[v13] Add bot field to certificates and various usage events (#35881) #36366
Conversation
* Add bot field to certificates and various usage events

  This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes.

  [1] gravitational/cloud#7060
* Small bot flag plumbing fixes
* Convert bot flag to BotName and UserKind enum

  This makes a few changes to the bot tagging approach:
  * The bot name is embedded in the cert rather than just true/false
  * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes.
* Add a quick unit test for bot cert extensions
* Fix outdated grpc
* Include bot flag on initial certs
* Log a warning and override user kind for usage records if they differ
* Fix several unit tests; add a bot metadata test case
* Fix unit tests with UserKind zero value
* Rename SSH cert extension to use standard format

  Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions.
* Attempt to improve unspecified userkind aggregating logic
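The commit list above describes two mechanisms: an SSH certificate extension, `bot-name@goteleport.com`, whose presence marks a certificate as issued to a Machine ID bot and whose value names the bot, and a `UserKind` enum on usage events whose zero value stands in for nodes too old to know the field, with a warning-and-override when a record's kind disagrees with the identity's. The Go program below is an added example written for this page, not Teleport's code: it encodes a constructed `ssh-ed25519-cert-v01@openssh.com` user certificate with a dummy key and signature, walks the OpenSSH certificate layout to the extensions field to pull the bot name out, and reconciles a reported `UserKind` with one derived from the identity. The wire helpers, the `reader` type, the enum numbering, the tie-break in `ReconcileUserKind` (the identity-derived kind wins) and every name are assumptions; the certificate is never signature-checked, which a real consumer must do against the cluster CA before trusting any extension.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// BotNameExtension is the name the PR settles on after renaming `teleport-bot`:
// present only on certs issued to a Machine ID bot, its value is the bot's name.
const BotNameExtension = "bot-name@goteleport.com"

// UserKind mirrors the enum the PR adds to usage events; the zero value is what a
// node that predates the field reports. The numbering is an assumption.
type UserKind int

const (
	UserKindUnspecified UserKind = iota
	UserKindHuman
	UserKindBot
)

// RFC 4251 wire encoding: big-endian integer of n bytes, length-prefixed string.
func appendUint(b []byte, v uint64, n int) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], v)
	return append(b, t[8-n:]...)
}

func appendString(b []byte, s string) []byte { return append(appendUint(b, uint64(len(s)), 4), s...) }

// reader consumes wire fields with a sticky error, so callers check it once.
type reader struct {
	buf []byte
	err error
}

func (r *reader) take(n int) (f []byte) { // next n raw bytes
	if r.err == nil && (n < 0 || len(r.buf) < n) {
		r.err = errors.New("truncated certificate")
	}
	if r.err == nil {
		f, r.buf = r.buf[:n], r.buf[n:]
	}
	return f
}

func (r *reader) str() string { // next length-prefixed string
	if l := r.take(4); l != nil {
		return string(r.take(int(binary.BigEndian.Uint32(l))))
	}
	return ""
}

// buildCert assembles a constructed ssh-ed25519-cert-v01@openssh.com blob. Key, CA
// key and signature are dummies: test data, not a cert any verifier would accept.
// Extensions are given in lexical order; a non-empty value is nested as a string.
func buildCert(keyID string, principals []string, ext [][2]string) []byte {
	var p, e []byte
	for _, name := range principals {
		p = appendString(p, name)
	}
	for _, kv := range ext {
		val := ""
		if kv[1] != "" {
			val = string(appendString(nil, kv[1]))
		}
		e = appendString(appendString(e, kv[0]), val)
	}
	b := appendString(nil, "ssh-ed25519-cert-v01@openssh.com")
	b = appendString(b, "nonce-for-example-only")
	b = appendString(b, string(make([]byte, 32)))       // dummy ed25519 public key
	b = appendUint(appendUint(b, 1, 8), 1, 4)           // serial, SSH_CERT_TYPE_USER
	b = appendString(appendString(b, keyID), string(p)) // key id, principals
	b = appendUint(appendUint(b, 0, 8), 1<<63, 8)       // valid after, valid before
	b = appendString(appendString(b, ""), string(e))    // critical options, extensions
	b = appendString(appendString(b, ""), "dummy-ca")   // reserved, signature key
	return appendString(b, "dummy-signature")
}

// certExtensions walks the cert layout to the extensions field and decodes it. It
// does not verify the signature; a real consumer checks that against the cluster CA.
func certExtensions(blob []byte) (map[string]string, error) {
	r := &reader{buf: blob}
	if t := r.str(); r.err == nil && t != "ssh-ed25519-cert-v01@openssh.com" {
		return nil, fmt.Errorf("unsupported cert type %q", t)
	}
	r.str(); r.str(); r.take(12) // nonce, public key, serial + type
	r.str(); r.str(); r.take(16) // key id, principals, valid after + before
	r.str()                      // critical options
	e := &reader{buf: []byte(r.str())}
	e.err = r.err
	ext := map[string]string{}
	for len(e.buf) > 0 && e.err == nil {
		name, wrapped := e.str(), e.str()
		if wrapped != "" { // a non-empty value is a string nested in a string
			w := &reader{buf: []byte(wrapped)}
			if wrapped = w.str(); w.err != nil || len(w.buf) > 0 {
				e.err = errors.New("malformed extension value")
			}
		}
		ext[name] = wrapped
	}
	return ext, e.err
}

// BotName reports whether the cert was issued to a Machine ID bot and to which one;
// a cert without the extension belongs to a human user.
func BotName(blob []byte) (name string, isBot bool, err error) {
	ext, err := certExtensions(blob)
	name, isBot = ext[BotNameExtension]
	return name, isBot && err == nil, err
}

// ReconcileUserKind merges the kind a usage record reports with the kind derived from
// the submitting identity: UNSPECIFIED (an older node) is filled in silently, a real
// mismatch is warned about and overridden. Identity winning is an assumption.
func ReconcileUserKind(reported, fromIdentity UserKind, warn func(string)) UserKind {
	if fromIdentity == UserKindUnspecified {
		return reported
	}
	if reported != UserKindUnspecified && reported != fromIdentity {
		warn(fmt.Sprintf("usage record reports kind %d but identity is kind %d; overriding", reported, fromIdentity))
	}
	return fromIdentity
}

func main() {
	bot := buildCert("bot-ci", []string{"ci"}, [][2]string{{BotNameExtension, "ci-deploy"}, {"permit-pty", ""}})
	name, isBot, err := BotName(bot)
	fmt.Println(isBot, name, err) // true ci-deploy <nil>
}
```

A truncated or malformed blob comes back as an error rather than a silently empty map, so "no extension" can only be read as "human user" when parsing actually succeeded; that distinction matters once the extension is used for anything beyond usage reporting.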
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
@@ -87,6 +102,13 @@ message UserMetadata { | |||
// TrustedDevice contains information about the users' trusted device. | |||
// Requires a registered and enrolled device to be used during authentication. | |||
DeviceMetadata TrustedDevice = 8 [(gogoproto.jsontag) = "trusted_device,omitempty"]; | |||
|
|||
// RequiredPrivateKeyPolicy is the private key policy enforced for this login. | |||
string RequiredPrivateKeyPolicy = 9 [(gogoproto.jsontag) = "required_private_key_policy,omitempty"]; |
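Review bot: field `RequiredPrivateKeyPolicy = 9` in this hunk is not part of the bot tagging change and only rides along to keep the field numbers contiguous with whatever follows it; if it is dropped from the v13 backport, keep the slot with a `reserved 9;` line in `UserMetadata` so a later backport or any new field cannot reuse the number with a different type, and keep the two-line doc comment style already used for `TrustedDevice` on whichever fields remain.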
As an aside, I'm not sure what the best backporting behavior is here and pulled in an adjacent field that was not backported itself. I think it's harmless, and slightly nicer to keep the fields contiguous? Would it be better to remove it and let it be backported later if needed?
I think we only add the needed fields when backporting.
There's some failing test that does some proto diff on UserMetadata; I'm not sure why it worked fine for the v14 backport but we should backport that if possible rather than fix it in a v13-specific way I think.
Ah, I manually fixed the v14 test, I think. It's mostly deprecated stuff that was marked for removal in v15 IIRC. I'll fix it regardless - I'd meant to include those changes here and missed a few.
Backport of #35881 for branch/v13
changelog: Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity