Remote Site should check version of Auth server not Proxy server #12010

Closed
rosstimothy opened this issue Apr 15, 2022 · 0 comments · Fixed by #12130

When creating a remote site we check the version of the remote cluster to determine how to initialize the cache to account for different resources being emitted based on different versions. However, the check is only checking the version of the proxy and not auth. This can lead to issues if the auth server and proxy server in the remote cluster are not on the same version. In such a scenario it is possible that the remote site cache will indefinitely be unhealthy.

```go
func sendVersionRequest(ctx context.Context, sconn ssh.Conn) (string, error) {
	errorCh := make(chan error, 1)
	versionCh := make(chan string, 1)
	go func() {
		ok, payload, err := sconn.SendRequest(versionRequest, true, nil)
		if err != nil {
			errorCh <- err
			return
		}
		if !ok {
			errorCh <- trace.BadParameter("no response to %v request", versionRequest)
			return
		}
		versionCh <- string(payload)
	}()
	select {
	case ver := <-versionCh:
		return ver, nil
	case err := <-errorCh:
		return "", trace.Wrap(err)
	case <-time.After(defaults.WaitCopyTimeout):
		return "", trace.BadParameter("timeout waiting for version")
	case <-ctx.Done():
		return "", ctx.Err()
	}
}
```

rosstimothy added a commit that referenced this issue Apr 20, 2022
The cache policy used for a remote site is determined based on
the response from a version request. However the version response
was only returning the proxy version. If the remote site was not
running the same version for both auth and proxy, then the cache
policy chosen could be invalid.

The reverse tunnel agent now pings its auth server and reports
both the auth and proxy version in response to a version request.
To maintain backward compatibility the reverse tunnel server will
fall back to using the proxy version if the response does not
contain an auth version.

Fixes #12010
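
The selection logic the commit message above describes, as an added Go example that is not Teleport's code. The JSON reply shape, the function names, the major-version threshold and the policy names are assumptions made for illustration; the page does not show the real wire format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// versionReply is a hypothetical reply shape; the page does not show the wire format.
type versionReply struct {
	Proxy string `json:"proxy"`
	Auth  string `json:"auth,omitempty"`
}

// parseReply decodes the hypothetical JSON reply, else treats the payload as a bare proxy version.
func parseReply(payload []byte) versionReply {
	var r versionReply
	if err := json.Unmarshal(payload, &r); err != nil {
		return versionReply{Proxy: strings.TrimSpace(string(payload))}
	}
	return r
}

// policyVersion prefers the auth version and falls back to the proxy version.
func policyVersion(r versionReply) string {
	if r.Auth != "" {
		return r.Auth
	}
	return r.Proxy
}

// cachePolicy maps a major version to a policy name (threshold and names are constructed).
func cachePolicy(version string) (string, error) {
	major := strings.SplitN(strings.TrimPrefix(version, "v"), ".", 2)[0]
	n, err := strconv.Atoi(major)
	if err != nil {
		return "", fmt.Errorf("unparsable version %q: %w", version, err)
	}
	if n >= 9 {
		return "current-resources", nil
	}
	return "legacy-resources", nil
}

func main() {
	mixed := parseReply([]byte(`{"proxy":"9.1.0","auth":"8.3.7"}`)) // constructed reply
	fmt.Println(cachePolicy(policyVersion(mixed)))
}
```

With the constructed mixed-version reply, keying the policy on the proxy version alone would select the newer policy even though the auth server, which emits the resources, is a major version behind.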
rosstimothy added a commit that referenced this issue Apr 25, 2022
rosstimothy added a commit that referenced this issue Apr 26, 2022
* Create remote site cache based on remote auth version

The cache policy used for a remote site is determined based on
the response from a version request. However the version response
was only returning the proxy version. If the remote site was not
running the same version for both auth and proxy, then the cache
policy chosen could be invalid.

The reverse tunnel agent now pings its auth server and reports
the auth version in response to a version request.

Fixes #12010
rosstimothy added a commit that referenced this issue Apr 26, 2022
* Create remote site cache based on remote auth version

The cache policy used for a remote site is determined based on
the response from a version request. However the version response
was only returning the proxy version. If the remote site was not
running the same version for both auth and proxy, then the cache
policy chosen could be invalid.

The reverse tunnel agent now pings its auth server and reports
the auth version in response to a version request.

Fixes #12010

(cherry picked from commit 4f2ad1f)

# Conflicts:
#	lib/reversetunnel/srv.go
rosstimothy added a commit that referenced this issue Apr 26, 2022
* Create remote site cache based on remote auth version

The cache policy used for a remote site is determined based on
the response from a version request. However the version response
was only returning the proxy version. If the remote site was not
running the same version for both auth and proxy, then the cache
policy chosen could be invalid.

The reverse tunnel agent now pings its auth server and reports
the auth version in response to a version request.

Fixes #12010

(cherry picked from commit 4f2ad1f)
rosstimothy added a commit that referenced this issue Apr 26, 2022
rosstimothy added a commit that referenced this issue Apr 27, 2022
rosstimothy added a commit that referenced this issue Apr 27, 2022
rosstimothy added a commit that referenced this issue Apr 28, 2022