers should
  // keep this short; the server may clamp it.
  int64 TTL = 3 [
    (gogoproto.jsontag) = "ttl",
    (gogoproto.casttype) = "Duration"
  ];
}
// RenewableCertsRequest is a request to generate a first set of renewable
// certificates from a bot join token (the bootstrap step of Machine ID).
message RenewableCertsRequest {
  // Token is a bot join token. This is a bearer secret: possession of it is
  // the whole authentication for this request, so it must not be logged and
  // should be single-use / short-lived on the server side (not visible here).
  string Token = 1 [(gogoproto.jsontag) = "token"];
  // PublicKey is a public key to be signed.
  bytes PublicKey = 2 [(gogoproto.jsontag) = "public_key"];
}
// CreateBotRequest is used to create a bot User and associated resources
// (a bot role and, optionally, a join token).
message CreateBotRequest {
  // Name is the name of the bot, i.e. the unprefixed User name.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // TTL is the desired TTL for the token if one is created. If unset, a
  // server default is used. Cast to a Go Duration (presumably nanoseconds).
  int64 TTL = 2 [
    (gogoproto.jsontag) = "ttl",
    (gogoproto.casttype) = "Duration"
  ];
  // TokenID is an optional token name when an existing EC2/IAM join token
  // should be used. If unset, a new random token is created and its name
  // returned.
  string TokenID = 3 [(gogoproto.jsontag) = "token_id"];
  // Roles is a list of roles the created bot should be allowed to assume
  // via role impersonation.
  // NOTE(review): this grants standing impersonation rights to an unattended
  // identity. The server is expected to require that the creator may
  // themselves grant each listed role; that check is not visible here.
  repeated string Roles = 4 [(gogoproto.jsontag) = "roles"];
  // Traits are used to populate role variables. These will propagate to
  // role impersonated certificates generated by the bot.
  wrappers.LabelValues Traits = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "traits,omitempty",
    (gogoproto.customtype) = "github.com/gravitational/teleport/api/types/wrappers.Traits"
  ];
}
// CreateBotResponse returns details for bootstrapping a new bot.
message CreateBotResponse {
  // UserName is the name of the associated bot user.
  string UserName = 1 [(gogoproto.jsontag) = "user_name"];
  // RoleName is the name of the associated bot role.
  string RoleName = 2 [(gogoproto.jsontag) = "role_name"];
  // TokenID is the name of the join token for the bot.
  // NOTE(review): when the server generated a random token, this name is
  // presumably the join secret itself (see RenewableCertsRequest.Token) and
  // must be handled as a credential — confirm.
  string TokenID = 3 [(gogoproto.jsontag) = "token_id"];
  // TokenTTL is the TTL for the token. If it differs from the requested TTL,
  // it may have been limited by server policy. Note the JSON key is "ttl".
  int64 TokenTTL = 4 [
    (gogoproto.jsontag) = "ttl",
    (gogoproto.casttype) = "Duration"
  ];
  // JoinMethod is the join method the bot must use to join the cluster.
  string JoinMethod = 5 [
    (gogoproto.jsontag) = "join_method",
    (gogoproto.casttype) = "github.com/gravitational/teleport/api/types.JoinMethod"
  ];
}
// DeleteBotRequest is a request to delete a bot user (and, presumably, its
// associated role and token — confirm against the handler).
message DeleteBotRequest {
  // Name is the name of the bot, i.e. the unprefixed User name.
  string Name = 1 [(gogoproto.jsontag) = "name"];
}
// GetBotUsersRequest specifies parameters for the GetBotUsers method.
// Kept as a dedicated (currently empty) message rather than google.protobuf.Empty
// so fields can be added later without changing the RPC signature.
message GetBotUsersRequest {
  // GetBotUsers currently takes no parameters.
}
// PingRequest is the input value for the Ping method. Deliberately a
// dedicated empty message so parameters can be added without a breaking
// signature change.
message PingRequest {
  // Ping method currently takes no parameters.
}
// PingResponse contains data about the teleport auth server. Everything here
// is server-asserted; clients use it for capability discovery, not for any
// security decision.
message PingResponse {
  // ClusterName is the name of the teleport cluster.
  string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name"];
  // ServerVersion is the version of the auth server.
  string ServerVersion = 2 [(gogoproto.jsontag) = "server_version"];
  // ServerFeatures are the features supported by the auth server.
  Features ServerFeatures = 3 [(gogoproto.jsontag) = "server_features"];
  // ProxyPublicAddr is the server's public proxy address.
  string ProxyPublicAddr = 4 [(gogoproto.jsontag) = "proxy_public_addr"];
  // IsBoring signals whether or not the server was compiled with BoringCrypto
  // (i.e. a FIPS-validated crypto module).
  bool IsBoring = 5 [(gogoproto.jsontag) = "is_boring"];
  // RemoteAddr is the client peer addr as seen from the auth server (used to assist
  // instances in guessing their external IP when none is configured).
  // It reflects whatever hop the auth server saw (possibly a load balancer),
  // so it is a hint, not an authoritative external address.
  string RemoteAddr = 7 [(gogoproto.jsontag) = "remote_addr"];
  // LoadAllCAs signals whether or not tsh should load all CAs when trying
  // to ssh into a node.
  bool LoadAllCAs = 8 [(gogoproto.jsontag) = "load_all_cas"];
  reserved 6; // LicenseWarnings, jsontag "license_warnings"
  reserved "LicenseWarnings";
}
// ProductType is the type of product (licensing tier) the auth server runs as.
enum ProductType {
  // PRODUCT_TYPE_UNKNOWN is the zero value and carries no meaning; servers
  // that predate this enum will report it.
  PRODUCT_TYPE_UNKNOWN = 0;
  // PRODUCT_TYPE_TEAM is Teleport Team product.
  PRODUCT_TYPE_TEAM = 1;
  // PRODUCT_TYPE_EUB is Teleport Enterprise Usage Based product.
  PRODUCT_TYPE_EUB = 2;
}
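// Features are auth server features: the product/feature flags and
// per-feature limits the server reports to clients in PingResponse.
// These are informational for clients (UI gating); enforcement happens
// server-side.
message Features {
  // Kubernetes enables Kubernetes Access product.
  bool Kubernetes = 1 [(gogoproto.jsontag) = "kubernetes"];
  // App enables Application Access product.
  bool App = 2 [(gogoproto.jsontag) = "app"];
  // DB enables database access product.
  bool DB = 3 [(gogoproto.jsontag) = "db"];
  // OIDC enables OIDC connectors.
  bool OIDC = 4 [(gogoproto.jsontag) = "oidc"];
  // SAML enables SAML connectors.
  bool SAML = 5 [(gogoproto.jsontag) = "saml"];
  // AccessControls enables FIPS access controls.
  bool AccessControls = 6 [(gogoproto.jsontag) = "access_controls"];
  // Currently this flag is to gate actions from OSS clusters.
  //
  // Determining support for access request is currently determined by:
  // 1) Enterprise + [Features.IdentityGovernance] (field 23) == true, new flag
  // introduced with Enterprise Usage Based (EUB) product.
  // 2) Enterprise + [Features.IsUsageBased] (field 17) == false, legacy support
  // where before EUB, it was unlimited.
  //
  // AdvancedAccessWorkflows is currently set to true for all
  // enterprise editions (team, cloud, on-prem). Historically, access request
  // was only available for enterprise cloud and enterprise on-prem.
  bool AdvancedAccessWorkflows = 7 [(gogoproto.jsontag) = "advanced_access_workflows"];
  // Cloud enables some cloud-related features.
  bool Cloud = 8 [(gogoproto.jsontag) = "cloud"];
  // HSM enables PKCS#11 HSM support.
  bool HSM = 9 [(gogoproto.jsontag) = "hsm"];
  // Desktop enables desktop access product.
  bool Desktop = 10 [(gogoproto.jsontag) = "desktop"];
  reserved 11; // bool ModeratedSessions
  reserved 12; // bool MachineID
  reserved 13; // bool ResourceAccessRequests
  // Reserve the removed field names too, so they cannot be reintroduced under
  // a different number (which would change the JSON encoding and generated
  // API out from under older clients).
  reserved "ModeratedSessions", "MachineID", "ResourceAccessRequests";
  // RecoveryCodes enables recovery codes.
  bool RecoveryCodes = 14 [(gogoproto.jsontag) = "recovery_codes"];
  // Plugins enables hosted plugins.
  bool Plugins = 15 [(gogoproto.jsontag) = "plugins"];
  // AutomaticUpgrades enables Automatic Upgrades for the agents/services.
  bool AutomaticUpgrades = 16 [(gogoproto.jsontag) = "automatic_upgrades"];
  // IsUsageBased enables some usage-based billing features.
  bool IsUsageBased = 17 [(gogoproto.jsontag) = "is_usage_based"];
  // Assist enables the Assistant feature.
  bool Assist = 18 [(gogoproto.jsontag) = "assist"];
  // DeviceTrust holds its namesake feature settings.
  DeviceTrustFeature DeviceTrust = 19 [(gogoproto.jsontag) = "device_trust,omitempty"];
  // FeatureHiding enables hiding features from being discoverable for users who don't have the necessary permissions.
  bool FeatureHiding = 20 [(gogoproto.jsontag) = "feature_hiding,omitempty"];
  // AccessRequests holds its namesake feature settings.
  AccessRequestsFeature AccessRequests = 21 [(gogoproto.jsontag) = "access_requests,omitempty"];
  // CustomTheme holds the name of WebUI custom theme.
  string CustomTheme = 22 [(gogoproto.jsontag) = "custom_theme,omitempty"];
  // IdentityGovernance indicates whether IGS related features are enabled:
  // access list, access request, access monitoring, device trust.
  bool IdentityGovernance = 23 [(gogoproto.jsontag) = "identity_governance,omitempty"];
  // AccessGraph indicates whether Teleport Access Graph is enabled.
  bool AccessGraph = 24 [(gogoproto.jsontag) = "access_graph,omitempty"];
  // AccessList holds its namesake feature settings.
  AccessListFeature AccessList = 25 [(gogoproto.jsontag) = "access_list,omitempty"];
  // AccessMonitoring holds its namesake feature settings.
  AccessMonitoringFeature AccessMonitoring = 26 [(gogoproto.jsontag) = "access_monitoring,omitempty"];
  // ProductType describes the product being used.
  ProductType ProductType = 27 [(gogoproto.jsontag) = "product_type,omitempty"];
}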
// DeviceTrustFeature holds the Device Trust feature general and usage-based
// settings.
// Limits have no effect if [Features.IdentityGovernance] is enabled.
message DeviceTrustFeature {
  // Currently this flag is to gate actions from OSS clusters.
  //
  // Determining support for device trust is currently determined by:
  // 1) Enterprise + [Features.IdentityGovernance] (field 23) == true, new flag
  // introduced with Enterprise Usage Based (EUB) product.
  // 2) Enterprise + [Features.IsUsageBased] (field 17) == false, legacy support
  // where before EUB, it was unlimited.
  bool enabled = 1 [(gogoproto.jsontag) = "enabled,omitempty"];
  // Usage-based limit for the number of registered/enrolled devices, at the
  // implementation's discretion. Zero is indistinguishable from "unset" in
  // proto3, so 0 must not be read as "no devices allowed".
  int32 devices_usage_limit = 2 [(gogoproto.jsontag) = "devices_usage_limit,omitempty"];
}
// AccessRequestsFeature holds the AccessRequest feature general and usage-based
// settings.
// Limits have no effect if [Features.IdentityGovernance] is enabled.
message AccessRequestsFeature {
  // Usage-based limit for the number of access requests created in a
  // calendar month. No omitempty here, unlike the sibling feature messages,
  // so a zero limit is always serialized.
  int32 monthly_request_limit = 1 [(gogoproto.jsontag) = "monthly_request_limit"];
  reserved 2;
  reserved "enabled";
}
// AccessListFeature holds the Access List feature settings.
// Limits have no effect if [Features.IdentityGovernance] is enabled.
message AccessListFeature {
  // Limit for the number of access lists creatable when the feature is
  // not enabled.
  int32 create_limit = 1 [(gogoproto.jsontag) = "create_limit,omitempty"];
}
// AccessMonitoringFeature holds the Access Monitoring feature settings.
// Limits have no effect if [Features.IdentityGovernance] is enabled.
message AccessMonitoringFeature {
  // True if enabled in the auth service config: [auth_service.access_monitoring.enabled].
  bool enabled = 1 [(gogoproto.jsontag) = "enabled,omitempty"];
  // Defines the max number of days to include in an access report.
  int32 max_report_range_limit = 2 [(gogoproto.jsontag) = "max_report_range_limit,omitempty"];
}
// DeleteUserRequest is the input value for the DeleteUser method.
message DeleteUserRequest {
  // Name is the user name to delete.
  string Name = 1 [(gogoproto.jsontag) = "name"];
}
// Semaphores is a sequence of Semaphore resources, used as a list response.
message Semaphores {
  // Semaphores is the list of semaphore resources.
  repeated types.SemaphoreV3 Semaphores = 1 [(gogoproto.jsontag) = "semaphores"];
}
// AuditStreamRequest contains a stream request - either an event or a stream
// control message. It is the client-to-server message of the audit event
// upload stream.
message AuditStreamRequest {
  // Request is either a stream control request - create, resume or complete
  // stream - or an event submitted as a part of the stream. Exactly one is
  // set per message.
  oneof Request {
    // CreateStream creates the stream for a session ID and
    // should be the first message sent to the stream.
    CreateStream CreateStream = 1;
    // ResumeStream resumes an existing stream and, when used, should be the
    // first message sent to the stream.
    ResumeStream ResumeStream = 2;
    // CompleteStream completes the stream.
    CompleteStream CompleteStream = 3;
    // FlushAndCloseStream flushes and closes the stream.
    FlushAndCloseStream FlushAndCloseStream = 4;
    // Event contains the stream event.
    events.OneOf Event = 5;
  }
}
// AuditStreamStatus returns audit stream status
// with the corresponding upload ID (the server-to-client message of the
// audit stream).
message AuditStreamStatus {
  // UploadID is the upload ID associated with the stream; it can be used to
  // resume the stream via ResumeStream.
  string UploadID = 1;
}
// CreateStream creates a stream for a new session ID.
message CreateStream {
  // SessionID is the session the uploaded events belong to. Whether the
  // server checks that the caller is entitled to upload for this session is
  // not visible here — confirm.
  string SessionID = 1;
}
// ResumeStream resumes a stream that was previously created.
message ResumeStream {
  // SessionID is a session ID of the stream.
  string SessionID = 1;
  // UploadID is the upload ID to resume (as returned in AuditStreamStatus).
  // Anyone who knows a (SessionID, UploadID) pair can append to that upload,
  // so the server must still authorize the resuming caller — not visible here.
  string UploadID = 2;
}
// CompleteStream completes the stream
// and uploads it to the session server. It carries no fields;
// new fields can be added later without changing the oneof member type.
message CompleteStream {}
// FlushAndCloseStream flushes the stream data and closes the stream.
// It carries no fields; new fields can be added later without changing
// the oneof member type.
message FlushAndCloseStream {}
// UpsertApplicationServerRequest upserts an app server.
message UpsertApplicationServerRequest {
  // Server is the app server resource to register (created or updated in place).
  types.AppServerV3 Server = 1 [(gogoproto.jsontag) = "server"];
}
// DeleteApplicationServerRequest is a request to delete an app server.
message DeleteApplicationServerRequest {
  // Namespace is the app server namespace.
  string Namespace = 1 [(gogoproto.jsontag) = "namespace"];
  // HostID is the app server host UUID.
  string HostID = 2 [(gogoproto.jsontag) = "host_id"];
  // Name is the name of the application to delete.
  string Name = 3 [(gogoproto.jsontag) = "name"];
}
// DeleteAllApplicationServersRequest are the parameters used to remove all
// application servers.
message DeleteAllApplicationServersRequest {
  // Namespace is the namespace whose app servers are removed.
  string Namespace = 1 [(gogoproto.jsontag) = "namespace"];
}
// GenerateAppTokenRequest are the parameters used to request an application
// token. The signed token is returned in GenerateAppTokenResponse; the
// identity values below are caller-supplied, so the server side is expected
// to validate them against the authenticated caller rather than trust them
// as-is — TODO confirm where that check lives.
message GenerateAppTokenRequest {
  // Username is the Teleport username the token is issued for.
  string Username = 1 [(gogoproto.jsontag) = "username"];
  // Roles is a list of Teleport roles assigned to the user.
  repeated string Roles = 2 [(gogoproto.jsontag) = "roles"];
  // URI is the URI of the application this token is targeting.
  string URI = 3 [(gogoproto.jsontag) = "uri"];
  // Expires is the time this token expires. Non-nullable on the Go side
  // (gogoproto.nullable = false), so an unset value decodes as the zero time.
  // NOTE(review): the lifetime is caller-chosen; presumably capped server-side — confirm.
  google.protobuf.Timestamp Expires = 4 [
    (gogoproto.stdtime) = true,
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "expires"
  ];
  // Traits are the traits assigned to the user within Teleport, keyed by trait name.
  map<string, wrappers.StringValues> Traits = 5 [(gogoproto.jsontag) = "traits"];
}
// GenerateAppTokenResponse contains a signed application token.
message GenerateAppTokenResponse {
  // Token is the signed application token. Treat it as a credential:
  // it should not be logged or persisted in plaintext.
  string Token = 1 [(gogoproto.jsontag) = "token"];
}
// GetAppSessionRequest are the parameters used to request an application web session.
message GetAppSessionRequest {
  // SessionID is the ID of the session being requested.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id"];
}
// GetAppSessionResponse contains the requested application web session.
message GetAppSessionResponse {
  // Session is the application web session.
  types.WebSessionV2 Session = 1 [(gogoproto.jsontag) = "session"];
}
// ListAppSessionsRequest are the parameters used to request a page of
// application web sessions.
//
// Follows the pagination semantics of
// https://cloud.google.com/apis/design/standard_methods#list.
message ListAppSessionsRequest {
  // The maximum number of items to return.
  // The server may impose a different page size at its discretion.
  int32 page_size = 1;
  // The next_page_token value returned from a previous List request, if any.
  string page_token = 2;
  // Optional username which will filter the returned web sessions
  // to include only those for the given user. Empty means no user filter.
  string user = 3;
}
// ListAppSessionsResponse contains one page of the requested application web sessions.
message ListAppSessionsResponse {
  // Sessions for the retrieved page.
  repeated types.WebSessionV2 sessions = 1;
  // Token to retrieve the next page of results, or empty if there are no
  // more results in the list.
  string next_page_token = 2;
}
// GetSnowflakeSessionsResponse contains all the requested Snowflake web sessions.
message GetSnowflakeSessionsResponse {
  // Sessions is a list of Snowflake web sessions.
  repeated types.WebSessionV2 Sessions = 1 [(gogoproto.jsontag) = "sessions"];
}
// ListSAMLIdPSessionsRequest are the parameters used to request a page of
// SAML IdP sessions.
//
// Follows the pagination semantics of
// https://cloud.google.com/apis/design/standard_methods#list.
message ListSAMLIdPSessionsRequest {
  // The maximum number of items to return.
  // The server may impose a different page size at its discretion.
  int32 page_size = 1;
  // The next_page_token value returned from a previous List request, if any.
  string page_token = 2;
  // Optional username which will filter the returned SAML IdP sessions
  // to include only those for the given user. Empty means no user filter.
  string user = 3;
}
// ListSAMLIdPSessionsResponse contains one page of the requested SAML IdP sessions.
message ListSAMLIdPSessionsResponse {
  // Sessions for the retrieved page.
  repeated types.WebSessionV2 sessions = 1;
  // Token to retrieve the next page of results, or empty if there are no
  // more results in the list.
  string next_page_token = 2;
}
// CreateAppSessionRequest contains the parameters to request an application web session.
message CreateAppSessionRequest {
  // Field number 2 was removed; it is reserved so the number cannot be
  // reused with a different meaning.
  reserved 2;
  // Username is the name of the user requesting the session.
  string Username = 1 [(gogoproto.jsontag) = "username"];
  // PublicAddr is the public address of the application.
  string PublicAddr = 3 [(gogoproto.jsontag) = "public_addr"];
  // ClusterName is the cluster within which the application is running.
  string ClusterName = 4 [(gogoproto.jsontag) = "cluster_name"];
  // AWSRoleARN is the AWS role the user wants to assume.
  // NOTE(review): the cloud identities below are caller-chosen and therefore
  // authorization-relevant; presumably checked against the user's role
  // permissions by the server — confirm.
  string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn"];
  // AzureIdentity is the Azure identity the user wants to assume.
  string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity"];
  // GCPServiceAccount is the GCP service account the user wants to assume.
  string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account"];
}
// CreateAppSessionResponse contains the newly created application web session.
message CreateAppSessionResponse {
  // Session is the application web session.
  types.WebSessionV2 Session = 1 [(gogoproto.jsontag) = "session"];
}
// CreateSnowflakeSessionRequest contains the data required to create a Snowflake web session.
message CreateSnowflakeSessionRequest {
  // Username is the name of the user requesting the session.
  string Username = 1 [(gogoproto.jsontag) = "username"];
  // SessionToken is the Snowflake server session token. It is a credential
  // and should not be logged.
  string SessionToken = 2 [(gogoproto.jsontag) = "session_token"];
  // TokenTTL is the token validity period. Cast to a Duration on the Go side
  // via gogoproto.casttype; the unit of the raw int64 is not stated here
  // (presumably nanoseconds, as for a Go Duration — confirm).
  int64 TokenTTL = 3 [
    (gogoproto.jsontag) = "token_ttl",
    (gogoproto.casttype) = "Duration"
  ];
}
// CreateSnowflakeSessionResponse contains the newly created Snowflake web session.
message CreateSnowflakeSessionResponse {
  // Session is the Snowflake web session.
  types.WebSessionV2 Session = 1 [(gogoproto.jsontag) = "session"];
}
// CreateSAMLIdPSessionRequest contains the data required to create a SAML IdP session.
message CreateSAMLIdPSessionRequest {
  // SessionID is the identifier for the session.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id"];
  // Username is the name of the user requesting the session.
  string Username = 2 [(gogoproto.jsontag) = "username"];
  // SAMLSession is the session data associated with the SAML IdP session.
  types.SAMLSessionData SAMLSession = 3 [(gogoproto.jsontag) = "saml_session"];
}
// CreateSAMLIdPSessionResponse contains the newly created SAML IdP session.
message CreateSAMLIdPSessionResponse {
  // Session is the SAML IdP web session.
  types.WebSessionV2 Session = 1 [(gogoproto.jsontag) = "session"];
}
// GetSnowflakeSessionRequest are the parameters used to request a Snowflake web session.
message GetSnowflakeSessionRequest {
  // SessionID is the ID of the session being requested.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id"];
}
// GetSnowflakeSessionResponse contains the requested Snowflake web session.
message GetSnowflakeSessionResponse {
  // Session is the Snowflake web session.
  types.WebSessionV2 Session = 1 [(gogoproto.jsontag) = "session"];
}
// GetSAMLIdPSessionRequest are the parameters used to request a SAML IdP session.
message GetSAMLIdPSessionRequest {
  // SessionID is the ID of the session being requested.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id"];
}
// GetSAMLIdPSessionResponse contains the requested SAML IdP session.
message GetSAMLIdPSessionResponse {
  // Session is the SAML IdP web session.
  types.WebSessionV2 Session = 1 [(gogoproto.jsontag) = "session"];
}
// DeleteAppSessionRequest contains the parameters used to remove an application web session.
message DeleteAppSessionRequest {
  // SessionID is the ID of the application web session to remove.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id"];
}
// DeleteSnowflakeSessionRequest contains the parameters used to remove a Snowflake web session.
message DeleteSnowflakeSessionRequest {
  // SessionID is the ID of the Snowflake web session to remove.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id"];
}
// DeleteSAMLIdPSessionRequest contains the parameters used to remove a SAML IdP session.
message DeleteSAMLIdPSessionRequest {
  // SessionID is the ID of the SAML IdP session to remove.
  string SessionID = 1 [(gogoproto.jsontag) = "session_id"];
}
// DeleteUserAppSessionsRequest contains the parameters used to remove all of a
// user's application web sessions.
message DeleteUserAppSessionsRequest {
  // Username is the name of the user whose application web sessions are removed.
  string Username = 1 [(gogoproto.jsontag) = "username"];
}
// DeleteUserSAMLIdPSessionsRequest contains the parameters used to remove all of a
// user's SAML IdP sessions.
message DeleteUserSAMLIdPSessionsRequest {
  // Username is the name of the user whose SAML IdP sessions are removed.
  string Username = 1 [(gogoproto.jsontag) = "username"];
}
// GetWebSessionResponse contains the requested web session.
message GetWebSessionResponse {
  // Session is the web session.
  types.WebSessionV2 Session = 1 [(gogoproto.jsontag) = "session"];
}
// GetWebSessionsResponse contains all the requested web sessions.
message GetWebSessionsResponse {
  // Sessions is the list of web sessions.
  repeated types.WebSessionV2 Sessions = 1 [(gogoproto.jsontag) = "sessions"];
}
// GetWebTokenResponse contains the requested web token.
message GetWebTokenResponse {
  // Token is the requested web token. It is a credential and should not be logged.
  types.WebTokenV3 Token = 1 [(gogoproto.jsontag) = "token"];
}
// GetWebTokensResponse contains all the requested web tokens.
message GetWebTokensResponse {
  // Tokens is the list of web tokens. They are credentials and should not be logged.
  repeated types.WebTokenV3 Tokens = 1 [(gogoproto.jsontag) = "tokens"];
}
// UpsertKubernetesServerRequest are the parameters used to add or update a
// Kubernetes server.
message UpsertKubernetesServerRequest {
  // Server is the Kubernetes server resource to register (created or updated in place).
  types.KubernetesServerV3 Server = 1 [(gogoproto.jsontag) = "server"];
}
// DeleteKubernetesServerRequest are the parameters used to remove a Kubernetes server.
message DeleteKubernetesServerRequest {
  // HostID is the kube server host UUID.
  string HostID = 1 [(gogoproto.jsontag) = "host_id"];
  // Name is the name of the Kubernetes service to delete.
  string Name = 2 [(gogoproto.jsontag) = "name"];
}
// DeleteAllKubernetesServersRequest are the parameters used to remove all Kubernetes servers.
// It currently carries no fields; keep it as a dedicated message so fields can be added later.
message DeleteAllKubernetesServersRequest {}
// UpsertDatabaseServerRequest is a request to register a database server.
message UpsertDatabaseServerRequest {
  // Server is the database proxy server to register (created or updated in place).
  types.DatabaseServerV3 Server = 1 [(gogoproto.jsontag) = "server"];
}
// DeleteDatabaseServerRequest is a request to delete a database server.
message DeleteDatabaseServerRequest {
  // Namespace is the database server namespace.
  string Namespace = 1 [(gogoproto.jsontag) = "namespace"];
  // HostID is the ID of the host the database server is running on.
  string HostID = 2 [(gogoproto.jsontag) = "host_id"];
  // Name is the database server name.
  string Name = 3 [(gogoproto.jsontag) = "name"];
}
// DeleteAllDatabaseServersRequest is a request to delete all database servers.
message DeleteAllDatabaseServersRequest {
  // Namespace is the namespace whose database servers are removed.
  string Namespace = 1 [(gogoproto.jsontag) = "namespace"];
}
// DatabaseServiceV1List represents a list of DatabaseService resources.
message DatabaseServiceV1List {
  // Services is the list of DatabaseService resources.
  repeated types.DatabaseServiceV1 Services = 1;
}
// UpsertDatabaseServiceRequest is a request to register a DatabaseService.
message UpsertDatabaseServiceRequest {
  // Service is the database service to register (created or updated in place).
  types.DatabaseServiceV1 Service = 1 [(gogoproto.jsontag) = "service"];
}
// DeleteAllDatabaseServicesRequest is a request to delete all DatabaseServices.
// It currently carries no fields; keep it as a dedicated message so fields can be added later.
message DeleteAllDatabaseServicesRequest {}
// DatabaseCSRRequest is a request to generate a client certificate used
// by the proxy to authenticate with a remote database service.
message DatabaseCSRRequest {
  // CSR is the certificate signing request to sign. It is caller-supplied
  // input; the signer is expected to validate its contents (subject, key)
  // before issuing — TODO confirm where that validation is done.
  bytes CSR = 1 [(gogoproto.jsontag) = "csr"];
  // ClusterName is the name of the cluster the request is for.
  string ClusterName = 2 [(gogoproto.jsontag) = "cluster_name"];
  // Field 3 (SignWithDatabaseCA) was removed. Both the number and the name
  // are reserved so they cannot be reused with a different meaning.
  reserved 3;
  reserved "SignWithDatabaseCA";
}
// DatabaseCSRResponse contains the signed database certificate.
message DatabaseCSRResponse {
  // Cert is the signed certificate.
  bytes Cert = 1 [(gogoproto.jsontag) = "cert"];
  // CACerts is a list of certificate authorities, one certificate per entry.
  repeated bytes CACerts = 2 [(gogoproto.jsontag) = "ca_certs"];
}
// DatabaseCertRequest is a request to generate a client certificate used
// by a database service to authenticate with a database instance.
message DatabaseCertRequest {
// CSR is the request to sign.
bytes CSR = 1 [(gogoproto.jsontag) = "csr"];
// ServerName is the SAN to include in the certificate.
// DEPRECATED: Replaced by ServerNames.
string ServerName = 2 [
(gogoproto.jsontag) = "server_name",
deprecated = true
];
// TTL is the certificate validity period.
int64 TTL = 3 [
(gogoproto.jsontag) = "ttl",
(gogoproto.casttype) = "Duration"
];
// ServerNames are SANs to include in the certificate.
repeated string ServerNames = 4 [(gogoproto.jsontag) = "server_names"];
// Requester is a name of service that sent the request.
enum Requester {
// UNSPECIFIED is set when the requester in unknown.
UNSPECIFIED = 0;
// TCTL is set when request was sent by tctl tool.
TCTL = 1;
}
// RequesterName identifies who sent the request.
Requester RequesterName = 5 [(gogoproto.jsontag) = "requester_name"];