Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFD - Static host users #43666

Merged
merged 10 commits into from
Jul 17, 2024
Merged

RFD - Static host users #43666

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
bfca110
Add very rough draft
atburke Jun 26, 2024
ba3a5de
First pass
atburke Jun 28, 2024
589c2eb
Another pass
atburke Jun 28, 2024
d397194
Add details about user deletion
atburke Jul 9, 2024
4dbbb96
Add who and why
atburke Jul 12, 2024
b230b3a
Add reviewer
atburke Jul 12, 2024
04355d5
Delete deletion
atburke Jul 13, 2024
2bfacbb
Add missing sections
atburke Jul 15, 2024
c69b551
Address comments
atburke Jul 16, 2024
0fea5b3
Rename teleport-created to teleport-static
atburke Jul 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
215 changes: 215 additions & 0 deletions rfd/0175-static-host-users.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,215 @@
---
author: Andrew Burke ([email protected])
state: draft
---

# RFD 175 - Static Host Users

## Required Approvers

- Engineering: @rosstimothy && @lxea && @@espadolini

## What

Teleport nodes will be able to create host users statically, i.e. independently
of a Teleport user creating one when SSHing with the current host user creation.

## Why

Host users can be created and used (potentially by third-party services) without
a Teleport user needing to log in first.

## Details

### UX

To create a static host user, an admin will create a `static_host_user` resource:

```yaml
# foo-dev.yaml
kind: static_host_user
metadata:
name: foo-dev
spec:
login: foo
node_labels:
env: dev
```

Then create it with `tctl`:

```code
$ tctl create foo-dev.yaml
```

The user `foo` will eventually appear on nodes with label `env: dev` once the
`foo-dev` resource makes it through the cache.

To update an existing static host user, an admin will update update `foo-dev.yaml`,
then update the resource in Teleport with `tctl`:

```code
$ tctl create -f foo-dev.yaml
```

### Resource

We will add a new resource to Teleport called `static_host_user`. This resource defines
rosstimothy marked this conversation as resolved.
Show resolved Hide resolved
a single host user, including groups, sudoers entitlements, uid, and gid, as well as labels
to select specific nodes the user should be created on.

```yaml
kind: static_host_user
metadata:
name: hostuser
spec:
login: user1
# groups and sudoers are identical to their role counterparts
groups: [abc, def]
sudoers: [
# ...
]
# same as from user traits
uid: "1234"
gid: "5678"
# same as allow rules in roles
node_labels:
# ...
node_labels_expression: # ...
```

```proto
message StaticHostUser {
string kind = 1;
string sub_kind = 2;
string version = 3;
teleport.header.v1.Metadata metadata = 4;

StaticHostUserSpec spec = 5;
}

message StaticHostUserSpec {
string login = 1;
repeated string groups = 2;
repeated string sudoers = 3;
string uid = 4;
string gid = 5;
Comment on lines +95 to +96
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are these strings?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They're strings here because they're strings in user traits, and I wanted to keep them the same.


wrappers.LabelValues node_labels = 6;
string node_labels_expression = 7;
}

service UsersService {
rpc GetStaticHostUser(GetStaticHostUserRequest) returns (GetStaticHostUserResponse);
rpc ListStaticHostUsers(ListStaticHostUsersRequest) returns (ListStaticHostUsersResponse);
rpc CreateStaticHostUser(CreateStaticHostUserRequest) returns (CreateStaticHostUserResponse);
rpc UpdateStaticHostUser(UpdateStaticHostUserRequest) returns (UpdateStaticHostUserResponse);
rpc UpsertStaticHostUser(UpsertStaticHostUserRequest) returns (UpsertStaticHostUserResponse);
rpc DeleteStaticHostUser(DeleteStaticHostUserRequest) returns (google.protobuf.Empty);
rosstimothy marked this conversation as resolved.
Show resolved Hide resolved
}

message GetStaticHostUserRequest {
string name = 1;
}

message GetStaticHostUserResponse {
types.StaticHostUserV1 user = 1;
}

message ListStaticHostUsersRequest {
int32 page_size = 1;
string page_token = 2;
}

message ListStaticHostUsersResponse {
repeated types.StaticHostUserV1 users = 1;
string next_page_token = 2;
}

message CreateStaticHostUserRequest {
types.StaticHostUserV1 user = 1;
}

message CreateStaticHostUserResponse {
types.StaticHostUserV1 user = 1;
}

message UpdateStaticHostUserRequest {
types.StaticHostUserV1 user = 1;
}

message UpdateStaticHostUserResponse {
types.StaticHostUserV1 user = 1;
}

message UpsertStaticHostUserRequest {
types.StaticHostUserV1 user = 1;
}

message UpsertStaticHostUserResponse {
types.StaticHostUserV1 user = 1;
}

message DeleteStaticHostUserRequest {
string name = 1;
}
```

### Propagation

On startup, nodes will apply all available `static_host_user`s in the cache,
then watch the cache for new and updated users. Nodes will use the labels in the
`static_host_user`s to filter out those that don't apply to them, with the same
logic that currently determines access with roles. Updated `static_host_user`s
override the existing user. When a `static_host_user` is deleted, any host users
created by it are *not* deleted (same behavior as `keep` mode for current host
user creation).

Nodes that disable host user creation (by setting `ssh_service.disable_create_host_user`
to true in their config) will ignore `static_host_user`s entirely.

### Audit events
rosstimothy marked this conversation as resolved.
Show resolved Hide resolved

The `session.start` audit event will be extened to include a flag
indicating whether or not the host user for an SSH session was
created by Teleport (for both static and non-static host users).

Two new audit events, `host_user.create` and `host_user.update`, will be added
and emitted by nodes when they create or update a host user, respectively.

### Product usage

The session start PostHog event will be extended to include the
same flag described in [Audit events](#audit-events).

### Security

CRUD operations on `static_host_user`s can be restricted with verbs
in allow/deny rules like any other resource.

We want to minimize the ability of Teleport users to mess with existing host users
rosstimothy marked this conversation as resolved.
Show resolved Hide resolved
via `static_host_user`s. To that end, all host users created from `static_host_user`s
will be in the `teleport-static` group (similar to the `teleport-system` group, which
we currently use to mark users that Teleport should clean up). New users will not override
existing users that are not in `teleport-static`.

rosstimothy marked this conversation as resolved.
Show resolved Hide resolved
### Backward compatibility

Consider nodes that do not support static host users but are connected to an
auth server that does. These nodes will silently ignore static
host users. When these nodes are upgraded to a supporting
version, they will create static host users as normal.

rosstimothy marked this conversation as resolved.
Show resolved Hide resolved
### Test plan

Integration test for:
- nodes create/update nodes in response to `static_host_user` updates from the cache

Manual test for:
- create static host user with `tctl` and verify it's applied to nodes

### Future work

Extend server heartbeats to include static host users. This will allow Teleport
users to spot incorrect propagation of host users due to misconfiguration, nodes
that don't support them, etc.
Loading