[v14] Add bot field to certificates and various usage events (#35881) #36313
Backport of #35881 for branch/v14
changelog: Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity
This adds a new certificate extension field, teleport-bot, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user.
Additionally, this uses the new Bot identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes.
[1] https://github.com/gravitational/cloud/pull/7060
Small bot flag plumbing fixes
Convert bot flag to BotName and UserKind enum
This makes a few changes to the bot tagging approach:
The bot name is embedded in the cert rather than just true/false
UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes.
Add a quick unit test for bot cert extensions
Fix outdated grpc
Include bot flag on initial certs
Log a warning and override user kind for usage records if they differ
Fix several unit tests; add a bot metadata test case
Fix unit tests with UserKind zero value
Rename SSH cert extension to use standard format
Renames the teleport-bot extension to bot-name@goteleport.com, to better follow SSH cert extension naming conventions.