From bfca1101df5eb22bc56598d5742a768e81ddf1de Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Wed, 26 Jun 2024 16:48:13 -0700 Subject: [PATCH 01/10] Add very rough draft --- rfd/0715-static-host-users.md | 72 +++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 rfd/0715-static-host-users.md diff --git a/rfd/0715-static-host-users.md b/rfd/0715-static-host-users.md new file mode 100644 index 0000000000000..3f5af78e89933 --- /dev/null +++ b/rfd/0715-static-host-users.md 
@@ -0,0 +1,72 @@ +--- +author: Andrew Burke (andrew.burke@goteleport.com) +state: draft +--- + +# RFD 175 - Static Host Users + +## Required Approvers + +## What + +teleport nodes will be able to create host users ahead of time instead of only +when a user logs in + +## Why + +users can be provisioned w/o them needing to log in beforehand + +## Details + +### new resource + +copy a lot of stuff for host users from roles + +```yaml +kind: static_host_user +metadata: + name: hostuser +spec: + login: user1 # don't support the templating thing from roles as + # that depends on users i think + # these 2 are identical to their role counterparts + groups: [abc, def] + sudoers: [ + # ... + ] + # from user traits + uid: 1234 + gid: 1234 + node_labels: # same as allow rules in roles + # ... + node_labels_expression: | # same deal + # ... + # we do not need host user mode as it will always be keep +``` + +### propagation + +nodes will get all static host users on startup and create the ones that apply to them (check with the labels). +after that nodes will watch for new host users in their cache + +they will get updated users this way too + +nodes with host user creation disabled don't do anything + +### deletion + +key under login/name in backend so we have login info for deletion + +### UX + +### security + +need to make sure that users not added by teleport can't be deleted by a user that has access to +host user resources. add a new group `teleport-created` (like `teleport-system`) that simply marks +that a user was created by teleport. only users with this group can be deleted (TODO: should host +users created the normal way get this group too?) + +if a user is not allowed to create host users in their roles, they are also not allowed to create +static host users (maintain parity between static and dynamic host users as much as possible). 
+also user must have matching login to be able to work with matching static host user (TODO: consider if +there should be an admin bypass.) From ba3a5de0112684559bb103a8d884e9c01eaa8914 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Thu, 27 Jun 2024 17:00:51 -0700 Subject: [PATCH 02/10] First pass --- rfd/0175-static-host-users.md | 93 +++++++++++++++++++++++++++++++++++ rfd/0715-static-host-users.md | 72 --------------------------- 2 files changed, 93 insertions(+), 72 deletions(-) create mode 100644 rfd/0175-static-host-users.md delete mode 100644 rfd/0715-static-host-users.md diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md new file mode 100644 index 0000000000000..d64d825cd6650 --- /dev/null +++ b/rfd/0175-static-host-users.md 
@@ -0,0 +1,93 @@ +--- +author: Andrew Burke (andrew.burke@goteleport.com) +state: draft +--- + +# RFD 175 - Static Host Users + +## Required Approvers + +## What + +Teleport nodes will be able to create host users statically, i.e. independently +of a Teleport user creating one when SSHing with the current host user creation. + +## Why + +users can be provisioned w/o them needing to log in beforehand + +## Details + +### Resource + +Add a new resource to Teleport called `static_host_user`. This resource defines +a single Unix user, including groups, sudoers, uid, and gid, as well as labels +to select specific nodes the user should be created on. + +```yaml +kind: static_host_user +metadata: + name: hostuser +spec: + login: user1 + # groups and sudoers are identical to their role counterparts + groups: [abc, def] + sudoers: [ + # ... + ] + # same as from user traits + uid: "1234" + gid: "5678" + # same as allow rules in roles + node_labels: + # ... + node_labels_expression: # ... +``` + +### Propagation + +On startup, nodes will apply all available `static_host_user`s in the cache, +then watch the cache for new and updated users. Nodes will use the labels in the +`static_host_user`s to filter out those that don't apply to them, with the same +logic that currently determines access with roles. Updated `static_host_user`s +override the existing user. Delete events from the cache will signal the node +to delete the created user. + +To facilitate deletion, `static_host_user`s will be keyed under their login in +the backend, i.e. `hostUsers//`. + +Nodes that disable host user creation (by setting `ssh_service.disable_create_host_user` +to true in their config) will ignore `static_host_user`s entirely. 
+ +### UX + +Admins will create a `static_host_user` resource: + +```yaml +# foo-dev.yaml +kind: static_host_user +metadata: + name: foo-dev +spec: + login: foo + node_labels: + env: dev +``` + +Then create it with `tctl`: + +```code +$ tctl create foo-dev.yaml +``` + +The user `foo` will eventually appear on nodes with label `env: dev` once the +`foo-dev` resource makes it through the cache. + +### Security + +We want to minimize the ability of Teleport users to mess with existing Unix users +via `static_host_user`s. To that end, all Unix users created from `static_host_user`s +will be in the `teleport-created` group (similar to the `teleport-system` group, which +we currently use to mark users that Teleport should clean up). Teleport will not +delete users without `teleport-created`, and new users will not override existing users +that are not in `teleport-created`. diff --git a/rfd/0715-static-host-users.md b/rfd/0715-static-host-users.md deleted file mode 100644 index 3f5af78e89933..0000000000000 --- a/rfd/0715-static-host-users.md +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -author: Andrew Burke (andrew.burke@goteleport.com) -state: draft ---- - -# RFD 175 - Static Host Users - -## Required Approvers - -## What - -teleport nodes will be able to create host users ahead of time instead of only -when a user logs in - -## Why - -users can be provisioned w/o them needing to log in beforehand - -## Details - -### new resource - -copy a lot of stuff for host users from roles - -```yaml -kind: static_host_user -metadata: - name: hostuser -spec: - login: user1 # don't support the templating thing from roles as - # that depends on users i think - # these 2 are identical to their role counterparts - groups: [abc, def] - sudoers: [ - # ... - ] - # from user traits - uid: 1234 - gid: 1234 - node_labels: # same as allow rules in roles - # ... - node_labels_expression: | # same deal - # ... - # we do not need host user mode as it will always be keep -``` - -### propagation - -nodes will get all static host users on startup and create the ones that apply to them (check with the labels). -after that nodes will watch for new host users in their cache - -they will get updated users this way too - -nodes with host user creation disabled don't do anything - -### deletion - -key under login/name in backend so we have login info for deletion - -### UX - -### security - -need to make sure that users not added by teleport can't be deleted by a user that has access to -host user resources. add a new group `teleport-created` (like `teleport-system`) that simply marks -that a user was created by teleport. only users with this group can be deleted (TODO: should host -users created the normal way get this group too?) - -if a user is not allowed to create host users in their roles, they are also not allowed to create -static host users (maintain parity between static and dynamic host users as much as possible). 
-also user must have matching login to be able to work with matching static host user (TODO: consider if -there should be an admin bypass.) From 589c2ebbfe0c5c2256429d40dcdad2c6821b60a1 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Fri, 28 Jun 2024 15:58:02 -0700 Subject: [PATCH 03/10] Another pass --- rfd/0175-static-host-users.md | 86 +++++++++++++++++++++++------------ 1 file changed, 56 insertions(+), 30 deletions(-) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index d64d825cd6650..0438bc118a59f 100644 --- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md @@ -7,6 +7,8 @@ state: draft ## Required Approvers +TODO + ## What Teleport nodes will be able to create host users statically, i.e. independently 
@@ -14,14 +16,51 @@ of a Teleport user creating one when SSHing with the current host user creation. ## Why -users can be provisioned w/o them needing to log in beforehand +TODO ## Details +### UX + +To create a static host user, an admin will create a `static_host_user` resource: + +```yaml +# foo-dev.yaml +kind: static_host_user +metadata: + name: foo-dev +spec: + login: foo + node_labels: + env: dev +``` + +Then create it with `tctl`: + +```code +$ tctl create foo-dev.yaml +``` + +The user `foo` will eventually appear on nodes with label `env: dev` once the +`foo-dev` resource makes it through the cache. + +To update an existing static host user, an admin will update update `foo-dev.yaml`, +then update the resource in Teleport with `tctl`: + +```code +$ tctl create -f foo-dev.yaml +``` + +To remove the resource and delete all host users associated with it, run: + +```code +$ tctl rm host_user/foo-dev +``` + ### Resource -Add a new resource to Teleport called `static_host_user`. This resource defines -a single Unix user, including groups, sudoers, uid, and gid, as well as labels +We will add a new resource to Teleport called `static_host_user`. This resource defines +a single host user, including groups, sudoers entitlements, uid, and gid, as well as labels to select specific nodes the user should be created on. ```yaml 
@@ -59,35 +98,22 @@ the backend, i.e. `hostUsers//`. Nodes that disable host user creation (by setting `ssh_service.disable_create_host_user` to true in their config) will ignore `static_host_user`s entirely. -### UX - -Admins will create a `static_host_user` resource: - -```yaml -# foo-dev.yaml -kind: static_host_user -metadata: - name: foo-dev -spec: - login: foo - node_labels: - env: dev -``` - -Then create it with `tctl`: - -```code -$ tctl create foo-dev.yaml -``` - -The user `foo` will eventually appear on nodes with label `env: dev` once the -`foo-dev` resource makes it through the cache. - ### Security -We want to minimize the ability of Teleport users to mess with existing Unix users -via `static_host_user`s. To that end, all Unix users created from `static_host_user`s +We want to minimize the ability of Teleport users to mess with existing host users +via `static_host_user`s. To that end, all host users created from `static_host_user`s will be in the `teleport-created` group (similar to the `teleport-system` group, which we currently use to mark users that Teleport should clean up). Teleport will not -delete users without `teleport-created`, and new users will not override existing users +delete users not in `teleport-created`, and new users will not override existing users that are not in `teleport-created`. + +### Backward compatibility + +Consider nodes that do not support static host users but are connected to an +auth server that does. These nodes will silently ignore static +host users. + +### Future work + +Extend server heartbeats to include static host users. This will allow Teleport users to spot incorrect propagation of host users +due to misconfiguration, nodes that don't support them, etc. From d397194d8ca8c8d31b6953dbe72160abff4a8c53 Mon Sep 17 00:00:00 2001 
From: Andrew Burke Date: Tue, 9 Jul 2024 16:01:21 -0700 Subject: [PATCH 04/10] Add details about user deletion --- rfd/0175-static-host-users.md | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index 0438bc118a59f..1b6feb44b0d5f 100644 --- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md @@ -51,7 +51,7 @@ then update the resource in Teleport with `tctl`: $ tctl create -f foo-dev.yaml ``` -To remove the resource and delete all host users associated with it, run: +To remove the resource and delete all host users associated with it, an admin will run: ```code $ tctl rm host_user/foo-dev 
@@ -89,14 +89,26 @@ On startup, nodes will apply all available `static_host_user`s in the cache, then watch the cache for new and updated users. Nodes will use the labels in the `static_host_user`s to filter out those that don't apply to them, with the same logic that currently determines access with roles. Updated `static_host_user`s -override the existing user. Delete events from the cache will signal the node -to delete the created user. +override the existing user. + +Nodes that disable host user creation (by setting `ssh_service.disable_create_host_user` +to true in their config) will ignore `static_host_user`s entirely. + +### Deletion + +Delete events from the cache will signal the node to delete a created user. If the user is still in use (i.e. someone is logged +in as it), it will be added to the `teleport-delete` group. Teleport +will periodically delete `teleport-delete` users as it does with +expired `teleport-system` users. Teleport users will not be able to log in as a host user if it is marked for deletion. To facilitate deletion, `static_host_user`s will be keyed under their login in the backend, i.e. `hostUsers//`. -Nodes that disable host user creation (by setting `ssh_service.disable_create_host_user` -to true in their config) will ignore `static_host_user`s entirely. +### Product usage + +The session start PostHog event can be extended to include a flag +indicating whether or not the host user for an SSH session was +created by Teleport (for both static and non-static host users). ### Security @@ -111,7 +123,8 @@ that are not in `teleport-created`. Consider nodes that do not support static host users but are connected to an auth server that does. These nodes will silently ignore static -host users. +host users. When these nodes are upgraded to a supporting +version, they will create static host users as normal. ### Future work From 4dbbb96995b98358a1bdc493a752ff4ef31e1487 Mon Sep 17 00:00:00 2001 
From: Andrew Burke Date: Fri, 12 Jul 2024 09:12:35 -0700 Subject: [PATCH 05/10] Add who and why --- rfd/0175-static-host-users.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index 1b6feb44b0d5f..d474106b4af53 100644 --- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md @@ -7,7 +7,7 @@ state: draft ## Required Approvers -TODO +- Engineering: @rosstimothy && @lxea ## What @@ -16,7 +16,8 @@ of a Teleport user creating one when SSHing with the current host user creation. ## Why -TODO +Host users can be created and used (potentially by third-party services) without +a Teleport user needing to log in first. ## Details @@ -96,10 +97,11 @@ to true in their config) will ignore `static_host_user`s entirely. ### Deletion -Delete events from the cache will signal the node to delete a created user. If the user is still in use (i.e. someone is logged -in as it), it will be added to the `teleport-delete` group. Teleport -will periodically delete `teleport-delete` users as it does with -expired `teleport-system` users. Teleport users will not be able to log in as a host user if it is marked for deletion. +Delete events from the cache will signal the node to delete a created user. If +the user is still in use (i.e. someone is logged in as it), it will be added +to the `teleport-delete` group. Teleport will periodically delete `teleport-delete` +users as it does with expired `teleport-system` users. Teleport users will not +be able to log in as a host user if it is marked for deletion. To facilitate deletion, `static_host_user`s will be keyed under their login in the backend, i.e. `hostUsers//`. 
@@ -128,5 +130,6 @@ version, they will create static host users as normal. ### Future work -Extend server heartbeats to include static host users. This will allow Teleport users to spot incorrect propagation of host users -due to misconfiguration, nodes that don't support them, etc. +Extend server heartbeats to include static host users. This will allow Teleport +users to spot incorrect propagation of host users due to misconfiguration, nodes +that don't support them, etc. From b230b3a13d4ed94ffd705c3eab734ad3032cb53b Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Fri, 12 Jul 2024 09:41:44 -0700 Subject: [PATCH 06/10] Add reviewer --- rfd/0175-static-host-users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index d474106b4af53..1d68d5f64f94b 100644 --- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md @@ -7,7 +7,7 @@ state: draft ## Required Approvers -- Engineering: @rosstimothy && @lxea +- Engineering: @rosstimothy && @lxea && @@espadolini ## What From 04355d5c352d42d5c1cfbbba24afb404ffa2d35f Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Fri, 12 Jul 2024 17:09:28 -0700 Subject: [PATCH 07/10] Delete deletion --- rfd/0175-static-host-users.md | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index 1d68d5f64f94b..67795fd6f0201 100644 --- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md @@ -52,12 +52,6 @@ then update the resource in Teleport with `tctl`: $ tctl create -f foo-dev.yaml ``` -To remove the resource and delete all host users associated with it, an admin will run: - -```code -$ tctl rm host_user/foo-dev -``` - ### Resource We will add a new resource to Teleport called `static_host_user`. This resource defines 
@@ -90,22 +84,13 @@ On startup, nodes will apply all available `static_host_user`s in the cache, then watch the cache for new and updated users. Nodes will use the labels in the `static_host_user`s to filter out those that don't apply to them, with the same logic that currently determines access with roles. Updated `static_host_user`s -override the existing user. +override the existing user. When a `static_host_user` is deleted, any host users +created by it are *not* deleted (same behavior as `keep` mode for current host +user creation). Nodes that disable host user creation (by setting `ssh_service.disable_create_host_user` to true in their config) will ignore `static_host_user`s entirely. -### Deletion - -Delete events from the cache will signal the node to delete a created user. If -the user is still in use (i.e. someone is logged in as it), it will be added -to the `teleport-delete` group. Teleport will periodically delete `teleport-delete` -users as it does with expired `teleport-system` users. Teleport users will not -be able to log in as a host user if it is marked for deletion. - -To facilitate deletion, `static_host_user`s will be keyed under their login in -the backend, i.e. `hostUsers//`. - ### Product usage The session start PostHog event can be extended to include a flag From 2bfacbbcdd75b38e3ba5ac31fdc73153242b4966 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Mon, 15 Jul 2024 15:34:09 -0700 Subject: [PATCH 08/10] Add missing sections --- rfd/0175-static-host-users.md | 51 +++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index 67795fd6f0201..54369a8cd861e 100644 --- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md 
@@ -78,6 +78,37 @@ spec: node_labels_expression: # ... ``` +```proto +message StaticHostUser { + string kind = 1; + string sub_kind = 2; + string version = 3; + teleport.header.v1.Metadata metadata = 4; + + StaticHostUserSpec spec = 5; +} + +message StaticHostUserSpec { + string login = 1; + repeated string groups = 2; + repeated string sudoers = 3; + string uid = 4; + string gid = 5; + + wrappers.LabelValues node_labels = 6; + string node_labels_expression = 7; +} + +service UsersService { + rpc GetStaticHostUser(GetStaticHostUserRequest) returns (GetStaticHostUserResponse); + rpc ListStaticHostUsers(ListStaticHostUsersRequest) returns (ListStaticHostUsersResponse); + rpc CreateStaticHostUser(CreateStaticHostUserRequest) returns (CreateStaticHostUserResponse); + rpc UpdateStaticHostUser(UpdateStaticHostUserRequest) returns (UpdateStaticHostUserResponse); + rpc UpsertStaticHostUser(UpsertStaticHostUserRequest) returns (UpsertStaticHostUserResponse); + rpc DeleteStaticHostUser(DeleteStaticHostUserRequest) returns (google.protobuf.Empty); +} +``` + ### Propagation On startup, nodes will apply all available `static_host_user`s in the cache, 
@@ -91,14 +122,22 @@ user creation). Nodes that disable host user creation (by setting `ssh_service.disable_create_host_user` to true in their config) will ignore `static_host_user`s entirely. -### Product usage +### Audit events -The session start PostHog event can be extended to include a flag +The `session.start` audit event will be extened to include a flag indicating whether or not the host user for an SSH session was created by Teleport (for both static and non-static host users). +### Product usage + +The session start PostHog event will be extended to include the +same flag described in [Audit events](#audit-events). + ### Security +CRUD operations on `static_host_user`s can be restricted with verbs +in allow/deny rules like any other resource. + We want to minimize the ability of Teleport users to mess with existing host users via `static_host_user`s. To that end, all host users created from `static_host_user`s will be in the `teleport-created` group (similar to the `teleport-system` group, which @@ -113,6 +152,14 @@ auth server that does. These nodes will silently ignore static host users. When these nodes are upgraded to a supporting version, they will create static host users as normal. +### Test plan + +Integration test for: +- nodes create/update nodes in response to `static_host_user` updates from the cache + +Manual test for: +- create static host user with `tctl` and verify it's applied to nodes + ### Future work Extend server heartbeats to include static host users. This will allow Teleport From c69b551fe0e8d2330364ae8d8dbea300ec522396 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Tue, 16 Jul 2024 12:41:42 -0700 Subject: [PATCH 09/10] Address comments --- rfd/0175-static-host-users.md | 49 +++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index 54369a8cd861e..393d2aabe1a32 100644 --- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md 
@@ -107,6 +107,52 @@ service UsersService { rpc UpsertStaticHostUser(UpsertStaticHostUserRequest) returns (UpsertStaticHostUserResponse); rpc DeleteStaticHostUser(DeleteStaticHostUserRequest) returns (google.protobuf.Empty); } + +message GetStaticHostUserRequest { + string name = 1; +} + +message GetStaticHostUserResponse { + types.StaticHostUserV1 user = 1; +} + +message ListStaticHostUsersRequest { + int32 page_size = 1; + string page_token = 2; +} + +message ListStaticHostUsersResponse { + repeated types.StaticHostUserV1 users = 1; + string next_page_token = 2; +} + +message CreateStaticHostUserRequest { + types.StaticHostUserV1 user = 1; +} + +message CreateStaticHostUserResponse { + types.StaticHostUserV1 user = 1; +} + +message UpdateStaticHostUserRequest { + types.StaticHostUserV1 user = 1; +} + +message UpdateStaticHostUserResponse { + types.StaticHostUserV1 user = 1; +} + +message UpsertStaticHostUserRequest { + types.StaticHostUserV1 user = 1; +} + +message UpsertStaticHostUserResponse { + types.StaticHostUserV1 user = 1; +} + +message DeleteStaticHostUserRequest { + string name = 1; +} ``` ### Propagation @@ -128,6 +174,9 @@ The `session.start` audit event will be extened to include a flag indicating whether or not the host user for an SSH session was created by Teleport (for both static and non-static host users). +Two new audit events, `host_user.create` and `host_user.update`, will be added +and emitted by nodes when they create or update a host user, respectively. + ### Product usage The session start PostHog event will be extended to include the From 0fea5b3e098e93fa833b363305125b11d1a6ebbb Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Wed, 17 Jul 2024 11:00:02 -0700 Subject: [PATCH 10/10] Rename teleport-created to teleport-static --- rfd/0175-static-host-users.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rfd/0175-static-host-users.md b/rfd/0175-static-host-users.md index 393d2aabe1a32..77d95290a389f 100644 
--- a/rfd/0175-static-host-users.md +++ b/rfd/0175-static-host-users.md @@ -189,10 +189,9 @@ in allow/deny rules like any other resource. We want to minimize the ability of Teleport users to mess with existing host users via `static_host_user`s. To that end, all host users created from `static_host_user`s -will be in the `teleport-created` group (similar to the `teleport-system` group, which -we currently use to mark users that Teleport should clean up). Teleport will not -delete users not in `teleport-created`, and new users will not override existing users -that are not in `teleport-created`. +will be in the `teleport-static` group (similar to the `teleport-system` group, which +we currently use to mark users that Teleport should clean up). New users will not override +existing users that are not in `teleport-static`. ### Backward compatibility
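Review bot: In patch 01/10, the new file is created as `rfd/0715-static-host-users.md` while its title line reads `# RFD 175 - Static Host Users`; the digits in the filename are transposed and should be `0175` to match the RFD number (the rename in patch 02/10 confirms this).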
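Review bot: In the Propagation section of patch 02/10, "Delete events from the cache will signal the node to delete the created user" does not say what happens when that user still has an active session or running processes on the node; the RFD should state whether deletion is deferred, refused, or forced. In the same hunk the backend key example `hostUsers//` has empty path components; spell out the layout the first draft described (`hostUsers/<login>/<name>`) so a reader can see why the login is recoverable at deletion time.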
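Review bot: In the UX section of patch 03/10, the removal command `tctl rm host_user/foo-dev` uses the kind `host_user`, but the resource introduced by this RFD is `static_host_user`; the example should be `tctl rm static_host_user/foo-dev` or the text should explain the alias. Same hunk, minor: "an admin will update update `foo-dev.yaml`" repeats "update".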
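Review bot: In the Backward compatibility section of patch 03/10, "These nodes will silently ignore static host users" leaves an admin with no way to tell which nodes in an `env: dev` set actually created the login; the same hunk defers heartbeat reporting to Future work, so the RFD should at least say that the node logs the ignored resources at startup until heartbeats carry that information.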
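Review bot: In the Deletion section of patch 04/10, "If the user is still in use (i.e. someone is logged in as it)" should define "in use" precisely: only active Teleport SSH sessions, or any process owned by that uid (including ones started outside Teleport)? The `teleport-delete` group gates new Teleport logins, but the hunk does not say whether existing sessions for a user marked for deletion are terminated, or what the periodic cleanup does if the uid is still active when it runs.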
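Review bot: In patch 06/10, the added approver is written as `@@espadolini` with a doubled at-sign; it should read `@espadolini` like the other two handles on that line.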
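Review bot: In the Propagation hunk of patch 07/10, "any host users created by it are *not* deleted (same behavior as `keep` mode)" should also say whether the `sudoers` entries and group memberships granted through the resource persist after the resource is removed; leaving a passwordless sudo entry behind for a login nobody manages anymore is the part of "keep" that matters for security, and the resource spec carries both fields. With deletion dropped, the Security sentence "Teleport will not delete users not in `teleport-created`" elsewhere in the file no longer describes any code path and should be removed in the same change.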
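Review bot: In the Security hunk of patch 08/10, "CRUD operations on `static_host_user`s can be restricted with verbs in allow/deny rules like any other resource" drops two requirements from the first draft: that a user who may not create host users through roles may not create static ones either, and that the user's own logins must match the static host user's `login`. Without them, the `create` verb on this resource lets a Teleport user provision a login with arbitrary `sudoers` entries on every node matching the labels, which is broader than what their role allows them to SSH as; state explicitly whether that parity is intended to be dropped or how it is enforced. Same hunk, minor: "will be extened" should be "will be extended".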
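Review bot: In the Test plan hunk of patch 08/10, "nodes create/update nodes in response to `static_host_user` updates from the cache" should read "nodes create/update host users"; the test should also cover the refusal case from the Security section (a pre-existing login not in the Teleport group is left untouched) and the `disable_create_host_user` path, since both are stated behaviors with no test listed.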
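Review bot: In the proto hunk of patch 09/10, the new request and response messages reference `types.StaticHostUserV1`, but the message defined in the same block (from patch 08/10) is named `StaticHostUser` with no `V1` suffix and no `types` package; pick one name and package so the block is self-consistent.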
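Review bot: In the Security hunk of patch 10/10, "New users will not override existing users that are not in `teleport-static`" describes a silent refusal; the RFD should say how that outcome is surfaced, for example by emitting one of the `host_user.*` audit events added in patch 09/10 with a failure reason, since an admin who sees `foo-dev` created in `tctl` will otherwise assume the login exists on every matching node.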