update user cert request proto #21197
Merged
GavinFrazar merged 1 commit intoFeb 8, 2023
smallinsky reviewed Feb 6, 2023
Base automatically changed from gavinfrazar/refactor-tsh-db-local-proxy-logic to master February 6, 2023 20:11
* Identify the "requester" of the cert request
smallinsky approved these changes Feb 8, 2023
greedy52 approved these changes Feb 8, 2023
@GavinFrazar See the table below for backport results.
avatus pushed a commit that referenced this pull request Mar 3, 2023
* Identify the "requester" of the cert request
Step 2/3 for #20323
This PR updates the protos for user cert requests. I'm adding a request parameter that identifies whether a db local proxy tunnel is requesting single-use certs. This way the mfa session TTL restriction can be skipped when the cert requester will hold the certs in memory as discussed in the RFD (#16739). This way older tsh clients will not have set this flag, and thus will not save certs to disk without the per-session-mfa TTL limit.
TODO
Step 3/3: small change to make local proxy tunnel disable per-session-mfa cert TTL and make tsh db connect use local proxy tunnel when per-session-mfa is in effect.
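
As an added illustration of the backward-compatibility point in the description above (not code from this PR or from the Teleport code base), this Go sketch shows a server choosing the cert TTL from a requester field. The type, field and constant names and the one-minute value are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Requester is a hypothetical enum. Its zero value is what a client that
// predates the field sends, since an unset proto3 enum decodes as 0.
type Requester int

const (
	RequesterUnspecified        Requester = iota // older clients; may save certs to disk
	RequesterDBLocalProxyTunnel                  // keeps certs in memory only
)
const mfaSessionTTL = time.Minute // constructed value for the restricted TTL

// CertRequest is a trimmed-down, hypothetical user cert request.
type CertRequest struct {
	SingleUse    bool // per-session MFA single-use cert
	MFAVerified  bool // server already validated the MFA response
	Requester    Requester
	RequestedTTL time.Duration
}

// EffectiveTTL returns the TTL to sign. Only the recognised in-memory requester
// skips the MFA session cap; the zero value and unknown values fail closed.
func EffectiveTTL(req CertRequest) (time.Duration, error) {
	if req.RequestedTTL <= 0 {
		return 0, errors.New("requested TTL must be positive")
	}
	if !req.SingleUse {
		return req.RequestedTTL, nil
	}
	if !req.MFAVerified {
		return 0, errors.New("single-use cert requires a verified MFA response")
	}
	if req.Requester != RequesterDBLocalProxyTunnel && req.RequestedTTL > mfaSessionTTL {
		return mfaSessionTTL, nil
	}
	return req.RequestedTTL, nil
}

func main() {
	old := CertRequest{SingleUse: true, MFAVerified: true, RequestedTTL: time.Hour}
	ttl, err := EffectiveTTL(old)
	fmt.Println("older client gets:", ttl, err)
}
```

The requester value is supplied by the client, so it only states how the client intends to store the cert; the MFA check in the sketch does not depend on it.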