config

package
v2.0.0-alpha.4+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 2, 2017 License: Apache-2.0 Imports: 25 Imported by: 68

Documentation

Overview

Package 'config' provides facilities for configuring Teleport daemons including

  • parsing YAML configuration
  • parsing CLI flags

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ApplyFileConfig

func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error

ApplyFileConfig applies confniguration from a YAML file to Teleport runtime config

func Configure

func Configure(clf *CommandLineFlags, cfg *service.Config) error

Configure merges command line arguments with what's in a configuration file with CLI commands taking precedence

Types

type Auth

type Auth struct {
	Service `yaml:",inline"`
	// DomainName is the name of the CA who manages this cluster
	DomainName string `yaml:"cluster_name,omitempty"`

	// TrustedClustersFile is a file path to a file containing public CA keys
	// of clusters we trust. One key per line, those starting with '#' are comments
	TrustedClusters []TrustedCluster `yaml:"trusted_clusters,omitempty"`

	// FOR INTERNAL USE:
	// Authorities : 3rd party certificate authorities (CAs) this auth service trusts.
	Authorities []Authority `yaml:"authorities,omitempty"`

	// FOR INTERNAL USE:
	// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk
	// to 3rd party auth servers we trust)
	ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`

	// OIDCConnectors is a list of trusted OpenID Connect Identity providers
	OIDCConnectors []OIDCConnector `yaml:"oidc_connectors"`

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	//
	// Each token string has the following format: "role1,role2,..:token",
	// for exmple: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo"
	StaticTokens []StaticToken `yaml:"tokens,omitempty"`

	// Configuration for "universal 2nd factor"
	U2F U2F `yaml:"u2f,omitempty"`
}

Auth is 'auth_service' section of the config file

type Authority

type Authority struct {
	// Type is either user or host certificate authority
	Type services.CertAuthType `yaml:"type"`
	// DomainName identifies domain name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	DomainName string `yaml:"domain_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures in OpenSSH authorized keys format
	CheckingKeys []string `yaml:"checking_keys"`
	// CheckingKeyFiles is a list of files
	CheckingKeyFiles []string `yaml:"checking_key_files"`
	// SigningKeys is a list of PEM-encoded private keys used for signing
	SigningKeys []string `yaml:"signing_keys"`
	// SigningKeyFiles is a list of paths to PEM encoded private keys used for signing
	SigningKeyFiles []string `yaml:"signing_key_files"`
	// AllowedLogins is a list of allowed logins for users within
	// this certificate authority
	AllowedLogins []string `yaml:"allowed_logins"`
}

Authority is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func (*Authority) Parse

Parse reads values and returns parsed CertAuthority

type ClaimMapping

type ClaimMapping struct {
	// Claim is OIDC claim name
	Claim string `yaml:"claim"`
	// Value is claim value to match
	Value string `yaml:"value"`
	// Roles is a list of teleport roles to match
	Roles []string `yaml:"roles"`
}

ClaimMapping is OIDC claim mapping that maps claim name to teleport roles

type CommandLabel

type CommandLabel struct {
	Name    string        `yaml:"name"`
	Command []string      `yaml:"command,flow"`
	Period  time.Duration `yaml:"period"`
}

CommandLabel is `command` section of `ssh_service` in the config file

type CommandLineFlags

type CommandLineFlags struct {
	// --name flag
	NodeName string
	// --auth-server flag
	AuthServerAddr string
	// --token flag
	AuthToken string
	// --listen-ip flag
	ListenIP net.IP
	// --advertise-ip flag
	AdvertiseIP net.IP
	// --config flag
	ConfigFile string
	// ConfigString is a base64 encoded configuration string
	// set by --config-string or TELEPORT_CONFIG environment variable
	ConfigString string
	// --roles flag
	Roles string
	// -d flag
	Debug bool
	// --labels flag
	Labels string
	// --httpprofile hidden flag
	HTTPProfileEndpoint bool
	// --pid-file flag
	PIDFile string
}

CommandLineFlags stores command line flag values, it's a much simplified subset of Teleport configuration (which is fully expressed via YAML config file)

type ConnectionLimits

type ConnectionLimits struct {
	MaxConnections int64            `yaml:"max_connections"`
	MaxUsers       int              `yaml:"max_users"`
	Rates          []ConnectionRate `yaml:"rates,omitempty"`
}

ConnectionLimits sets up connection limiter

type ConnectionRate

type ConnectionRate struct {
	Period  time.Duration `yaml:"period"`
	Average int64         `yaml:"average"`
	Burst   int64         `yaml:"burst"`
}

ConnectionRate configures rate limiter

type FileConfig

type FileConfig struct {
	Global `yaml:"teleport,omitempty"`
	Auth   Auth  `yaml:"auth_service,omitempty"`
	SSH    SSH   `yaml:"ssh_service,omitempty"`
	Proxy  Proxy `yaml:"proxy_service,omitempty"`
}

FileConfig structre represents the teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml)

Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.

func MakeSampleFileConfig

func MakeSampleFileConfig() (fc *FileConfig)

MakeSampleFileConfig returns a sample config structure populated by defaults, useful to generate sample configuration files

func ReadConfig

func ReadConfig(reader io.Reader) (*FileConfig, error)

ReadConfig reads Teleport configuration from reader in YAML format

func ReadConfigFile

func ReadConfigFile(cliConfigPath string) (*FileConfig, error)

readConfigFile reads /etc/teleport.yaml (or whatever is passed via --config flag) and overrides values in 'cfg' structure

func ReadFromFile

func ReadFromFile(filePath string) (*FileConfig, error)

ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported

func ReadFromString

func ReadFromString(configString string) (*FileConfig, error)

ReadFromString reads values from base64 encoded byte string

func (*FileConfig) DebugDumpToYAML

func (conf *FileConfig) DebugDumpToYAML() string

DebugDumpToYAML allows for quick YAML dumping of the config

type Global

type Global struct {
	NodeName    string           `yaml:"nodename,omitempty"`
	DataDir     string           `yaml:"data_dir,omitempty"`
	PIDFile     string           `yaml:"pid_file,omitempty"`
	AuthToken   string           `yaml:"auth_token,omitempty"`
	AuthServers []string         `yaml:"auth_servers,omitempty"`
	Limits      ConnectionLimits `yaml:"connection_limits,omitempty"`
	Logger      Log              `yaml:"log,omitempty"`
	Storage     backend.Config   `yaml:"storage,omitempty"`
	AdvertiseIP net.IP           `yaml:"advertise_ip,omitempty"`

	// Keys holds the list of SSH key/cert pairs used by all services
	// Each service (like proxy, auth, node) can find the key it needs
	// by looking into certificate
	Keys []KeyPair `yaml:"keys,omitempty"`

	// SeedConfig [GRAVITATIONAL USE] when set to true, Teleport treats
	// its configuration file simply as a seed data on initial start-up.
	// For OSS Teleport it should always be 'false' by default.
	SeedConfig bool `yaml:"seed_config,omitempty"`
}

Global is 'teleport' (global) section of the config file

type KeyPair

type KeyPair struct {
	// PrivateKeyFile is a path to file with private key
	PrivateKeyFile string `yaml:"private_key_file"`
	// CertFile is a path to file with OpenSSH certificate
	CertFile string `yaml:"cert_file"`
	// PrivateKey is PEM encoded OpenSSH private key
	PrivateKey string `yaml:"private_key"`
	// Cert is certificate in OpenSSH authorized keys format
	Cert string `yaml:"cert"`
}

KeyPair is a pair of private key and certificates

func (*KeyPair) Identity

func (k *KeyPair) Identity() (*auth.Identity, error)

Identity parses keypair into auth server identity

type Log

type Log struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible valus are "error", "info", "warn"
	Severity string `yaml:"severity,omitempty"`
}

Log configures teleport logging

type OIDCConnector

type OIDCConnector struct {
	// ID is a provider id, 'e.g.' google, used internally
	ID string `yaml:"id"`
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	IssuerURL string `yaml:"issuer_url"`
	// ClientID is id for authentication client (in our case it's our Auth server)
	ClientID string `yaml:"client_id"`
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	ClientSecret string `yaml:"client_secret"`
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successfull authentication
	// Should match the URL on Provider's side
	RedirectURL string `yaml:"redirect_url"`
	// Display controls how this connector is displayed
	Display string `yaml:"display"`
	// Scope is a list of additional scopes to request from OIDC
	// note that oidc and email scopes are always requested
	Scope []string `yaml:"scope"`
	// ClaimsToRoles is a list of mappings of claims to roles
	ClaimsToRoles []ClaimMapping `yaml:"claims_to_roles"`
}

OIDCConnector specifies configuration fo Open ID Connect compatible external identity provider, e.g. google in some organisation

func (*OIDCConnector) Parse

func (o *OIDCConnector) Parse() (services.OIDCConnector, error)

Parse parses config struct into services connector and checks if it's valid

type Proxy

type Proxy struct {
	Service  `yaml:",inline"`
	WebAddr  string `yaml:"web_listen_addr,omitempty"`
	TunAddr  string `yaml:"tunnel_listen_addr,omitempty"`
	KeyFile  string `yaml:"https_key_file,omitempty"`
	CertFile string `yaml:"https_cert_file,omitempty"`
}

Proxy is `proxy_service` section of the config file:

type ReverseTunnel

type ReverseTunnel struct {
	DomainName string   `yaml:"domain_name"`
	Addresses  []string `yaml:"addresses"`
}

ReverseTunnel is a SSH reverse tunnel mantained by one cluster's proxy to remote Teleport proxy

func (*ReverseTunnel) ConvertAndValidate

func (t *ReverseTunnel) ConvertAndValidate() (services.ReverseTunnel, error)

ConvertAndValidate returns validated services.ReverseTunnel or nil and error otherwize

type SSH

type SSH struct {
	Service   `yaml:",inline"`
	Namespace string            `yaml:"namespace,omitempty"`
	Labels    map[string]string `yaml:"labels,omitempty"`
	Commands  []CommandLabel    `yaml:"commands,omitempty"`
}

SSH is 'ssh_service' section of the config file

type Service

type Service struct {
	EnabledFlag   string `yaml:"enabled,omitempty"`
	ListenAddress string `yaml:"listen_addr,omitempty"`
}

Service is a common configuration of a teleport service

func (*Service) Configured

func (s *Service) Configured() bool

Configured determines if a given "_service" section has been specified

func (*Service) Disabled

func (s *Service) Disabled() bool

Disabled returns 'true' if the service has been deliverately turned off

func (*Service) Enabled

func (s *Service) Enabled() bool

Enabled determines if a given "_service" section has been set to 'true'

type StaticToken

type StaticToken string

func (StaticToken) Parse

func (t StaticToken) Parse() (roles teleport.Roles, token string, err error)

Parse() is applied to a string in "role,role,role:token" format. It breaks it apart into a slice of roles, token and optional error

type TrustedCluster

type TrustedCluster struct {
	// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys
	KeyFile string `yaml:"key_file,omitempty"`
	// AllowedLogins is a comma-separated list of user logins allowed from that cluster
	AllowedLogins string `yaml:"allow_logins,omitempty"`
	// TunnelAddr is a comma-separated list of reverse tunnel addressess to
	// connect to
	TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}

TrustedCluster struct holds configuration values under "trusted_clusters" key

type U2F added in v1.3.0

type U2F struct {
	EnabledFlag string   `yaml:"enabled"`
	AppID       string   `yaml:"app_id,omitempty"`
	Facets      []string `yaml:"facets,omitempty"`
}

func (*U2F) Parse added in v1.3.0

func (u *U2F) Parse() (*services.U2F, error)

Parse parses the values in 'u2f' configuration section of 'auth' and validates its content:

type YAMLMap

type YAMLMap map[interface{}]interface{}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL