New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add bot field to certificates and various usage events #35881
Conversation
This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060
Outstanding TODOs:
|
This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes.
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks generally good. From my reading, we're only currently putting the attribute into the impersonated certs or renewed certs. Could we also make sure it goes onto the bots own certs that are produced by the joining process ?
@@ -211,10 +224,14 @@ func (r *Reporter) run(ctx context.Context) { | |||
|
|||
userActivity := make(map[string]*prehogv1.UserActivityRecord) | |||
|
|||
userRecord := func(userName string) *prehogv1.UserActivityRecord { | |||
userRecord := func(userName string, v1AlphaUserKind prehogv1alpha.UserKind) *prehogv1.UserActivityRecord { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I don't think it's a major concern but I can see a bit of potential raciness here if there's an issue with tracking bot status. The status of the user from the first event will set it for all future events. Perhaps we ought to put some warning or error in if the kind of the user changes ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a warning and had it override the flag. I think the behavior could go either way realistically - and given it's a bug regardless I'm not sure if I expect anything good to come from whichever behavior we use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should leave the record.UserKind
as is if v1UserKind
is unspecified, just in case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, good call, we could definitely see this when aggregating events together from an outdated node. I suppose this goes both ways, right? We should allow transition from unspecified -> specified, and disallow transitions from specified -> unspecified, otherwise at least one will be logged as a warning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've tweaked the logic here. It now allows identifying a previously unspecified user, ignores unspecified updates, and warns about flipping between human/bot users.
Good catch on the bot flag, I always forget the initial certs are generated from a different codepath. The flag is fixed now. |
@@ -211,10 +224,14 @@ func (r *Reporter) run(ctx context.Context) { | |||
|
|||
userActivity := make(map[string]*prehogv1.UserActivityRecord) | |||
|
|||
userRecord := func(userName string) *prehogv1.UserActivityRecord { | |||
userRecord := func(userName string, v1AlphaUserKind prehogv1alpha.UserKind) *prehogv1.UserActivityRecord { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should leave the record.UserKind
as is if v1UserKind
is unspecified, just in case?
Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions.
17a3729
to
9d7b12d
Compare
@timothyb89 See the table below for backport results.
|
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
…#36366) * Add bot field to certificates and various usage events (#35881) * Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic * Fix failing tests
…#36313) * Add bot field to certificates and various usage events (#35881) * Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic * Fix broken tests
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
This adds a new certificate extension field,
teleport-bot
, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user, set to the bot's unprefixed name.Additionally, this uses the new bot name field to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which also pulled in some small additional (mostly comment) changes.
[1] https://github.com/gravitational/cloud/pull/7060
changelog: Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity