Documentation ¶
Overview ¶
Gravitational Teleport is a modern SSH server for remotely accessing clusters of Linux servers via SSH or HTTPS. It is intended to be used instead of sshd.
Teleport enables teams to easily adopt the best SSH practices like:
- No need to distribute keys: Teleport uses certificate-based access with automatic expiration time.
- Enforcement of 2nd factor authentication.
- Cluster introspection: every Teleport node becomes a part of a cluster and is visible on the Web UI.
- Record and replay SSH sessions for knowledge sharing and auditing purposes.
- Collaboratively troubleshoot issues through session sharing.
- Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
- Ability to integrate SSH credentials with your organization identities via OAuth (Google Apps, Github).
- Keep the full audit log of all SSH sessions within a cluster.
Teleport web site:
https://gravitational.com/teleport/
Teleport on Github:
https://github.com/gravitational/teleport
Index ¶
Constants ¶
const ( // SSHAuthSock is the environment variable pointing to the // Unix socket the SSH agent is running on. SSHAuthSock = "SSH_AUTH_SOCK" // SSHAgentPID is the environment variable pointing to the agent // process ID SSHAgentPID = "SSH_AGENT_PID" // SSHTeleportUser is the current Teleport user that is logged in. SSHTeleportUser = "SSH_TELEPORT_USER" // SSHSessionWebproxyAddr is the address the web proxy. SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR" // SSHTeleportClusterName is the name of the cluster this node belongs to. SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME" // SSHTeleportHostUUID is the UUID of the host. SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID" // SSHSessionID is the UUID of the current session. SSHSessionID = "SSH_SESSION_ID" )
const ( // HTTPSProxy is an environment variable pointing to a HTTPS proxy. HTTPSProxy = "HTTPS_PROXY" // HTTPProxy is an environment variable pointing to a HTTP proxy. HTTPProxy = "HTTP_PROXY" // NoProxy is an environment variable matching the cases // when HTTPS_PROXY or HTTP_PROXY is ignored NoProxy = "NO_PROXY" )
const ( // TOTPValidityPeriod is the number of seconds a TOTP token is valid. TOTPValidityPeriod uint = 30 // TOTPSkew adds that many periods before and after to the validity window. TOTPSkew uint = 1 )
const ( // ComponentMemory is a memory backend ComponentMemory = "memory" // ComponentAuthority is a TLS and an SSH certificate authority ComponentAuthority = "ca" // ComponentProcess is a main control process ComponentProcess = "proc" // ComponentServer is a server subcomponent of some services ComponentServer = "server" // ComponentReverseTunnelServer is reverse tunnel server // that together with agent establish a bi-directional SSH revers tunnel // to bypass firewall restrictions ComponentReverseTunnelServer = "proxy:server" // ComponentReverseTunnelAgent is reverse tunnel agent // that together with server establish a bi-directional SSH revers tunnel // to bypass firewall restrictions ComponentReverseTunnelAgent = "proxy:agent" // ComponentLabel is a component label name used in reporting ComponentLabel = "component" // ComponentKube is a kubernetes proxy ComponentKube = "proxy:kube" // ComponentAuth is the cluster CA node (auth server API) ComponentAuth = "auth" // ComponentGRPC is grpc server ComponentGRPC = "grpc" // ComponentMigrate is responsible for data migrations ComponentMigrate = "migrate" // ComponentNode is SSH node (SSH server serving requests) ComponentNode = "node" // ComponentForwardingNode is SSH node (SSH server serving requests) ComponentForwardingNode = "node:forward" // ComponentProxy is SSH proxy (SSH server forwarding connections) ComponentProxy = "proxy" // ComponentDiagnostic is a diagnostic service ComponentDiagnostic = "diag" // ComponentClient is a client ComponentClient = "client" // ComponentTunClient is a tunnel client ComponentTunClient = "client:tunnel" // ComponentCache is a cache component ComponentCache = "cache" // ComponentBackend is a backend component ComponentBackend = "backend" // ComponentCachingClient is a caching auth client ComponentCachingClient = "client:cache" // ComponentSubsystemProxy is the proxy subsystem. ComponentSubsystemProxy = "subsystem:proxy" // ComponentLocalTerm is a terminal on a regular SSH node. ComponentLocalTerm = "term:local" // ComponentRemoteTerm is a terminal on a forwarding SSH node. ComponentRemoteTerm = "term:remote" // ComponentRemoteSubsystem is subsystem on a forwarding SSH node. ComponentRemoteSubsystem = "subsystem:remote" // ComponentAuditLog is audit log component ComponentAuditLog = "audit" // ComponentKeyAgent is an agent that has loaded the sessions keys and // certificates for a user connected to a proxy. ComponentKeyAgent = "keyagent" // ComponentKeyStore is all sessions keys and certificates a user has on disk // for all proxies. ComponentKeyStore = "keystore" // ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection. ComponentConnectProxy = "http:proxy" // ComponentSOCKS is a SOCKS5 proxy. ComponentSOCKS = "socks" // ComponentKeyGen is the public/private keypair generator. ComponentKeyGen = "keygen" // ComponentFirestore represents firestore clients ComponentFirestore = "firestore" // ComponentSession is an active session. ComponentSession = "session" // ComponentDynamoDB represents dynamodb clients ComponentDynamoDB = "dynamodb" // Component pluggable authentication module (PAM) ComponentPAM = "pam" // ComponentUpload is a session recording upload server ComponentUpload = "upload" // ComponentWeb is a web server ComponentWeb = "web" // ComponentWebsocket is websocket server that the web client connects to. ComponentWebsocket = "websocket" // ComponentRBAC is role-based access control. ComponentRBAC = "rbac" // ComponentKeepAlive is keep-alive messages sent from clients to servers // and vice versa. ComponentKeepAlive = "keepalive" // ComponentTSH is the "tsh" binary. ComponentTSH = "tsh" // ComponentKubeClient is the Kubernetes client. ComponentKubeClient = "client:kube" // ComponentBuffer is in-memory event circular buffer // used to broadcast events to subscribers. ComponentBuffer = "buffer" // ComponentBPF is the eBPF packagae. ComponentBPF = "bpf" // ComponentCgroup is the cgroup package. ComponentCgroup = "cgroups" // DebugEnvVar tells tests to use verbose debug output DebugEnvVar = "DEBUG" // VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level) VerboseLogsEnvVar = "TELEPORT_DEBUG" // IterationsEnvVar sets tests iterations to run IterationsEnvVar = "ITERATIONS" // DefaultTerminalWidth defines the default width of a server-side allocated // pseudo TTY DefaultTerminalWidth = 80 // DefaultTerminalHeight defines the default height of a server-side allocated // pseudo TTY DefaultTerminalHeight = 25 // SafeTerminalType is the fall-back TTY type to fall back to (when $TERM // is not defined) SafeTerminalType = "xterm" // ConnectorOIDC means connector type OIDC ConnectorOIDC = "oidc" // ConnectorSAML means connector type SAML ConnectorSAML = "saml" // ConnectorGithub means connector type Github ConnectorGithub = "github" // DataDirParameterName is the name of the data dir configuration parameter passed // to all backends during initialization DataDirParameterName = "data_dir" // SSH request type to keep the connection alive. A client and a server keep // pining each other with it: KeepAliveReqType = "keepalive@openssh.com" // RecordingProxyReqType is the name of a global request which returns if // the proxy is recording sessions or not. RecordingProxyReqType = "recording-proxy@teleport.com" // OTP means One-time Password Algorithm for Two-Factor Authentication. OTP = "otp" // TOTP means Time-based One-time Password Algorithm. for Two-Factor Authentication. TOTP = "totp" // HOTP means HMAC-based One-time Password Algorithm.for Two-Factor Authentication. HOTP = "hotp" // U2F means Universal 2nd Factor.for Two-Factor Authentication. U2F = "u2f" // OFF means no second factor.for Two-Factor Authentication. OFF = "off" // Local means authentication will happen locally within the Teleport cluster. Local = "local" // OIDC means authentication will happen remotely using an OIDC connector. OIDC = ConnectorOIDC // SAML means authentication will happen remotely using a SAML connector. SAML = ConnectorSAML // Github means authentication will happen remotely using a Github connector. Github = ConnectorGithub // JSON means JSON serialization format JSON = "json" // YAML means YAML serialization format YAML = "yaml" // Text means text serialization format Text = "text" // LinuxAdminGID is the ID of the standard adm group on linux LinuxAdminGID = 4 // LinuxOS is the GOOS constant used for Linux. LinuxOS = "linux" // WindowsOS is the GOOS constant used for Microsoft Windows. WindowsOS = "windows" // DarwinOS is the GOOS constant for Apple macOS/darwin. DarwinOS = "darwin" // by the owner and group DirMaskSharedGroup = 0770 // FileMaskOwnerOnly is the file mask that allows read write access // to owers only FileMaskOwnerOnly = 0600 // On means mode is on On = "on" // Off means mode is off Off = "off" // SchemeS3 is S3 file scheme, means upload or download to S3 like object // storage SchemeS3 = "s3" // SchemeGCS is GCS file scheme, means upload or download to GCS like object // storage SchemeGCS = "gs" // Region is AWS region parameter Region = "region" // Endpoint is an optional Host for non-AWS S3 Endpoint = "endpoint" // Insecure is an optional switch to use HTTP instead of HTTPS Insecure = "insecure" // DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it DisableServerSideEncryption = "disablesse" // SchemeFile is a local disk file storage SchemeFile = "file" // SchemeStdout outputs audit log entries to stdout SchemeStdout = "stdout" // LogsDir is a log subdirectory for events and logs LogsDir = "log" // Syslog is a mode for syslog logging Syslog = "syslog" // HumanDateFormat is a human readable date formatting HumanDateFormat = "Jan _2 15:04 UTC" // HumanDateFormatSeconds is a human readable date formatting with seconds HumanDateFormatSeconds = "Jan _2 15:04:05 UTC" // HumanDateFormatMilli is a human readable date formatting with milliseconds HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC" // DebugLevel is a debug logging level name DebugLevel = "debug" )
const ( // OIDCPromptSelectAccount instructs the Authorization Server to // prompt the End-User to select a user account. OIDCPromptSelectAccount = "select_account" // OIDCAccessTypeOnline indicates that OIDC flow should be performed // with Authorization server and user connected online OIDCAccessTypeOnline = "online" )
const ( // AuthorizedKeys are public keys that check against User CAs. AuthorizedKeys = "authorized_keys" // KnownHosts are public keys that check against Host CAs. KnownHosts = "known_hosts" )
const ( // CertExtensionPermitX11Forwarding allows X11 forwarding for certificate CertExtensionPermitX11Forwarding = "permit-X11-forwarding" // CertExtensionPermitAgentForwarding allows agent forwarding for certificate CertExtensionPermitAgentForwarding = "permit-agent-forwarding" // CertExtensionPermitPTY allows user to request PTY CertExtensionPermitPTY = "permit-pty" // CertExtensionPermitPortForwarding allows user to request port forwarding CertExtensionPermitPortForwarding = "permit-port-forwarding" // CertExtensionTeleportRoles is used to propagate teleport roles CertExtensionTeleportRoles = "teleport-roles" // CertExtensionTeleportRouteToCluster is used to encode // the target cluster to route to in the certificate CertExtensionTeleportRouteToCluster = "teleport-route-to-cluster" // CertExtensionTeleportTraits is used to propagate traits about the user. CertExtensionTeleportTraits = "teleport-traits" // CertExtensionTeleportActiveRequests is used to track which privilege // escalation requests were used to construct the certificate. CertExtensionTeleportActiveRequests = "teleport-active-requests" )
const ( // NetIQ is an identity provider. NetIQ = "netiq" // ADFS is Microsoft Active Directory Federation Services ADFS = "adfs" )
const ( // RemoteCommandSuccess is returned when a command has successfully executed. RemoteCommandSuccess = 0 // RemoteCommandFailure is returned when a command has failed to execute and // we don't have another status code for it. RemoteCommandFailure = 255 )
const ( // CertificateFormatOldSSH is used to make Teleport interoperate with older // versions of OpenSSH. CertificateFormatOldSSH = "oldssh" // CertificateFormatStandard is used for normal Teleport operation without any // compatibility modes. CertificateFormatStandard = "standard" // CertificateFormatUnspecified is used to check if the format was specified // or not. CertificateFormatUnspecified = "" // DurationNever is human friendly shortcut that is interpreted as a Duration of 0 DurationNever = "never" )
const ( // TraitInternalPrefix is the role variable prefix that indicates it's for // local accounts. TraitInternalPrefix = "internal" // TraitLogins is the name the role variable used to store // allowed logins. TraitLogins = "logins" // TraitKubeGroups is the name the role variable used to store // allowed kubernetes groups TraitKubeGroups = "kubernetes_groups" // TraitKubeUsers is the name the role variable used to store // allowed kubernetes users TraitKubeUsers = "kubernetes_users" // TraitInternalLoginsVariable is the variable used to store allowed // logins for local accounts. TraitInternalLoginsVariable = "{{internal.logins}}" // TraitInternalKubeGroupsVariable is the variable used to store allowed // kubernetes groups for local accounts. TraitInternalKubeGroupsVariable = "{{internal.kubernetes_groups}}" // TraitInternalKubeUsersVariable is the variable used to store allowed // kubernetes users for local accounts. TraitInternalKubeUsersVariable = "{{internal.kubernetes_users}}" )
const ( // GSuiteIssuerURL is issuer URL used for GSuite provider GSuiteIssuerURL = "https://accounts.google.com" // GSuiteGroupsEndpoint is gsuite API endpoint GSuiteGroupsEndpoint = "https://www.googleapis.com/admin/directory/v1/groups" // GSuiteGroupsScope is a scope to get access to admin groups API GSuiteGroupsScope = "https://www.googleapis.com/auth/admin.directory.group.readonly" // GSuiteDomainClaim is the domain name claim for GSuite GSuiteDomainClaim = "hd" )
const ( // RemoteClusterStatusOffline indicates that cluster is considered as // offline, since it has missed a series of heartbeats RemoteClusterStatusOffline = "offline" // RemoteClusterStatusOnline indicates that cluster is sending heartbeats // at expected interval RemoteClusterStatusOnline = "online" )
const ( // PrivateDirMode is a mode for private directories PrivateDirMode = 0700 )SharedDirMode = 0750
const ( // SessionEvent is sent by servers to clients when an audit event occurs on // the session. SessionEvent = "x-teleport-event" // VersionRequest is sent by clients to server requesting the Teleport // version they are running. VersionRequest = "x-teleport-version" )
const ( // EnvKubeConfig is environment variable for kubeconfig EnvKubeConfig = "KUBECONFIG" // KubeConfigDir is a default directory where k8s stores its user local config KubeConfigDir = ".kube" // KubeConfigFile is a default filename where k8s stores its user local config KubeConfigFile = "config" // EnvHome is home environment variable EnvHome = "HOME" // EnvUserProfile is the home directory environment variable on Windows. EnvUserProfile = "USERPROFILE" // KubeCAPath is a hardcode of mounted CA inside every pod of K8s KubeCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" // KubeKindCSR is a certificate signing requests KubeKindCSR = "CertificateSigningRequest" // KubeKindPod is a kubernetes pod KubeKindPod = "Pod" // KubeMetadataNameSelector is a selector for name metadata in API requests KubeMetadataNameSelector = "metadata.name" // KubeMetadataLabelSelector is a selector for label KubeMetadataLabelSelector = "metadata.label" // KubeRunTests turns on kubernetes tests KubeRunTests = "TEST_KUBE" // KubeSystemMasters is a name of the builtin kubernets group for master nodes KubeSystemMasters = "system:masters" // KubeSystemAuthenticated is a builtin group that allows // any user to access common API methods, e.g. discovery methods // required for initial client usage KubeSystemAuthenticated = "system:authenticated" // UsageKubeOnly specifies certificate usage metadata // that limits certificate to be only used for kubernetes proxying UsageKubeOnly = "usage:kube" )
const ( // UseOfClosedNetworkConnection is a special string some parts of // go standard lib are using that is the only way to identify some errors UseOfClosedNetworkConnection = "use of closed network connection" // NodeIsAmbiguous serves as an identifying error string indicating that // the proxy subsystem found multiple nodes matching the specified hostname. NodeIsAmbiguous = "err-node-is-ambiguous" )
const ( // OpenBrowserLinux is the command used to open a web browser on Linux. OpenBrowserLinux = "xdg-open" // OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin. OpenBrowserDarwin = "open" // OpenBrowserWindows is the command used to open a web browser on Windows. OpenBrowserWindows = "rundll32.exe" // BrowserNone is the string used to suppress the opening of a browser in // response to 'tsh login' commands. BrowserNone = "none" )
const ( // EnhancedRecordingMinKernel is the minimum kernel version for the enhanced // recording feature. EnhancedRecordingMinKernel = "4.18.0" // EnhancedRecordingCommand is a role option that implies command events are // captured. EnhancedRecordingCommand = "command" // EnhancedRecordingDisk is a role option that implies disk events are captured. EnhancedRecordingDisk = "disk" // EnhancedRecordingNetwork is a role option that implies network events // are captured. EnhancedRecordingNetwork = "network" )
const ( // ExecSubCommand is the sub-command Teleport uses to re-exec itself for // command execution (exec and shells). ExecSubCommand = "exec" // ForwardSubCommand is the sub-command Teleport uses to re-exec itself // for port forwarding. ForwardSubCommand = "forward" )
const ( // ChanDirectTCPIP is a SSH channel of type "direct-tcpip". ChanDirectTCPIP = "direct-tcpip" // ChanSession is a SSH channel of type "session". ChanSession = "session" )
const ( // MetricGenerateRequests counts how many generate server keys requests // are issued over time MetricGenerateRequests = "auth_generate_requests_total" // MetricGenerateRequestsThrottled measures how many generate requests // are throttled MetricGenerateRequestsThrottled = "auth_generate_requests_throttled_total" // MetricGenerateRequestsCurrent measures current in-flight requests MetricGenerateRequestsCurrent = "auth_generate_requests" // MetricGenerateRequestsHistogram measures generate requests latency MetricGenerateRequestsHistogram = "auth_generate_seconds" // MetricServerInteractiveSessions measures interactive sessions in flight MetricServerInteractiveSessions = "server_interactive_sessions_total" // MetricRemoteClusters measures connected remote clusters MetricRemoteClusters = "remote_clusters" // TagCluster is a metric tag for a cluster TagCluster = "cluster" )
const ( // MetricProcessCPUSecondsTotal measures CPU seconds consumed by process MetricProcessCPUSecondsTotal = "process_cpu_seconds_total" // MetricProcessMaxFDs shows maximum amount of file descriptors allowed for the process MetricProcessMaxFDs = "process_max_fds" // MetricProcessOpenFDs shows process open file descriptors MetricProcessOpenFDs = "process_open_fds" // MetricProcessResidentMemoryBytes measures bytes consumed by process resident memory MetricProcessResidentMemoryBytes = "process_resident_memory_bytes" // MetricProcessStartTimeSeconds measures process start time MetricProcessStartTimeSeconds = "process_start_time_seconds" )
const ( // MetricGoThreads is amount of system threads used by Go runtime MetricGoThreads = "go_threads" // MetricGoGoroutines measures current number of goroutines MetricGoGoroutines = "go_goroutines" // MetricGoInfo provides information about Go runtime version MetricGoInfo = "go_info" // MetricGoAllocBytes measures allocated memory bytes MetricGoAllocBytes = "go_memstats_alloc_bytes" // MetricGoHeapAllocBytes measures heap bytes allocated by Go runtime MetricGoHeapAllocBytes = "go_memstats_heap_alloc_bytes" // MetricGoHeapObjects measures count of heap objects created by Go runtime MetricGoHeapObjects = "go_memstats_heap_objects" )
const ( // MetricBackendWatchers is a metric with backend watchers MetricBackendWatchers = "backend_watchers_total" // MetricBackendWatcherQueues is a metric with backend watcher queues sizes MetricBackendWatcherQueues = "backend_watcher_queues_total" // MetricBackendRequests measures count of backend requests MetricBackendRequests = "backend_requests" // MetricBackendReadHistogram measures histogram of backend read latencies MetricBackendReadHistogram = "backend_read_seconds" // MetricBackendWriteHistogram measures histogram of backend write latencies MetricBackendWriteHistogram = "backend_write_seconds" // MetricBackendBatchWriteHistogram measures histogram of backend batch write latencies MetricBackendBatchWriteHistogram = "backend_batch_write_seconds" // MetricBackendBatchReadHistogram measures histogram of backend batch read latencies MetricBackendBatchReadHistogram = "backend_batch_read_seconds" // MetricBackendWriteRequests measures backend write requests count MetricBackendWriteRequests = "backend_write_requests_total" // MetricBackendWriteFailedRequests measures failed backend write requests count MetricBackendWriteFailedRequests = "backend_write_requests_failed_total" // MetricBackendBatchWriteRequests measures batch backend writes count MetricBackendBatchWriteRequests = "backend_batch_write_requests_total" // MetricBackendBatchFailedWriteRequests measures failed batch backend requests count MetricBackendBatchFailedWriteRequests = "backend_batch_write_requests_failed_total" // MetricBackendReadRequests measures backend read requests count MetricBackendReadRequests = "backend_read_requests_total" // MetricBackendFailedReadRequests measures failed backend read requests count MetricBackendFailedReadRequests = "backend_read_requests_failed_total" // MetricBackendBatchReadRequests measures batch backend read requests count MetricBackendBatchReadRequests = "backend_batch_read_requests_total" // MetricBackendBatchFailedReadRequests measures failed backend batch read requests count MetricBackendBatchFailedReadRequests = "backend_batch_read_requests_failed_total" // MetricLostCommandEvents measures the number of command events that were lost MetricLostCommandEvents = "bpf_lost_command_events" // MetricLostDiskEvents measures the number of disk events that were lost. MetricLostDiskEvents = "bpf_lost_disk_events" // MetricLostNetworkEvents measures the number of network events that were lost. MetricLostNetworkEvents = "bpf_lost_network_events" // MetricState tracks the state of the teleport process. MetricState = "process_state" // TagRange is a tag specifying backend requests TagRange = "range" // TagReq is a tag specifying backend request type TagReq = "req" // TagTrue is a tag value to mark true values TagTrue = "true" // TagFalse is a tag value to mark false values TagFalse = "false" )
const APIDomain = "teleport.cluster.local"
APIDomain is a default domain name for Auth server API
const AdminRoleName = "admin"
DefaultRole is the name of the default admin role for all local users if another role is not explicitly assigned (Enterprise only).
const DefaultImplicitRole = "default-implicit-role"
DefaultImplicitRole is implicit role that gets added to all service.RoleSet objects.
const ForeverTTL time.Duration = 0
ForeverTTL means that object TTL will not expire unless deleted
const MaxEnvironmentFileLines = 1000
MaxEnvironmentFileLines is the maximum number of lines in a environment file.
const MaxResourceSize = 1000000
MaxResourceSize is the maximum size (in bytes) of a serialized resource. This limit is typically only enforced against resources that are likely to arbitrarily grow (e.g. PluginData).
const MinClientVersion = "3.0.0"
MinClientVersion is the minimum client version required by the server.
const RSAKeySize = 2048
RSAKeySize is the size of the RSA key.
const Root = "root"
Root is *nix system administrator account name.
const SCP = "scp"
SCP is Secure Copy.
const UserSystem = "system"
UserSystem defines a user as system.
const (
Version = "4.3.7"
)
const WebAPIVersion = "v1"
WebAPIVersion is a current webapi version
Variables ¶
var Gitref string
Gitref variable is automatically set to the output of git-describe during the build process
Functions ¶
Types ¶
type Principal ¶
type Principal string
A principal name for use in SSH certificates.
const ( // The localhost domain, for talking to a proxy or node on the same // machine. PrincipalLocalhost Principal = "localhost" // The IPv4 loopback address, for talking to a proxy or node on the same // machine. PrincipalLoopbackV4 Principal = "127.0.0.1" // The IPv6 loopback address, for talking to a proxy or node on the same // machine. PrincipalLoopbackV6 Principal = "::1" )
type Role ¶ added in v1.0.0
type Role string
Role identifies the role of an SSH connection. Unlike "user roles" introduced as part of RBAC in Teleport 1.4+ these are built-in roles used for different Teleport components when connecting to each other.
const ( // RoleAuth is for teleport auth server (authority, authentication and authorization) RoleAuth Role = "Auth" // RoleWeb is for web access users RoleWeb Role = "Web" // RoleNode is a role for SSH node in the cluster RoleNode Role = "Node" // RoleProxy is a role for SSH proxy in the cluster RoleProxy Role = "Proxy" // RoleAdmin is admin role RoleAdmin Role = "Admin" // RoleProvisionToken is a role for nodes authenticated using provisioning tokens RoleProvisionToken Role = "ProvisionToken" // RoleTrustedCluster is a role needed for tokens used to add trusted clusters. RoleTrustedCluster Role = "Trusted_cluster" // RoleSignup is for first time signing up users RoleSignup Role = "Signup" // RoleNop is used for actions that already using external authz mechanisms // e.g. tokens or passwords RoleNop Role = "Nop" // RoleRemoteProxy is a role for remote SSH proxy in the cluster RoleRemoteProxy Role = "RemoteProxy" )
const LegacyClusterTokenType Role = "Trustedcluster"
this constant exists for backwards compatibility reasons, needed to upgrade to 2.3
func (*Role) Check ¶ added in v1.0.0
Check checks if this a a valid role value, returns nil if it's ok, false otherwise
type Roles ¶ added in v1.0.0
type Roles []Role
func ParseRoles ¶ added in v1.0.0
ParseRoles takes a comma-separated list of roles and returns a slice of roles, or an error if parsing failed
func (Roles) Check ¶ added in v1.0.0
Check returns an error if the role set is incorrect (contains unknown roles)
func (Roles) Include ¶ added in v1.0.0
Includes returns 'true' if a given list of roles includes a given role
func (Roles) StringSlice ¶
Slice returns roles as string slice
Directories ¶
Path | Synopsis |
---|---|
api
module
|
|
build.assets
|
|
tooling
Module
|
|
examples
|
|
integration package tests Teleport on a high level creating clusters of servers in memory, connecting them together and connecting to them
|
integration package tests Teleport on a high level creating clusters of servers in memory, connecting them together and connecting to them |
integrations
|
|
kube-agent-updater
Module
|
|
terraform
Module
|
|
asciitable
Package asciitable implements a simple ASCII table formatter for printing tabular values into a text terminal.
|
Package asciitable implements a simple ASCII table formatter for printing tabular values into a text terminal. |
auth
Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper
|
Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper |
auth/test
package test contains CA authority acceptance test suite.
|
package test contains CA authority acceptance test suite. |
backend
Package backend provides storage backend abstraction layer backend package allows for pluggable back-ends for secrets storage.
|
Package backend provides storage backend abstraction layer backend package allows for pluggable back-ends for secrets storage. |
backend/dynamo
Package dynamodbDynamoDBBackend implements DynamoDB storage backend for Teleport auth service, similar to etcd backend.
|
Package dynamodbDynamoDBBackend implements DynamoDB storage backend for Teleport auth service, similar to etcd backend. |
backend/etcdbk
Package etcdbk implements Etcd powered backend
|
Package etcdbk implements Etcd powered backend |
backend/firestore
Package firestoreFirestoreBackend implements Firestore storage backend for Teleport auth service, similar to DynamoDB backend.
|
Package firestoreFirestoreBackend implements Firestore storage backend for Teleport auth service, similar to DynamoDB backend. |
backend/lite
Package lite implements SQLite backend used for local persistent caches in proxies and nodes and for standalone auth service deployments.
|
Package lite implements SQLite backend used for local persistent caches in proxies and nodes and for standalone auth service deployments. |
backend/memory
Package memory implements backend interface using a combination of Minheap (to store expiring items) and B-Tree for storing sorted dictionary of items.
|
Package memory implements backend interface using a combination of Minheap (to store expiring items) and B-Tree for storing sorted dictionary of items. |
backend/test
Package test contains a backend acceptance test suite that is backend implementation independent each backend will use the suite to test itself
|
Package test contains a backend acceptance test suite that is backend implementation independent each backend will use the suite to test itself |
cache
Package cache implements event-driven cache layer that is used by auth servers, proxies and nodes.
|
Package cache implements event-driven cache layer that is used by auth servers, proxies and nodes. |
client/escape
Package escape implements client-side escape character logic.
|
Package escape implements client-side escape character logic. |
client/identityfile
Package identityfile handles formatting and parsing of identity files.
|
Package identityfile handles formatting and parsing of identity files. |
config
Package 'config' provides facilities for configuring Teleport daemons including - parsing YAML configuration - parsing CLI flags
|
Package 'config' provides facilities for configuring Teleport daemons including - parsing YAML configuration - parsing CLI flags |
defaults
Package defaults contains default constants set in various parts of teleport codebase
|
Package defaults contains default constants set in various parts of teleport codebase |
events
Package events implements the audit log interface events.IAuditLog using filesystem backend.
|
Package events implements the audit log interface events.IAuditLog using filesystem backend. |
events/firestoreevents
Package firestoreeventsLog implements Firestore storage backend for Teleport event storage.
|
Package firestoreeventsLog implements Firestore storage backend for Teleport event storage. |
events/gcssessions
Package gcssessionsHandler implements GCS storage for Teleport session recording persistence.
|
Package gcssessionsHandler implements GCS storage for Teleport session recording persistence. |
httplib
Package httplib implements common utility functions for writing classic HTTP handlers Package httplib implements common utility functions for writing classic HTTP handlers
|
Package httplib implements common utility functions for writing classic HTTP handlers Package httplib implements common utility functions for writing classic HTTP handlers |
kube
Package kube contains subpackages with utility functions and proxies to intercept and authenticate Kubernetes API traffic
|
Package kube contains subpackages with utility functions and proxies to intercept and authenticate Kubernetes API traffic |
kube/kubeconfig
Package kubeconfig manages teleport entries in a local kubeconfig file.
|
Package kubeconfig manages teleport entries in a local kubeconfig file. |
limiter
Package limiter implements connection and rate limiters for teleport
|
Package limiter implements connection and rate limiters for teleport |
modules
package modules allows external packages override certain behavioral aspects of teleport
|
package modules allows external packages override certain behavioral aspects of teleport |
multiplexer
Package multiplexer implements SSH and TLS multiplexing on the same listener mux, _ := multiplexer.New(Config{Listener: listener}) mux.SSH() // returns listener getting SSH connections mux.TLS() // returns listener getting TLS connections
|
Package multiplexer implements SSH and TLS multiplexing on the same listener mux, _ := multiplexer.New(Config{Listener: listener}) mux.SSH() // returns listener getting SSH connections mux.TLS() // returns listener getting TLS connections |
pam
Package pam implements a subset of Pluggable Authentication Modules (PAM).
|
Package pam implements a subset of Pluggable Authentication Modules (PAM). |
reversetunnel
Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.
|
Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel. |
reversetunnel/track
Package track provides a simple interface for tracking known proxies by endpoint/name and correctly handling expiration and exclusivity.
|
Package track provides a simple interface for tracking known proxies by endpoint/name and correctly handling expiration and exclusivity. |
secret
Package secret implements a authenticated encryption with associated data (AEAD) cipher to be used when symmetric is required in Teleport.
|
Package secret implements a authenticated encryption with associated data (AEAD) cipher to be used when symmetric is required in Teleport. |
service
Package service implements teleport running service, takes care of initialization, cleanup and shutdown procedures
|
Package service implements teleport running service, takes care of initialization, cleanup and shutdown procedures |
services
Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.
|
Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs. |
services/local
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
|
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd |
session
Package session is used for bookeeping of SSH interactive sessions that happen in realtime across the teleport cluster
|
Package session is used for bookeeping of SSH interactive sessions that happen in realtime across the teleport cluster |
srv/regular
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth
|
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth |
sshca
Package sshca specifies interfaces for SSH certificate authorities
|
Package sshca specifies interfaces for SSH certificate authorities |
sshutils
Package sshutils contains contains the implementations of the base SSH server used throughout Teleport.
|
Package sshutils contains contains the implementations of the base SSH server used throughout Teleport. |
sshutils/scp
Package scp handles file uploads and downloads via scp command
|
Package scp handles file uploads and downloads via scp command |
tlsca
Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients
|
Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients |
utils/socks
package socks implements a SOCKS5 handshake.
|
package socks implements a SOCKS5 handshake. |
utils/workpool
Package workpool provies the `Pool` type which functions as a means of managing the number of concurrent workers, grouped by key.
|
Package workpool provies the `Pool` type which functions as a means of managing the number of concurrent workers, grouped by key. |
web
Package web implements web proxy handler that provides web interface to view and connect to teleport nodes
|
Package web implements web proxy handler that provides web interface to view and connect to teleport nodes |
tool
|
|