[v11] Fix access to leaf resources #25922

Merged
rosstimothy merged 1 commit into branch/v11 from tross/backport-25694/v11
May 12, 2023
@rosstimothy

Backport #25694 to branch/v11

@rosstimothy rosstimothy force-pushed the tross/backport-25694/v11 branch 2 times, most recently from 5881a4f to c567d1f Compare May 9, 2023 18:58
* Add leaf resource test cases to TestGenerateUserSingleUseCert

Updates TestGenerateUserSingleUseCert to test certificate generation
for kube and db resources in a leaf cluster.

* Fix access to leaf resources

The MFA required check added to the Auth server in
#24250 is now
only performed if the `RouteToCluster` indicates that the request
is for the local cluster and not a remote cluster. When the root
cluster checks if mfa is required to a resource in another cluster
it would always return a not found error since the resource didn't
exist in the root backend. This results in the behavior described
in #25619.

This step is now skipped for any resources in another cluster to allow
certificates for remote cluster resources to be generated by the root.
`tsh` detects that a resource is a leaf cluster and will first call
`proto.AuthService/IsMFARequired` on the leaf cluster before requesting
certificates from the root cluster to prevent a user from being
prompted to complete an MFA ceremony if one is not required.

Closes #25619

* Add desktop and app test case to TestGenerateUserSingleUseCert
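
The routing rule from the commit message above, reduced to a small Go model. This is an added example, not Teleport's code: `AuthServer`, `CertRequest`, `GenerateCert`, `RequestLeafCert` and the `localOnly` switch are hypothetical names, and only `IsMFARequired` and `RouteToCluster` come from the text.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model for illustration; not Teleport's types.
var ErrNotFound = errors.New("resource not found")
type CertRequest struct{ RouteToCluster, Resource string }

// AuthServer is one cluster's auth service; Resources stands in for its backend.
type AuthServer struct {
	ClusterName string
	Resources   map[string]bool // local resource name -> MFA required
}

// IsMFARequired can only answer for resources in this cluster's backend.
func (a *AuthServer) IsMFARequired(resource string) (bool, error) {
	required, ok := a.Resources[resource]
	if !ok {
		return false, fmt.Errorf("%s in %s: %w", resource, a.ClusterName, ErrNotFound)
	}
	return required, nil
}

// GenerateCert returns a placeholder certificate string. localOnly=false models the
// behaviour before the fix (lookup on every request); true limits it to local routes.
func (a *AuthServer) GenerateCert(req CertRequest, localOnly bool) (string, error) {
	if !localOnly || req.RouteToCluster == a.ClusterName {
		if _, err := a.IsMFARequired(req.Resource); err != nil {
			return "", err
		}
	}
	return "cert:" + req.RouteToCluster + "/" + req.Resource, nil
}

// RequestLeafCert follows the client order described for tsh: leaf check, then root cert.
func RequestLeafCert(root, leaf *AuthServer, resource string) (cert string, prompt bool, err error) {
	if prompt, err = leaf.IsMFARequired(resource); err != nil {
		return "", false, err
	}
	cert, err = root.GenerateCert(CertRequest{leaf.ClusterName, resource}, true)
	return cert, prompt, err
}

func main() {
	root, leaf := &AuthServer{"root", nil}, &AuthServer{"leaf", map[string]bool{"db-leaf": true}}
	fmt.Println(RequestLeafCert(root, leaf, "db-leaf"))
}
```
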
@rosstimothy rosstimothy force-pushed the tross/backport-25694/v11 branch from c567d1f to 7649e74 Compare May 9, 2023 19:17
@rosstimothy rosstimothy marked this pull request as ready for review May 9, 2023 19:59
@github-actions github-actions Bot requested a review from capnspacehook May 9, 2023 19:59
@github-actions github-actions Bot added the tsh label May 9, 2023
@github-actions github-actions Bot requested review from ibeckermayer and nklaassen May 9, 2023 19:59
@rosstimothy rosstimothy requested review from r0mant and zmb3 May 10, 2023 14:00
@ibeckermayer ibeckermayer left a comment

Double checked that all is working as expected for Windows

@rosstimothy rosstimothy added this pull request to the merge queue May 12, 2023
Merged via the queue into branch/v11 with commit c129b8c May 12, 2023
@rosstimothy rosstimothy deleted the tross/backport-25694/v11 branch May 12, 2023 20:12
Labels

backport, size/md, tsh
