From 0bac356157a83413fbecc5a3ba6b221e0ec81e8f Mon Sep 17 00:00:00 2001 From: Paul Gottschling Date: Tue, 15 Oct 2024 13:36:56 -0400 Subject: [PATCH] Simplify how-to guides Closes #38931 Remove "Static" and "Dynamic" configuration branching. Use the dynamic approach unless the guide already shows readers how to use the static approach elsewhere, e.g., using `teleport db configure create`. For example, in the AWS OpenSearch guide, creating a Teleport configuration is required for the guide anyway, so this change uses only the static approach. Ignore edge cases where the branching has some qualities that are unique to a specific guide: - `application-access/cloud-apis/google-cloud.mdx`: includes branching on authentication preference type. - `application-access/guides/connecting-apps.mdx` because it explains syntax differences between the static and dynamic approaches. - `enroll-aws-databases/aws-cross-account.mdx`: branches using three tabs, so editing requires another approach than the one this change applies. This change edits only how-to guides, not conceptual guides, since the goal of a how-to guide is to get the user to an end state as quickly as possible. --- .../device-trust/device-management.mdx | 66 ++------- .../device-trust/enforcing-device-trust.mdx | 47 ++----- .../guides/mfa-for-admin-actions.mdx | 74 ++++------ .../access-controls/guides/passwordless.mdx | 129 +++--------------- .../guides/per-session-mfa.mdx | 49 +------ docs/pages/connect-your-client/web-ui.mdx | 15 -- .../enroll-aws-databases/aws-opensearch.mdx | 56 -------- .../oracle-self-hosted.mdx | 21 +-- .../db-definition-default-dbname.mdx | 26 +--- .../db-definition-self-hosted.mdx | 21 +-- .../auto-user-provisioning/db-definition.mdx | 23 +--- .../enterprise/oidcauthentication.mdx | 52 +++---- .../enterprise/samlauthentication.mdx | 19 --- 13 files changed, 104 insertions(+), 494 deletions(-) diff --git a/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx b/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx index ef200e46dcd68..8b4b22d395b80 100644 --- a/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx @@ -138,11 +138,14 @@ For auto-enrollment to work, the following conditions must be met: integration, like the [Jamf Pro integration](./jamf-integration.mdx). - Auto-enrollment must be enabled in the cluster setting. -Enable auto-enrollment in your cluster settings: +Enable auto-enrollment in your cluster settings. To do so, modify the dynamic +config resource using the following command: - - -Modify the dynamic config resource using `tctl edit cluster_auth_preference`: +```code +$ tctl edit cluster_auth_preference +``` + +Make the following change: ```diff kind: cluster_auth_preference @@ -156,22 +159,7 @@ spec: + auto_enroll: true ``` - - -Edit the Auth Server's `teleport.yaml` file: - -```diff -auth_service: - authentication: - # ... - device_trust: -+ auto_enroll: true -``` - -After saving the changes, restart the Teleport service. - - - +Save and close your editor to apply your changes. Once enabled, users with their device registered in Teleport will have their device enrolled to Teleport in their next login. @@ -244,18 +232,14 @@ To configure `ekcert_allowed_cas`, you must first obtain the CA certificate in PEM format from the manufacturer of the TPM included in your devices. This step varies from manufacturer to manufacturer. -After you obtain the CA certificate in PEM format, there are two ways of -configuring `ekcert_allowed_cas`: +After you obtain the CA certificate in PEM format, modify the dynamic config +resource using tghe following command: -- Statically using the Teleport configuration file. This is the simplest - option, but is not possible for Teleport Cloud clusters and not recommended - for clusters in a highly available configuration. -- Dynamically using `cluster_auth_preference` resource. This works with all - clusters and is the most flexible. +```code +$ tctl edit cluster_auth_preference +``` - - -Modify the dynamic config resource using `tctl edit cluster_auth_preference`: +Make the following change: ```diff kind: cluster_auth_preference @@ -274,27 +258,7 @@ spec: + -----END CERTIFICATE----- ``` - - -Edit the Auth Server's `teleport.yaml` file and restart: - -```diff -auth_service: - authentication: - ... - device_trust: -+ ekcert_allowed_cas: -+ # The CA can be configured inline within the configuration file: -+ - | -+ -----BEGIN CERTIFICATE----- -+ --snip-- -+ -----END CERTIFICATE----- -+ # Or, it can be configured in the configuration file using a path: -+ - /path/to/my/ekcert-ca.pem -``` - - - +Save and close your editor to apply your changes. ## Troubleshooting diff --git a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx index 3bb1fff1e7647..9ac5c819060c2 100644 --- a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx @@ -96,10 +96,13 @@ accesses. To enable device mode `required` update your configuration as follows: - - -Create a `cap.yaml` file or get the existing configuration using -`tctl get cluster_auth_preference`: +Edit your cluster authentication preference using the following command: + +```code +$ tctl edit cluster_auth_preference +``` + +Make the following change: ```diff kind: cluster_auth_preference @@ -115,39 +118,11 @@ spec: + mode: "required" # add this line ``` -Update the configuration: - -```code -$ tctl create -f cap.yaml -cluster auth preference has been updated -``` - -You can also edit this configuration directly: - -```code -$ tctl edit cluster_auth_preference -``` - - - -Edit the Auth Server's `teleport.yaml` file and restart all Auth Services: - -```diff -auth_service: - authentication: - type: local - second_factor: "on" - webauthn: - rp_id: (=clusterDefaults.clusterName=) - device_trust: -+ mode: "required" # add this line -``` - - - +Save and close your editor to apply your changes. -Once the config is updated, SSH, Database and Kubernetes access without a trusted device will be forbidden. -For example, SSH access without a trusted device fails with the following error: +Once the config is updated, SSH, Database and Kubernetes access without a +trusted device will be forbidden. For example, SSH access without a trusted +device fails with the following error: ```code $ tsh ssh (=clusterDefaults.nodeIP=) diff --git a/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx b/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx index a3cab5e3e3b5b..809a3b193ba8d 100644 --- a/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx +++ b/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx @@ -56,50 +56,30 @@ WebAuthn is the only form of second factor allowed. for a wider range of cluster configurations. - - - - Edit the `cluster_auth_preference` resource: - - ```code - $ tctl edit cap - ``` - - Update the `cluster_auth_preference` definition to include the following content: - - ```yaml - kind: cluster_auth_preference - version: v2 - metadata: - name: cluster-auth-preference - spec: - type: local - # To make webauthn the only form of second factor allowed, set this field to 'webauthn'. - second_factor: "webauthn" - webauthn: - rp_id: example.com - ``` - - Save and exit the file. `tctl` will update the remote definition: - - ```text - cluster auth preference has been updated - ``` - - - - Edit the Auth Service's `teleport.yaml` file and restart all Auth Service instances: - - ```yaml - # snippet from /etc/teleport.yaml: - auth_service: - authentication: - type: local - # To make webauthn the only form of second factor allowed, set this field to 'webauthn'. - second_factor: "webauthn" - webauthn: - rp_id: example.com - ``` - - - +Edit the `cluster_auth_preference` resource: + +```code +$ tctl edit cap +``` + +Update the `cluster_auth_preference` definition to include the following content: + +```yaml +kind: cluster_auth_preference +version: v2 +metadata: + name: cluster-auth-preference +spec: + type: local + # To make webauthn the only form of second factor allowed, set this field to 'webauthn'. + second_factor: "webauthn" + webauthn: + rp_id: example.com +``` + +Save and exit the file. `tctl` will update the remote definition: + +```text +cluster auth preference has been updated +``` + diff --git a/docs/pages/admin-guides/access-controls/guides/passwordless.mdx b/docs/pages/admin-guides/access-controls/guides/passwordless.mdx index 1ece97815ff4c..a2931cda9ed6c 100644 --- a/docs/pages/admin-guides/access-controls/guides/passwordless.mdx +++ b/docs/pages/admin-guides/access-controls/guides/passwordless.mdx @@ -119,54 +119,17 @@ using `tsh login --proxy=example.com --auth=local` in order to get their first passwordless registration. To enable passwordless by default, add `connector_name: passwordless` to your -cluster configuration: +cluster configuration. - - - - - Auth Server `teleport.yaml` file: - - ```yaml - auth_service: - authentication: - type: local - second_factor: on - webauthn: - rp_id: example.com - connector_name: passwordless # passwordless by default - ``` - - - Create a `cap.yaml` file or get the existing configuration using - `tctl get cluster_auth_preference`: - - ```yaml - kind: cluster_auth_preference - version: v2 - metadata: - name: cluster-auth-preference - spec: - type: local - second_factor: "on" - webauthn: - rp_id: example.com - connector_name: passwordless # passwordless by default - ``` - - Update the configuration: - - ```code - $ tctl create -f cap.yaml - # cluster auth preference has been updated - ``` - - - +Edit your cluster authentication preference configuration using the following +command: + +```code +$ tctl edit cluster_auth_preference +``` - -Create a `cap.yaml` file or get the existing configuration using -`tctl get cluster_auth_preference`: +Ensure that the configuration includes the `connector_name` field as shown +below: ```yaml kind: cluster_auth_preference @@ -181,16 +144,6 @@ spec: connector_name: passwordless # passwordless by default ``` -Update the configuration: - -```code -$ tctl create -f cap.yaml -# cluster auth preference has been updated -``` - - - - ## Troubleshooting ### "Allow passwordless logins" doesn't appear @@ -259,55 +212,15 @@ $ tsh webauthnwin diag ### Disable passwordless If you want to forbid passwordless access to your cluster, add `passwordless: -false` to your configuration: +false` to your configuration. Edit your cluster authentication preference using +the following command: - - - - - Auth Server `teleport.yaml` file: - - ```yaml - # snippet from /etc/teleport.yaml: - auth_service: - authentication: - type: local - second_factor: on - webauthn: - rp_id: example.com - passwordless: false # disable passwordless - ``` - - - Create a `cap.yaml` file or get the existing configuration using - `tctl get cluster_auth_preference`: - - ```yaml - kind: cluster_auth_preference - version: v2 - metadata: - name: cluster-auth-preference - spec: - type: local - second_factor: "on" - webauthn: - rp_id: example.com - passwordless: false # disable passwordless - ``` - - Update the configuration: - - ```code - $ tctl create -f cap.yaml - # cluster auth preference has been updated - ``` - - - +```code +$ tctl edit cluster_auth_preference +``` - -Create a `cap.yaml` file or get the existing configuration using -`tctl get cluster_auth_preference`: +In your editor, ensure that your `cluster_auth_preference` includes a +`passwordless` field similar to the following: ```yaml kind: cluster_auth_preference @@ -322,15 +235,7 @@ spec: passwordless: false # disable passwordless ``` -Update the configuration: - -```code -$ tctl create -f cap.yaml -# cluster auth preference has been updated -``` - - - +Save and close your editor to apply your changes. ### Why did my multi-factor authentication (MFA) device become a passkey? diff --git a/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx b/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx index e09365dd95da0..c2fa8ed63f9ef 100644 --- a/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx +++ b/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx @@ -56,51 +56,8 @@ Per-session MFA can be enforced cluster-wide or only for some specific roles. ### Cluster-wide - - - To enforce MFA checks for all roles, edit your cluster authentication -configuration: - - - - -Update `teleport.yaml` on the Auth Server to include the following content: - -```yaml -auth_service: - authentication: - # require per-session MFA cluster-wide - require_session_mfa: yes -``` - - - - -Edit your `cluster_auth_preference` resource: - -```code -$ tctl edit cap -``` - -Ensure that the resource contains the following content: - -```yaml -kind: cluster_auth_preference -metadata: - name: cluster-auth-preference -spec: - require_session_mfa: true -version: v2 -``` - -Apply your changes by saving and closing the file in your editor. - - - - - - +configuration. Edit your `cluster_auth_preference` resource: @@ -121,10 +78,6 @@ version: v2 Apply your changes by saving and closing the file in your editor. - - - - ### Per role To enforce MFA checks for a specific role, update the role to contain: diff --git a/docs/pages/connect-your-client/web-ui.mdx b/docs/pages/connect-your-client/web-ui.mdx index 22b8c6202d1d5..be05318f09d57 100644 --- a/docs/pages/connect-your-client/web-ui.mdx +++ b/docs/pages/connect-your-client/web-ui.mdx @@ -40,9 +40,6 @@ interacted with any Web UI browser tab, either through keyboard input or mouse m To change the default idle timeout of 10 minutes, ask your cluster admin to adjust the `web_idle_timeout` setting in the Auth Service configuration. - - - Use `tctl` to edit the `cluster_networking_config` value: ```code @@ -68,15 +65,3 @@ After you save and exit the editor, `tctl` will update the resource: cluster networking configuration has been updated ``` - - - -Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon. - -```yaml -auth_service: - web_idle_timeout: 10m0s -``` - - - diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx index 5fd5b7cffb2e7..bc4a2f57b5bce 100644 --- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx @@ -184,9 +184,6 @@ Use the token provided by the output of this command in the next step. (!docs/pages/includes/install-linux.mdx!) - - - On the host where you will run the Teleport Database Service, start Teleport with the appropriate configuration. @@ -214,59 +211,6 @@ $ sudo teleport db configure create \ (!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!) - - - -Modify your Teleport Database Service static configuration file: - -```yaml -db_service: - enabled: "yes" - databases: - - name: example-opensearch - aws: - account_id: "(=aws.aws_access_key=)" - protocol: opensearch - uri: :443 - static_labels: - env: dev -``` - -Restart the Teleport Database Service for the configuration file changes to take -effect. - - - -Create a dynamic database resource to dynamically register an AWS database -in an external account and proxy connections to it. - -```yaml -kind: db -version: v3 -metadata: - name: "example-opensearch" - description: "Example dynamic database resource" - labels: - env: "dev" -spec: - protocol: "opensearch" - uri: :443 - aws: - account_id: "(=aws.aws_access_key=)" -``` - -Save the configuration to a file like `database.yaml` and create it with `tctl`: - -```code -$ tctl create database.yaml -``` - -For more information about database registration using dynamic database -resources, see: [Dynamic Registration](../guides/dynamic-registration.mdx). - - - - ## Step 4/4. Connect Once the Database Service has started and joined the cluster, you can start accessing Amazon OpenSearch API: diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx index f66f25e7317a4..17f1aef4d7455 100644 --- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx @@ -204,10 +204,9 @@ AUDIT ALL STATEMENTS by alice BY access; You must enable auditing for each Teleport user that will be used to connect to Oracle. Additionally you can create a different audit policy for each user. -Configure the Teleport Database Service to pull audit logs from Oracle Audit Trail: +Edit the Database Service configuration you created earlier pull audit logs from +Oracle Audit Trail: - - ```yaml db_service: enabled: "yes" @@ -218,22 +217,6 @@ db_service: oracle: audit_user: "teleport" ``` - - -```yaml -kind: db -version: v3 -metadata: - name: oracle -spec: - protocol: "oracle" - uri: "oracle.example.com:2484" - oracle: - audit_user: "teleport" -``` - - - Teleport doesn't clean up audit trail events from Oracle Audit Trail. Make sure to configure an Oracle Audit Trail cleanup policy to avoid running out of disk space. diff --git a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx index 8db14c3ab953a..f5283bfed938e 100644 --- a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx +++ b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx @@ -1,23 +1,6 @@ {{ default="'teleport'" }} Next, configure the database admin user in the Teleport database configuration: - - -```yaml -db_service: - enabled: "yes" - databases: - - name: "example" - protocol: "{{ protocol }}" - uri: "{{ uri }}" - admin_user: - name: "teleport-admin" - # Optional default database the admin user logs into. Default is - # {{ default }}, if not specified. - # default_database: teleport -``` - - ```yaml kind: db version: v3 @@ -32,11 +15,12 @@ spec: # {{ default }}, if not specified. # default_database: teleport ``` - - - +This example assumes that you have configured the database as a dynamic +resource. If you have configured your database using a static Teleport Database +Service configuration, edit the entry in your `db_service.databases` +configuration. + For auto-discovered cloud databases, the name of the admin user is taken from the `teleport.dev/db-admin` label, and the default database is taken from the `teleport.dev/db-admin-default-database` label. - diff --git a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx index c238a65926a17..84cdb5a0f120c 100644 --- a/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx +++ b/docs/pages/includes/database-access/auto-user-provisioning/db-definition-self-hosted.mdx @@ -1,19 +1,5 @@ Next, configure the database admin user in the Teleport database configuration: - - -```yaml -db_service: - enabled: "yes" - databases: - - name: "example" - protocol: "{{ protocol }}" - uri: "{{ uri }}" - admin_user: - name: "teleport-admin" -``` - - ```yaml kind: db version: v3 @@ -25,5 +11,8 @@ spec: admin_user: name: "teleport-admin" ``` - - + +This example assumes that you have configured the database as a dynamic +resource. If you have configured your database using a static Teleport Database +Service configuration, edit the entry in your `db_service.databases` +configuration. diff --git a/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx b/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx index c2a7749c46055..ac4afded4f7af 100644 --- a/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx +++ b/docs/pages/includes/database-access/auto-user-provisioning/db-definition.mdx @@ -1,19 +1,5 @@ Next, configure the database admin user in the Teleport database configuration: - - -```yaml -db_service: - enabled: "yes" - databases: - - name: "example" - protocol: "{{ protocol }}" - uri: "{{ uri }}" - admin_user: - name: "teleport-admin" -``` - - ```yaml kind: db version: v3 @@ -25,10 +11,11 @@ spec: admin_user: name: "teleport-admin" ``` - - - +This example assumes that you have configured the database as a dynamic +resource. If you have configured your database using a static Teleport Database +Service configuration, edit the entry in your `db_service.databases` +configuration. + For auto-discovered cloud databases, the name of the admin user is taken from the `teleport.dev/db-admin` label. - diff --git a/docs/pages/includes/enterprise/oidcauthentication.mdx b/docs/pages/includes/enterprise/oidcauthentication.mdx index 5ecb3a6ce3b3a..136102ea83651 100644 --- a/docs/pages/includes/enterprise/oidcauthentication.mdx +++ b/docs/pages/includes/enterprise/oidcauthentication.mdx @@ -1,39 +1,19 @@ Configure Teleport to use OIDC authentication as the default instead of the local user database. -Follow the instructions for your Teleport edition: - - - - - Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon. - - ```yaml - auth_service: - authentication: - type: oidc - - ``` - - - - - Create a file called `cap.yaml`: - - ```yaml - kind: cluster_auth_preference - metadata: - name: cluster-auth-preference - spec: - type: oidc - version: v2 - ``` - - Create a resource: - - ```code - $ tctl create -f cap.yaml - ``` - - - +Edit your `cluster_auth_preference` resource: + +```code +$ tctl edit cap +``` + +In your editor, ensure that the file contains the following content: + +```yaml +kind: cluster_auth_preference +metadata: + name: cluster-auth-preference +spec: + type: oidc +version: v2 +``` diff --git a/docs/pages/includes/enterprise/samlauthentication.mdx b/docs/pages/includes/enterprise/samlauthentication.mdx index dfabdb7a3ec71..9fcd1e9db5362 100644 --- a/docs/pages/includes/enterprise/samlauthentication.mdx +++ b/docs/pages/includes/enterprise/samlauthentication.mdx @@ -3,11 +3,6 @@ Configure Teleport to use SAML authentication as the default instead of the local user database. -Follow the instructions for your Teleport edition: - - - - Use `tctl` to edit the `cluster_auth_preference` value: ```code @@ -34,20 +29,6 @@ After you save and exit the editor, `tctl` will update the resource: cluster auth preference has been updated ``` - - - -Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon. - -```yaml -auth_service: - authentication: - type: saml -``` - - - - If you need to log in again before configuring your SAML provider, use the flag `--auth=local`.