Make session control logic reusable#18565
Merged
rosstimothy merged 2 commits intomasterfrom Nov 21, 2022
Merged
Conversation
rosstimothy
force-pushed
the
tross/reusable_session_control
branch
3 times, most recently
from
5d66fe4 to
c90d24e
Compare
Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
rosstimothy
force-pushed
the
tross/reusable_session_control
branch
from
c90d24e to
6552a10
Compare
nklaassen
approved these changes
Nov 18, 2022
Contributor
Author
|
friendly ping @alistanis |
alistanis
approved these changes
Nov 21, 2022
rosstimothy
added a commit
that referenced
this pull request
Nov 28, 2022
Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
rosstimothy
added a commit
that referenced
this pull request
Nov 28, 2022
* Make session control logic reusable (#18565) Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control. * Improve web ui ssh performance (#18656) Reduces latency creating ssh sessions via the web ui by: 1) No longer uses `TeleportClient.SSH` to establish a session 2) Reuses the user auth client for the web session to perform MFA ceremony 3) Ensures that connection attempts follow the flow outlined in RFD 93 The web api server now leverages the `proxy.Router` and `srv.SessionController` directly, instead of doing so indirectly via `TeleportClient.SSH`. Using the `TeleportClient` required an ssh connection to be established from the web api server to the proxy ssh server, which are in the same process. This added overhead can be avoided now that the routing logic and session control logic exists in a reusable component. To create an interactive session on the node once the connection is established, `client.NodeClient` is used. A new constructor was added to facilitate creating one and remove duplicated creation code and a `RunInteractiveShell` receiver method was added to allow callers outside of `lib/client` to spawn a session. `TerminalHandler.issueSessionMFACerts` used to check if per-session mfa was enabled and perform the mfa ceremony via the `client.ProxyClient` which was constructed with the `TeleportClient` established from connecting to the proxy ssh server. This would dial the Auth server under the hood directly and call `IsMFARequired` and do the ceremony if required. Each web session established via the web ui already established an auth client with the credentials of the logged in user. Again overhead is removed by leveraging the existing auth client and performing the mfa ceremony manually. Finally `TerminalHandler.makeClient` always attempted to perform the mfa ceremony prior to returning the `TeleportClient`. As outlined in [RFD 93](https://github.com/gravitational/teleport/blob/master/rfd/0093-offline-access.md), this causes additional latency and requires Auth connectivity to connect to nodes. The connection flow is now modified to attempt connection to the nodes first, and fall back to the mfa ceremony and reconnecting only if the node denies access. Partially addresses #15167
rosstimothy
added a commit
that referenced
this pull request
Nov 30, 2022
Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
rosstimothy
added a commit
that referenced
this pull request
Nov 30, 2022
Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
rosstimothy
added a commit
that referenced
this pull request
Dec 6, 2022
Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
rosstimothy
added a commit
that referenced
this pull request
Dec 6, 2022
* Make proxy routing logic reusable (#18370) * create package to contain proxy peering code * Refactor proxy routing logic into a reusable object Routing logic existed within an unexported handler of ssh subsystem requests, which prevented it from being reused by other components within the proxy, like the webapi server. This causes significant latency issues for web sessions because the web apiserver is required to dial the proxy ssh server to determine how to route to the host. Since the web apiserver and the proxy ssh server exist in the same process this is an entirely unnecesarry step that could be avoided if the routing and ability to established connections were shared throughout the proxy. A new `proxy.Router` object is introduced which contains all the logic that used to exist in `regular.proxySubsys` for determining how to connect to servers and clusters. All routing within the `regular.proxySubsys` now leverages the `proxy.Router` to dial the target. This is step 1 in addressing #15167. Now that the `proxy.Router` exists `web.APIServer` will be able to make use of it to avoid dialing the same process to establish connections. * Make session control logic reusable (#18565) Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
rosstimothy
added a commit
that referenced
this pull request
Dec 7, 2022
Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
rosstimothy
added a commit
that referenced
this pull request
Dec 7, 2022
* Refactor proxy routing logic into a reusable object Routing logic existed within an unexported handler of ssh subsystem requests, which prevented it from being reused by other components within the proxy, like the webapi server. This causes significant latency issues for web sessions because the web apiserver is required to dial the proxy ssh server to determine how to route to the host. Since the web apiserver and the proxy ssh server exist in the same process this is an entirely unnecesarry step that could be avoided if the routing and ability to established connections were shared throughout the proxy. A new `proxy.Router` object is introduced which contains all the logic that used to exist in `regular.proxySubsys` for determining how to connect to servers and clusters. All routing within the `regular.proxySubsys` now leverages the `proxy.Router` to dial the target. This is step 1 in addressing #15167. Now that the `proxy.Router` exists `web.APIServer` will be able to make use of it to avoid dialing the same process to establish connections. * Make session control logic reusable (#18565) Session control logic existed within `HandleNewConn` of `srv/regular.Server`. This prevented any of it from being used by other components that also needed to enforce session control. All the logic from within `HandleNewConn` was refactored to a new `srv.SessionController` object which the `regular.Server` now uses to perform session control. There were a few additional changes needed to accomadate that session control now exists outside the server and to make tests easier to write. Namely, altering `srv.ComputLockTargets` to not take a `Server` as a parameter and leveraging a clock within `services.SemaphoreLock`. This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perfrom session control.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Session control logic existed within
HandleNewConnofsrv/regular.Server. This prevented any of it from being used by other components that also needed to enforce session control.All the logic from within
HandleNewConnwas refactored to a newsrv.SessionControllerobject which theregular.Servernow uses to perform session control. There were a few additional changes needed to accommodate that session control now exists outside the server and to make tests easier to write. Namely, alteringsrv.ComputeLockTargetsto not take aServeras a parameter and leveraging a clock withinservices.SemaphoreLock.This is step 2 in addressing #15167. Before the web apiserver can leverage the newly introduced proxy.Router and bypass making ssh connections to the proxy ssh server it needs to be able to perform session control.