Session is not recorded when leaf cluster is in proxy recording mode but root cluster is not

[russjones]

If I use tsh ssh --cluster=leaf.com server01, I can't see the list of sessions in either the Web UI or use tsh play to play the session. I suspect this is not due to a bug in the Web UI, but the backend since it doesn't work from tsh either. However the Web UI does show an interesting showing 1 out of 0 message.

$ tsh play --cluster=leaf.com 4a4649a0-b5bd-4b0f-b194-5a3158d5696d
error: 0 not found

[russjones]

The error error: 0 not found may be a bit misleading since I got the session ID was from the output of env. Maybe it should be checked on the backend.

[awly]

@russjones not able to reproduce this on master.
I can playback the session via tsh play and I see it in web UI under the matching cluster. Leaf sessions don't show up in root cluster's audit log.

Was there something else special about your setup? Which backend did it use?

[webvictim]

I just ran into the 0 not found error when trying to run tsh play with a session ID that's off by one. We should fix this error to be more descriptive.

[awly]

OK, looks like sessions recordings are not working in proxy recording mode.
I'll investigate that and fix the error message along the way.

[awly]

Talked to @russjones.
The problem is that leaf proxy was in proxy recording mode and root wasn't.
Because of how the leaf proxy handles requests from the reverse tunnel, it doesn't even check that it's supposed to be recording.

The cleanest solution would be to teach leaf proxies to record sessions coming over the reverse tunnel.

[russjones]

Best: 2
Worst: 4