Remote tctl execution. #2991

Merged
merged 2 commits into from
Sep 24, 2019

Collaborator

@r0mant r0mant commented Sep 16, 2019

This PR implements #1525 by adding the ability to use tctl remotely with the --auth-server and --identity flags.

To use it remotely, a user would first need to export identity locally on the auth server using the usual method:

auth$ tctl auth sign --user=admin --out=identity.pem

After that, the exported identity file can be used to invoke tctl from a remote node:

remote$ tctl status \
                --auth-server=192.168.99.102:3025 \
                --identity=identity.pem

remote$ tctl auth sign \
                --auth-server=192.168.99.102:3025 \
                --identity=identity.pem \
                --user=alice \
                --out=alice.pem

The --auth-server flag can be supplied multiple times.

Closes #1525.
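
The remote invocation from the PR description, wrapped as an added shell example that is not part of the PR or of Teleport: it refuses an identity file that group or other users can access and passes one --auth-server flag per address. The function name, the TCTL and AUTH_SERVERS variables, the exit codes and the permission policy are assumptions.

```shell
# Added example (not from the PR). Assumed names: remote_tctl, TCTL, AUTH_SERVERS.
# TCTL         binary to run (default: tctl); set TCTL=echo for a dry run.
# AUTH_SERVERS space-separated list of host:port auth server addresses.
#
# usage: remote_tctl IDENTITY_FILE SUBCOMMAND [ARGS...]
remote_tctl() {
    if [ "$#" -lt 2 ]; then
        echo "usage: remote_tctl IDENTITY_FILE SUBCOMMAND [ARGS...]" >&2
        return 1
    fi
    rt_identity=$1
    shift

    if [ ! -f "$rt_identity" ]; then
        echo "identity file not found: $rt_identity" >&2
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    # The exported identity is a credential, so anything but "------" is rejected.
    rt_perms=$(ls -ld -- "$rt_identity" | cut -c5-10)
    if [ "$rt_perms" != "------" ]; then
        echo "refusing $rt_identity: group/other access ($rt_perms)" >&2
        return 3
    fi

    if [ -z "${AUTH_SERVERS:-}" ]; then
        echo "AUTH_SERVERS is empty" >&2
        return 4
    fi

    # --auth-server can be supplied multiple times: one flag per address.
    for rt_addr in $AUTH_SERVERS; do
        set -- "$@" "--auth-server=$rt_addr"
    done

    "${TCTL:-tctl}" "$@" "--identity=$rt_identity"
}

# Example call, using the address shown in the PR description:
#   AUTH_SERVERS="192.168.99.102:3025" remote_tctl identity.pem status
```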

//
// If the "host auth callback" is not returned, user will be prompted to
// trust the proxy server.
func LoadIdentity(idFn string) (*client.Key, ssh.HostKeyCallback, error) {
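
Review bot: the doc comment above LoadIdentity describes the case where no host auth callback is returned only as an interactive prompt to trust the proxy server, which does not tell a non-interactive caller what to do. Since ssh.HostKeyCallback is effectively an optional return value here, the comment should state explicitly that it can be nil and that the caller is then responsible for its own host verification, so a reused call site does not end up connecting without a check.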
Collaborator Author

All this code just moved here from tsh.go so it could be reused.

@r0mant
Collaborator Author

r0mant commented Sep 16, 2019

retest this please

@klizhentas
Contributor

@fspmarshall added you as a reviewer

Contributor

@fspmarshall fspmarshall left a comment

Just to clarify, this is essentially an Enterprise-Only feature, yeah? Since OSS doesn't support roles for users.

@r0mant
Collaborator Author

r0mant commented Sep 17, 2019

@fspmarshall Technically, nothing prevents OSS users from exporting identity and using tctl remotely with it too, however what tctl will be able to actually do using this exported identity will be limited by whatever the default OSS "admin" role permits, yeah.

@klizhentas
Contributor

@r0mant I'm holding this off after 4.1 release though, this goes in 4.2 @benarent

@klizhentas klizhentas added this to the 4.2 "Alameda" milestone Sep 18, 2019
@klizhentas klizhentas merged commit 07b2508 into master Sep 24, 2019
@klizhentas klizhentas deleted the roman/tctl branch September 24, 2019 21:01
@galindro
galindro commented Oct 9, 2019

@klizhentas did you have an ETA to release this feat?

@benarent benarent mentioned this pull request Nov 9, 2019
6 tasks
benarent added a commit that referenced this pull request Dec 18, 2019
* Copy 4.1 -> 4.2 ( Documentation Base )
* 4.2 - Docs: Enhanced Session Recording (#3187)
* 4.2 - Docs:  GCP Backend Docs (#3191)
* 4.2 - Docs: Workflow Beta (#3155)
* CLI docs for remote tctl execution. #2991
* Expand logging into and set the default to disk.
* Fix any `milv` issues
Successfully merging this pull request may close these issues.

Expand/document remote tctl execution