Adds support for loading tctl creds from ~/.tsh profile #4678
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
klizhentas
requested review from
a-palchikov,
awly,
fspmarshall,
r0mant,
russjones and
webvictim
as code owners
a-palchikov
reviewed
Nov 2, 2020
|
Passing a specific configuration function via an exported API could be confusing. type IdentityLoader func(*GlobalCLIFlags, *service.Config) (*AuthServiceClientConfig, error)which could be part of the flags struct: And then multiple implementations could be provided: app.Flag("identity", "Path to the identity file exported with 'tctl auth sign'").
Short('i').
StringVar(&identityFilePath)
// ...
if identityFilePath != "" {
ccf.IdentityLoader = loadIdentityFromFile(identityFilePath)
} else {
ccf.IdentityLoader = loadIdentityFromHostUUID
}
// configure all commands with Teleport configuration (they share 'cfg')
clientConfig, err := applyConfig(&ccf, cfg)
if err != nil {
utils.FatalError(err)
}
// ...OSS implementations: func loadIdentityFromFile(path string) IdentityLoader {
return func(_ *GlobalCLIFlags, cfg *service.Config) (*AuthServiceClientConfig, error) {
key, err := common.LoadIdentity(path)
if err != nil {
return nil, trace.Wrap(err)
}
authConfig := new(AuthServiceClientConfig)
authConfig.TLS, err = key.ClientTLSConfig(cfg.CipherSuites)
if err != nil {
return nil, trace.Wrap(err)
}
authConfig.SSH, err = key.ClientSSHConfig()
if err != nil {
return nil, trace.Wrap(err)
}
return authConfig, nil
}
}
func loadIdentityFromHostUUID(_ *GlobalCLIFlags, cfg *service.Config) (authConfig *AuthServiceClientConfig, err error) {
// read the host UUID only in case the identity was not provided,
// because it will be used for reading local auth server identity
cfg.HostUUID, err = utils.ReadHostUUID(cfg.DataDir)
if err != nil {
return nil, trace.Wrap(err)
}
identity, err := auth.ReadLocalIdentity(filepath.Join(cfg.DataDir, teleport.ComponentProcess), auth.IdentityID{Role: teleport.RoleAdmin, HostUUID: cfg.HostUUID})
if err != nil {
// The "admin" identity is not present? This means the tctl is running
// NOT on the auth server
if trace.IsNotFound(err) {
return nil, trace.AccessDenied("tctl must be either used on the auth server or provided with the identity file via --identity flag")
}
return nil, trace.Wrap(err)
}
tls, err := identity.TLSConfig(cfg.CipherSuites)
if err != nil {
return nil, trace.Wrap(err)
}
return &AuthServiceClientConfig{
TLS: tls,
}, nil
}and pass them from corresponding main: var ccf common.GlobalCLIFlags
ccf.IdentityLoader = loadIdentityCustom // override when necessary
common.Run(commands, ccf)It is mostly the same but will make the read code better imho. |
webvictim
reviewed
Nov 2, 2020
|
We should review our profile support after this is complete, #3089 to make tctl CLI UX as smooth as possible. |
|
I built this from source and it seems to work, it's very slow though (8 seconds between pressing enter and getting a response): $ time ~/go/src/github.com/gravitational/teleport/e/build/tctl status
Cluster gus.cloud.gravitational.io
Version 5.0.0-beta.8
User CA never updated
Host CA never updated
CA pin sha256:dec0a2e0ded908af3e5ba8f124f1d44aeb8a316ce99df3ef0339a9e5951f723d
~/go/src/github.com/gravitational/teleport/e/build/tctl status 0.08s user 0.02s system 1% cpu 8.147 total$ time ~/go/src/github.com/gravitational/teleport/e/build/tctl -d status
DEBU Debug logging has been enabled. common/tctl.go:303
DEBU [KEYSTORE] Returning SSH certificate "/home/gus/.tsh/keys/gus.cloud.gravitational.io/admin-cert.pub" valid until "2020-11-03 01:29:45 -0400 AST", TLS certificate "/home/gus/.tsh/keys/gus.cloud.gravitational.io/admin-x509.pem" valid until "2020-11-03 05:29:45 +0000 UTC". client/keystore.go:277
DEBU Found active profile: {https gus.cloud.gravitational.io:443 false } admin. tctl/profile.go:43
DEBU [KEYSTORE] Returning SSH certificate "/home/gus/.tsh/keys/gus.cloud.gravitational.io/admin-cert.pub" valid until "2020-11-03 01:29:45 -0400 AST", TLS certificate "/home/gus/.tsh/keys/gus.cloud.gravitational.io/admin-x509.pem" valid until "2020-11-03 05:29:45 +0000 UTC". client/keystore.go:277
DEBU Setting auth server to web proxy gus.cloud.gravitational.io:443. tctl/profile.go:75
DEBU Connecting to auth servers: [{gus.cloud.gravitational.io:443 tcp }]. common/tctl.go:181
DEBU [CLIENT] HTTPS client init(proxyAddr=gus.cloud.gravitational.io:443, insecure=false) client/weblogin.go:307
DEBU Attempting to connect using reverse tunnel address gus.cloud.gravitational.io:3024. common/tctl.go:214
DEBU [HTTP:PROX] No valid environment variables found. proxy/proxy.go:222
DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:137
DEBU [CLIENT] Validated host gus.cloud.gravitational.io:3024. client/keyagent.go:99
DEBU [AUTH] GRPC(CLIENT): keep alive 1m0s count: 3. auth/clt.go:319
DEBU [HTTP:PROX] No valid environment variables found. proxy/proxy.go:222
DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:137
DEBU [CLIENT] Validated host gus.cloud.gravitational.io:3024. client/keyagent.go:99
Cluster gus.cloud.gravitational.io
Version 5.0.0-beta.8
User CA never updated, update_servers: Jan 1 00:00:00 UTC, complete: Jan 1 00:00:00 UTC
Host CA never updated, update_servers: Jan 1 00:00:00 UTC, complete: Jan 1 00:00:00 UTC
CA pin sha256:dec0a2e0ded908af3e5ba8f124f1d44aeb8a316ce99df3ef0339a9e5951f723d
Remote clusters
~/go/src/github.com/gravitational/teleport/e/build/tctl -d status 0.09s user 0.02s system 1% cpu 8.227 totalMy ping to cloud is 94ms, I don't think it should take this long? |
|
Strange, takes 1 second for me. |
|
Weird, I ran it in a Docker container and it was quick. It seems to be quicker locally now as well. Must have been a glitch, |
|
@a-palchikov I see what you're saying refactoring of the identity loading code, but this will be deleted in a few weeks once 5.1.0 lands and OSS and Enterprise both support RBAC. I'm in-favor of leaving as-is till then, what do you think? |
russjones
approved these changes
Nov 8, 2020
a-palchikov
approved these changes
Nov 9, 2020
This commit fixes #4439
russjones
force-pushed
the
sasha/tctl
branch
from
dd04ec2
to
9bdac2c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit fixes #4439
Please take a look at teleport.e counterpart