
[v7] backport #10741 (leaf cluster CA sanitizing) #10744

Merged
r0mant merged 8 commits into branch/v7 from espadolini/v7-remotecluster-ca-sanitize on Mar 2, 2022

@espadolini commented Mar 2, 2022

Backport of #10741 and #10020.

As a major version n node can connect to any major version n+1 auth, for versions 7 and below (not 8, because v9 will support CA filtering since 9.0.0) we rely entirely on the server-side filter injection for CA filtering.

This also fixes an issue introduced in #10226 when backporting #9822 down to v6, as in v7 and v6 there's still an if/else if/else chain in events.FromOneOf that was removed in v8 and above.

@espadolini added the security, trusted-cluster, tctl and backport labels Mar 2, 2022
@espadolini requested review from r0mant and zmb3 March 2, 2022 17:33
@github-actions (bot) requested review from ravicious and timothyb89 March 2, 2022 17:33
Clients before 9 shouldn't ask for filtered CA watches as the
server side might be of a higher major version but not support
them; we rely entirely on the backwards compatibility filter
injection in that case.
@espadolini added the audit-log label Mar 2, 2022
@r0mant enabled auto-merge (squash) March 2, 2022 18:12
@r0mant merged commit e570842 into branch/v7 Mar 2, 2022
@r0mant deleted the espadolini/v7-remotecluster-ca-sanitize branch March 2, 2022 18:23
@espadolini restored the espadolini/v7-remotecluster-ca-sanitize branch June 29, 2022 07:17
@espadolini deleted the espadolini/v7-remotecluster-ca-sanitize branch July 6, 2022 10:16