From 64d5b1d93c29fe4963b4ab86773e174656fb9505 Mon Sep 17 00:00:00 2001 From: Russell Jones Date: Mon, 10 Apr 2017 17:55:58 -0700 Subject: [PATCH 1/2] Don't set logins directly from allowed logins for CertAuthority V2. --- lib/config/configuration.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/config/configuration.go b/lib/config/configuration.go index ea23ae5614682..bb2da0d6a0826 100644 --- a/lib/config/configuration.go +++ b/lib/config/configuration.go @@ -444,7 +444,7 @@ func parseAuthorizedKeys(bytes []byte, allowedLogins []string) (services.CertAut clusterName, nil, [][]byte{ssh.MarshalAuthorizedKey(pubkey)}, - allowedLogins) + nil) // transform old allowed logins into roles role := services.RoleForCertAuthority(ca) From c4f0b81b71091502cd3e84028d39ece13d9f59ac Mon Sep 17 00:00:00 2001 From: Russell Jones Date: Mon, 10 Apr 2017 18:13:54 -0700 Subject: [PATCH 2/2] Updated trusted cluster documentation for docker build. --- docker/README.md | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/docker/README.md b/docker/README.md index 5d354e329be67..4db1a0b2717b0 100644 --- a/docker/README.md +++ b/docker/README.md @@ -76,7 +76,7 @@ the YAML file to `tctl` via `-c` flag. ### Trusted Clusters -To setup Trusted Clusters: +#### Trusted Clusters with Resources 1. Update `two-role.yaml` and replace `username_goes_here` with your username. 1. Create a `Role` and `TrustedCluster` resource on Cluster Two. 
@@ -87,6 +87,41 @@ To setup Trusted Clusters: tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f docker/two-tc.yaml ``` +#### Trusted Clusters with File Configuration + +##### Export CAs + +Run the following commands to export your CAs. + +```bash +# enter cluster two and export ca +make enter-two +tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml auth export > docker/data/two/two.ca +exit + +# enter cluster one and export ca +make enter-one +tctl auth export > docker/data/one/one.ca +exit +``` + +##### Upate Configuration + +Stop both clusters with `make stop`, update the file configuration for both clusters, and start again with `make`. + +```bash +# update docker/one.yaml with the following under "auth_service" +trusted_clusters: + - key_file: /root/go/src/github.com/gravitational/teleport/docker/data/two/two.ca +``` +```bash +# update docker/two-auth.yaml with the following under "auth_service" +trusted_clusters: + - key_file: /root/go/src/github.com/gravitational/teleport/docker/data/one/one.ca + allow_logins: root + tunnel_addr: one +``` + ### Ansible To setup Ansible:
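Review bot: in the `parseAuthorizedKeys` hunk of `lib/config/configuration.go`, replacing `allowedLogins` with `nil` in the CertAuthority constructor means the `ca` handed to `services.RoleForCertAuthority(ca)` two lines later no longer carries the allowed logins, yet the retained comment still says "transform old allowed logins into roles". The visible context shows no other path by which `allowedLogins` reaches the role, so confirm the logins are applied to the role elsewhere (or pass them into the role construction explicitly); otherwise a V2 CertAuthority built from an authorized_keys entry silently loses its permitted logins. A short comment stating why V2 authorities must not carry logins directly, plus a test that builds a V2 CA from authorized_keys with a non-empty `allowedLogins` and asserts the resulting role's logins, would make the intent checkable.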
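Review bot: in the first `docker/README.md` hunk (`@@ -76,7 +76,7 @@`), the introductory sentence "To setup Trusted Clusters:" is replaced by the heading "#### Trusted Clusters with Resources", so the numbered list that follows now begins directly under a heading with no sentence saying what the steps achieve. Suggest keeping a one-line lead-in under the new heading (e.g. "To set up Trusted Clusters using resources:") so the two alternatives, resources and file configuration, are introduced in parallel.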
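Review bot: in the second `docker/README.md` hunk (`@@ -87,6 +87,41 @@`), the heading `##### Upate Configuration` has a typo and should read `##### Update Configuration`. On the content: the `two-auth.yaml` fragment sets `allow_logins: root`, which grants the root login to users arriving from cluster one, while the resource-based section above has the reader substitute their own username for `username_goes_here`; for consistency and least privilege, suggest using the same placeholder username here and noting that `root` is only appropriate for a throwaway docker environment. The two fragments are also asymmetric (`one.yaml` gets only `key_file`, `two-auth.yaml` gets `key_file`, `allow_logins` and `tunnel_addr: one`) with no explanation, so a sentence on what `tunnel_addr` points at and why only one side needs `allow_logins` would help readers who adapt this outside the docker setup.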