Add bot field to certificates and various usage events #35881
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060
|
Outstanding TODOs:
|
timothyb89
commented
Dec 27, 2023
strideynet
reviewed
Dec 27, 2023
This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes.
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
strideynet
reviewed
Dec 28, 2023
| @@ -211,10 +224,14 @@ func (r *Reporter) run(ctx context.Context) { | |||
|
|
|||
| userActivity := make(map[string]*prehogv1.UserActivityRecord) | |||
|
|
|||
| userRecord := func(userName string) *prehogv1.UserActivityRecord { | |||
| userRecord := func(userName string, v1AlphaUserKind prehogv1alpha.UserKind) *prehogv1.UserActivityRecord { | |||
There was a problem hiding this comment.
Nit: I don't think it's a major concern but I can see a bit of potential raciness here if there's an issue with tracking bot status. The status of the user from the first event will set it for all future events. Perhaps we ought to put some warning or error in if the kind of the user changes ?
There was a problem hiding this comment.
I added a warning and had it override the flag. I think the behavior could go either way realistically - and given it's a bug regardless I'm not sure if I expect anything good to come from whichever behavior we use.
There was a problem hiding this comment.
Maybe we should leave the record.UserKind as is if v1UserKind is unspecified, just in case?
There was a problem hiding this comment.
Ah, good call, we could definitely see this when aggregating events together from an outdated node. I suppose this goes both ways, right? We should allow transition from unspecified -> specified, and disallow transitions from specified -> unspecified, otherwise at least one will be logged as a warning.
There was a problem hiding this comment.
I've tweaked the logic here. It now allows identifying a previously unspecified user, ignores unspecified updates, and warns about flipping between human/bot users.
Good catch on the bot flag, I always forget the initial certs are generated from a different codepath. The flag is fixed now. |
strideynet
approved these changes
Jan 2, 2024
espadolini
reviewed
Jan 2, 2024
| @@ -211,10 +224,14 @@ func (r *Reporter) run(ctx context.Context) { | |||
|
|
|||
| userActivity := make(map[string]*prehogv1.UserActivityRecord) | |||
|
|
|||
| userRecord := func(userName string) *prehogv1.UserActivityRecord { | |||
| userRecord := func(userName string, v1AlphaUserKind prehogv1alpha.UserKind) *prehogv1.UserActivityRecord { | |||
There was a problem hiding this comment.
Maybe we should leave the record.UserKind as is if v1UserKind is unspecified, just in case?
Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions.
espadolini
approved these changes
Jan 4, 2024
public-teleport-github-review-bot
bot
removed request for
ryanclark and
flyinghermit
timothyb89
force-pushed
the
timothyb89/bot-flag-usage-events
branch
from
17a3729
to
9d7b12d
Compare
|
@timothyb89 See the table below for backport results.
|
timothyb89
added a commit
that referenced
this pull request
Jan 5, 2024
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
timothyb89
added a commit
that referenced
this pull request
Jan 6, 2024
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jan 9, 2024
…#36366) * Add bot field to certificates and various usage events (#35881) * Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic * Fix failing tests
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jan 11, 2024
…#36313) * Add bot field to certificates and various usage events (#35881) * Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic * Fix broken tests
ibeckermayer
pushed a commit
that referenced
this pull request
Jan 17, 2024
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a new certificate extension field,
teleport-bot, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user, set to the bot's unprefixed name.Additionally, this uses the new bot name field to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which also pulled in some small additional (mostly comment) changes.
[1] https://github.com/gravitational/cloud/pull/7060
changelog: Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity