[v11] Session Control + UI SSH Performance #18797
Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accommodate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`.

This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perform session control.

Reduces latency creating ssh sessions via the web ui by:

1) No longer uses `TeleportClient.SSH` to establish a session
2) Reuses the user auth client for the web session to perform MFA ceremony
3) Ensures that connection attempts follow the flow outlined in RFD 93

The web api server now leverages the `proxy.Router` and `srv.SessionController` directly, instead of doing so indirectly via `TeleportClient.SSH`. Using the `TeleportClient` required an ssh connection to be established from the web api server to the proxy ssh server, which are in the same process. This added overhead can be avoided now that the routing logic and session control logic exists in a reusable component. To create an interactive session on the node once the connection is established, `client.NodeClient` is used. A new constructor was added to facilitate creating one and remove duplicated creation code, and a `RunInteractiveShell` receiver method was added to allow callers outside of `lib/client` to spawn a session.

`TerminalHandler.issueSessionMFACerts` used to check if per-session mfa was enabled and perform the mfa ceremony via the `client.ProxyClient`, which was constructed with the `TeleportClient` established from connecting to the proxy ssh server. This would dial the Auth server under the hood directly and call `IsMFARequired` and do the ceremony if required. Each web session established via the web ui already established an auth client with the credentials of the logged in user. Again overhead is removed by leveraging the existing auth client and performing the mfa ceremony manually.

Finally, `TerminalHandler.makeClient` always attempted to perform the mfa ceremony prior to returning the `TeleportClient`. As outlined in [RFD 93](https://github.com/gravitational/teleport/blob/master/rfd/0093-offline-access.md), this causes additional latency and requires Auth connectivity to connect to nodes. The connection flow is now modified to attempt connection to the nodes first, and fall back to the mfa ceremony and reconnecting only if the node denies access.

Partially addresses #15167
@@ -2353,15 +2399,25 @@ | |||
} | |||
|
|||
h.log.Debugf("New terminal request for ns=%s, server=%s, login=%s, sid=%s, websid=%s.", | |||
req.Namespace, req.Server, req.Login, req.SessionID, ctx.GetSessionID()) | |||
req.Namespace, req.Server, req.Login, req.SessionID, sessionCtx.GetSessionID()) |
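Review bot: the CodeQL alert attached to this hunk ("Log entries created from user input") is about the `h.log.Debugf` call on the last three lines: `req.Namespace`, `req.Server`, `req.Login` and `req.SessionID` are taken from the terminal request, so a value that contains a newline can split the entry and make a forged second log line appear. Suggest passing each request-derived field through a sanitizer that escapes control characters, or at minimum formatting them with `%q` instead of `%s`, e.g. `h.log.Debugf("New terminal request for ns=%q, server=%q, login=%q, sid=%q, websid=%s.", ...)`. The only edit in the hunk itself, `ctx.GetSessionID()` becoming `sessionCtx.GetSessionID()`, is a rename of the session context variable and needs no further change.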
Check failure: Code scanning / CodeQL: Log entries created from user input
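The CodeQL finding above is a log-injection (log forging) pattern: request fields are interpolated into a single-line log entry, so a field containing CR/LF can fabricate an extra entry. The following Go program is an added example written for this page, not Teleport's code; `terminalRequest` is a constructed stand-in that only mirrors the field names visible in the hunk, and `formatTerminalLogSafe` shows the mitigation (escape control characters and bound the length of every user-derived field) next to the unsafe formatting.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// terminalRequest is a constructed stand-in mirroring the request fields the
// handler logs in the hunk above; it is not Teleport's own request type.
type terminalRequest struct {
	Namespace string
	Server    string
	Login     string
	SessionID string
}

// sanitizeLogField makes a user-controlled string safe to embed in a single
// log line: control characters (including CR/LF, which would otherwise let a
// request forge a second, fake entry) are replaced by an escaped form, and
// values longer than maxLen runes are truncated so one request cannot flood
// the log. maxLen <= 0 disables truncation.
func sanitizeLogField(s string, maxLen int) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case r == '\t':
			b.WriteString(`\t`)
		case unicode.IsControl(r):
			b.WriteString(fmt.Sprintf(`\x%02x`, r))
		default:
			b.WriteRune(r)
		}
	}
	out := b.String()
	if maxLen > 0 {
		if runes := []rune(out); len(runes) > maxLen {
			out = string(runes[:maxLen]) + "..."
		}
	}
	return out
}

// formatTerminalLogUnsafe reproduces the flagged pattern: request fields are
// interpolated verbatim.
func formatTerminalLogUnsafe(req terminalRequest, webSID string) string {
	return fmt.Sprintf("New terminal request for ns=%s, server=%s, login=%s, sid=%s, websid=%s.",
		req.Namespace, req.Server, req.Login, req.SessionID, webSID)
}

// formatTerminalLogSafe applies sanitizeLogField to every request-derived
// field. webSID is left as-is because it is generated server-side.
func formatTerminalLogSafe(req terminalRequest, webSID string) string {
	return fmt.Sprintf("New terminal request for ns=%s, server=%s, login=%s, sid=%s, websid=%s.",
		sanitizeLogField(req.Namespace, 64),
		sanitizeLogField(req.Server, 256),
		sanitizeLogField(req.Login, 64),
		sanitizeLogField(req.SessionID, 64),
		webSID)
}

// lineCount reports how many physical lines a formatted entry occupies; a
// sanitized entry must always be exactly one.
func lineCount(entry string) int {
	return strings.Count(entry, "\n") + 1
}

func main() {
	// Constructed input: the login field carries a newline followed by text
	// that mimics a legitimate-looking second entry.
	req := terminalRequest{
		Namespace: "default",
		Server:    "node-1",
		Login:     "alice\nNew terminal request for ns=default, server=node-2, login=root",
		SessionID: "sess-123",
	}
	fmt.Println("unsafe entry spans", lineCount(formatTerminalLogUnsafe(req, "web-abc")), "lines")
	fmt.Println("safe entry spans  ", lineCount(formatTerminalLogSafe(req, "web-abc")), "lines")
	fmt.Println(formatTerminalLogSafe(req, "web-abc"))
}
```

Escaping rather than dropping the control characters keeps the evidence of the attempt in the log, which is what an analyst wants when reviewing such entries; the length cap is a separate guard against a single request producing an oversized entry.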
Backports #18565 and #18656 to branch/v11