Allow user impersonation from Teleport proxies#23311
Status: Merged. Reviewed by rosstimothy (Mar 22, 2023); approved by fspmarshall (Mar 24, 2023) and rosstimothy (Mar 27, 2023).
This PR introduces user impersonation from connections created by Teleport proxies. The goal is to allow proxies to forward the user identity that initiated the connection without signing a new certificate with the user's identity. HTTP requests originating from proxies with the `Teleport-Impersonate-User` header allow the proxy to impersonate the identity carried in the value. Certificates without `SystemRole=Proxy` are not allowed to impersonate users, and the connection is automatically terminated. For IP Pinning, the client IP address is transferred using the `Teleport-Real-User-IP` header. Since the connection originated from a valid certificate belonging to a Teleport proxy, the identity and IP address headers don't need to be signed, because the Teleport upstream service trusts the proxy certificate.

Part of #22533
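The trust decision described above (impersonation and real-IP headers are honoured only when the presenting certificate carries the Proxy system role; any other peer sending them is rejected so the caller can terminate the connection) can be sketched as a small identity-resolution step. The code below is an added illustration written for this page, not Teleport's implementation: `PeerIdentity`, `EffectiveIdentity`, `ResolveIdentity` and the sample certificates and addresses are assumptions, while the two header names and the `SystemRole=Proxy` condition come from the PR description.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
)

// Header names from the PR description; the role name is the value of SystemRole=Proxy.
const (
	impersonateHeader = "Teleport-Impersonate-User"
	realIPHeader      = "Teleport-Real-User-IP"
	roleProxy         = "Proxy"
)

// ErrUntrustedImpersonation signals that a peer without the Proxy role sent
// impersonation headers. The caller is expected to close the connection.
var ErrUntrustedImpersonation = errors.New("impersonation headers from a certificate without SystemRole=Proxy")

// PeerIdentity is a hypothetical, simplified view of what the peer's client
// certificate asserts (constructed for this example).
type PeerIdentity struct {
	Username    string
	SystemRoles []string
}

// EffectiveIdentity is what the upstream service acts on after the check.
type EffectiveIdentity struct {
	Username string
	ClientIP string
}

func (p PeerIdentity) hasRole(role string) bool {
	for _, r := range p.SystemRoles {
		if r == role {
			return true
		}
	}
	return false
}

// ResolveIdentity decides which user and client IP a request is attributed to.
// remoteAddr is the TCP peer address of the mTLS connection; h are the request headers.
func ResolveIdentity(peer PeerIdentity, remoteAddr string, h http.Header) (EffectiveIdentity, error) {
	impersonated := h.Get(impersonateHeader)
	realIP := h.Get(realIPHeader)

	// Fall back to the raw address when it carries no port.
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}

	// Any peer that is not a proxy must not even attempt impersonation:
	// the headers are unsigned and are trusted purely on the certificate's role.
	if !peer.hasRole(roleProxy) {
		if impersonated != "" || realIP != "" {
			return EffectiveIdentity{}, ErrUntrustedImpersonation
		}
		return EffectiveIdentity{Username: peer.Username, ClientIP: host}, nil
	}

	// A proxy that sends no impersonation header is acting as itself (assumption).
	if impersonated == "" {
		return EffectiveIdentity{Username: peer.Username, ClientIP: host}, nil
	}

	// Trusted proxy: the forwarded client IP replaces the socket address for IP pinning,
	// but only if it parses; a malformed value is an error rather than silently ignored.
	ip := host
	if realIP != "" {
		if net.ParseIP(realIP) == nil {
			return EffectiveIdentity{}, fmt.Errorf("invalid %s value %q", realIPHeader, realIP)
		}
		ip = realIP
	}
	return EffectiveIdentity{Username: impersonated, ClientIP: ip}, nil
}

func main() {
	// Constructed sample: a proxy forwarding a request on behalf of "bob".
	proxy := PeerIdentity{Username: "proxy-1", SystemRoles: []string{roleProxy}}
	h := http.Header{}
	h.Set(impersonateHeader, "bob")
	h.Set(realIPHeader, "203.0.113.7")
	id, err := ResolveIdentity(proxy, "10.0.0.5:4443", h)
	fmt.Printf("proxy request: %+v err=%v\n", id, err)

	// The same headers from an ordinary user certificate are rejected.
	user := PeerIdentity{Username: "alice"}
	_, err = ResolveIdentity(user, "198.51.100.9:5000", h)
	fmt.Printf("user request with impersonation headers: err=%v\n", err)
}
```

The check is deliberately ordered so that the role test runs before any header is read into the identity: the headers carry no signature, so the only thing that makes them trustworthy is the mTLS certificate on the connection they arrived on.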