diff --git a/docs/config.json b/docs/config.json
index e88ea882e97f8..a57e300b42fa0 100644
--- a/docs/config.json
+++ b/docs/config.json
@@ -31,7 +31,7 @@
 {
 "title": "Teleport Assist",
 "slug": "/ai-assist/",
- "forScopes": ["oss"]
+ "forScopes": ["oss", "team"]
 }
 ]
 },
@@ -45,7 +45,8 @@
 },
 {
 "title": "Teleport Team",
- "slug": "/choose-an-edition/teleport-team/"
+ "slug": "/choose-an-edition/teleport-team/",
+ "forScopes": ["team"]
 },
 {
 "title": "Teleport Enterprise Cloud",
@@ -99,7 +100,8 @@
 "entries": [
 {
 "title": "Introduction",
- "slug": "/deploy-a-cluster/introduction/"
+ "slug": "/deploy-a-cluster/introduction/",
+ "forScopes": ["oss", "enterprise"]
 },
 {
 "title": "High Availability Deployments",
@@ -246,7 +248,7 @@
 {
 "title": "Single Sign-On (SSO)",
 "slug": "/access-controls/sso/",
- "forScopes": ["enterprise", "oss", "cloud"],
+ "forScopes": ["oss", "team", "enterprise", "cloud"],
 "entries": [
 {
 "title": "Active Directory (ADFS)",
@@ -260,8 +262,7 @@
 },
 {
 "title": "GitHub",
- "slug": "/access-controls/sso/github-sso/",
- "forScopes": ["enterprise", "cloud", "oss"]
+ "slug": "/access-controls/sso/github-sso/"
 },
 {
 "title": "GitLab",
@@ -293,22 +294,22 @@
 {
 "title": "Teleport as an IdP",
 "slug": "/access-controls/idps/",
- "forScopes": ["enterprise", "cloud"],
+ "forScopes": ["enterprise", "cloud", "team"],
 "entries": [
 {
 "title": "SAML Identity Provider Guide",
 "slug": "/access-controls/idps/saml-guide/",
- "forScopes": ["enterprise", "cloud"]
+ "forScopes": ["enterprise", "cloud", "team"]
 },
 {
 "title": "Authenticate to Grafana with Teleport SAML",
 "slug": "/access-controls/idps/saml-grafana/",
- "forScopes": ["enterprise", "cloud"]
+ "forScopes": ["enterprise", "cloud", "team"]
 },
 {
 "title": "SAML Identity Provider Reference",
 "slug": "/access-controls/idps/saml-reference/",
- "forScopes": ["enterprise", "cloud"]
+ "forScopes": ["enterprise", "cloud", "team"]
 }
 ]
 },
@@ -380,7 +381,8 @@
 "entries": [
 {
 "title": "Role Requests",
- "slug": "/access-controls/access-requests/role-requests/"
+ "slug": "/access-controls/access-requests/role-requests/",
+ "forScopes": ["enterprise", "cloud"]
 },
 {
 "title": "Resource Requests",
@@ -390,7 +392,7 @@
 {
 "title": "Role Requests in OSS Teleport",
 "slug": "/access-controls/access-requests/oss-role-requests/",
- "forScopes": ["oss", "enterprise", "cloud"]
+ "forScopes": ["oss"]
 }
 ]
 },
@@ -473,7 +475,8 @@
 "entries": [
 {
 "title": "Kubernetes Operator (Preview)",
- "slug": "/management/dynamic-resources/teleport-operator/"
+ "slug": "/management/dynamic-resources/teleport-operator/",
+ "forScopes": ["oss","enterprise"]
 },
 {
 "title": "Terraform Provider",
@@ -499,8 +502,7 @@
 },
 {
 "title": "Troubleshooting",
- "slug": "/management/admin/troubleshooting/",
- "forScopes": ["oss", "enterprise", "cloud"]
+ "slug": "/management/admin/troubleshooting/"
 },
 {
 "title": "Upgrading the Teleport Binary",
@@ -512,7 +514,8 @@
 },
 {
 "title": "Run Teleport with Self-Signed Certificates",
- "slug": "/management/admin/self-signed-certs/"
+ "slug": "/management/admin/self-signed-certs/",
+ "forScopes": ["oss", "enterprise"]
 },
 {
 "title": "Uninstall Teleport",
@@ -535,8 +538,7 @@
 },
 {
 "title": "Backup and Restore",
- "slug": "/management/operations/backup-restore/",
- "forScopes": ["oss", "enterprise"]
+ "slug": "/management/operations/backup-restore/"
 },
 {
 "title": "Cert Authority Rotation",
@@ -553,12 +555,12 @@
 "forScopes": ["enterprise"]
 },
 {
- "title": "Self-hosted automatic updates",
+ "title": "Self-Hosted Automatic Updates",
 "slug": "/management/operations/self-hosted-automatic-agent-updates/",
 "forScopes": ["enterprise"]
 },
 {
- "title": "Enroll agent in automatic updates",
+ "title": "Enroll Agents in Automatic Updates",
 "slug": "/management/operations/enroll-agent-into-automatic-updates/",
 "forScopes": ["enterprise", "cloud"]
 }
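Review bot: The new `"forScopes": ["oss","enterprise"]` on the Kubernetes Operator entry (hunk @@ -473) drops the space after the comma that every other `forScopes` array in this file uses, and the teleport-cluster entry in hunk @@ -1388 spreads its two-element array over four lines where the rest of the file keeps such arrays inline. Both should read `"forScopes": ["oss", "enterprise"]` so the file stays uniformly formatted and a later formatter pass does not produce unrelated diff noise. The order of scope values also varies between the new entries (`["oss", "team", "enterprise", "cloud"]` on the SSO entry versus `["enterprise", "cloud", "team"]` on the IdP entries); if order carries no meaning for the docs build, a fixed order would make each entry's scope coverage easier to compare at a glance.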
@@ -620,23 +622,19 @@
 "entries": [
 {
 "title": "Export Audit Events to Fluentd",
- "slug": "/management/export-audit-events/fluentd/",
- "forScopes": ["enterprise", "cloud"]
+ "slug": "/management/export-audit-events/fluentd/"
 },
 {
 "title": "Export Audit Events to Datadog",
- "slug": "/management/export-audit-events/datadog/",
- "forScopes": ["enterprise", "cloud"]
+ "slug": "/management/export-audit-events/datadog/"
 },
 {
 "title": "Export Audit Events to the Elastic Stack",
- "slug": "/management/export-audit-events/elastic-stack/",
- "forScopes": ["enterprise", "cloud"]
+ "slug": "/management/export-audit-events/elastic-stack/"
 },
 {
 "title": "Export Audit Events to Splunk",
- "slug": "/management/export-audit-events/splunk/",
- "forScopes": ["enterprise", "cloud"]
+ "slug": "/management/export-audit-events/splunk/"
 }
 ]
 }
@@ -686,7 +684,8 @@
 "entries": [
 {
 "title": "Via AWS EC2",
- "slug": "/agents/join-services-to-your-cluster/aws-ec2/"
+ "slug": "/agents/join-services-to-your-cluster/aws-ec2/",
+ "forScopes": ["oss", "enterprise"]
 },
 {
 "title": "Via AWS IAM",
@@ -1317,7 +1316,8 @@
 },
 {
 "title": "How to Build an Access Request Plugin",
- "slug": "/api/access-plugin/"
+ "slug": "/api/access-plugin/",
+ "forScopes": ["enterprise", "cloud"]
 },
 {
 "title": "Automatically Register Teleport Agents",
@@ -1388,7 +1388,11 @@
 "entries": [
 {
 "title": "teleport-cluster",
- "slug": "/reference/helm-reference/teleport-cluster/"
+ "slug": "/reference/helm-reference/teleport-cluster/",
+ "forScopes": [
+ "oss",
+ "enterprise"
+ ]
 },
 {
 "title": "teleport-kube-agent",
@@ -1456,7 +1460,8 @@
 },
 {
 "title": "Proxy Peering (Preview)",
- "slug": "/architecture/proxy-peering/"
+ "slug": "/architecture/proxy-peering/",
+ "forScopes": ["enterprise"]
 },
 {
 "title": "Agent Update Management",
diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx
index e2a0e609366c8..ccb7e6f47c25b 100644
--- a/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx +++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx @@ -286,7 +286,7 @@ Once Teleport is running, you've created the Discord app, and the plugin is configured, you can now run the plugin and test the workflow. - + Start the plugin: ```code @@ -301,7 +301,7 @@ INFO Starting Teleport Access Discord Plugin 7.2.1: discord/app.go:80 INFO Plugin is ready discord/app.go:101 ``` - + Install the plugin: ```code diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx index 5cbb721020198..4d97516784cb3 100644 --- a/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx +++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx @@ -38,20 +38,23 @@ in your Teleport cluster. ## Step 2/7. Install the Teleport email plugin - +In this step, you will install the Teleport email plugin. + + + We recommend installing Teleport plugins on the same host as the Teleport Proxy Service. This is an ideal location as plugins have a low memory footprint, and will require both public internet access and Teleport Auth Service access. - - - + + Install the Teleport email plugin on a host that can access both your Teleport Cloud tenant and your SMTP service. - + +
diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx index 6314aa672899b..46f6042b61a21 100644 --- a/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx +++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx @@ -152,7 +152,7 @@ Edit the configuration as explained below: ### `[mattermost]` - + **`url`**: Include the scheme (`https://`) and fully qualified domain name of your Mattermost deployment. @@ -183,7 +183,7 @@ recipients = [ ``` - + **`url`**: Include the scheme (`https://`) and fully qualified domain name of your Mattermost deployment. @@ -275,7 +275,7 @@ severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN" ## Step 7/8. Test your Mattermost bot - + After modifying your configuration, run the bot with the following command: ```code @@ -294,7 +294,7 @@ DEBU Watcher connected mattermost/main.go:260 DEBU Mattermost API health check finished ok mattermost/main.go:19 ``` - + After modifying your configuration, run the bot with the following command: ```code diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx index abdb990085d02..422de44f4c950 100644 --- a/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx +++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx 
@@ -32,20 +32,21 @@ PagerDuty. - Either a Linux host or Kubernetes cluster where you will run the PagerDuty plugin. - + + We recommend installing Teleport plugins on the same host as the Teleport Proxy Service. This is an ideal location as plugins have a low memory footprint, and will require both public internet access and Teleport Auth Service access. - - - + + Install the Teleport PagerDuty plugin on a host that can access both your Teleport Cloud tenant and PagerDuty. - + + - (!docs/pages/includes/tctl.mdx!) @@ -521,7 +522,7 @@ The final configuration should resemble the following: ## Step 7/8. Test the PagerDuty plugin - + After you configure the PagerDuty plugin, run the following command to start it. The `-d` flag will provide debug information to ensure that the plugin can connect to PagerDuty and your Teleport cluster: @@ -539,7 +540,7 @@ $ teleport-pagerduty start -d # DEBU Setting up the webhook extensions pagerduty/main.go:178 ``` - + After modifying your configuration, run the bot with the following command: ```code @@ -597,7 +598,7 @@ should still check the Teleport audit log to ensure that the right users are reviewing the right requests. When auditing Access Request reviews, check for events with the type `Access -Request Reviewed` in the Teleport Web UI and `access_request.review` if reviewing the audit log on the Auth Service host. diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx index e3ddb2a5c5709..d2b78960d8edc 100644 --- a/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx +++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx @@ -339,7 +339,7 @@ Once Teleport is running, you've created the Slack app, and the plugin is configured, you can now run the plugin and test the workflow. - + Start the plugin: ```code 
@@ -354,7 +354,7 @@ INFO Starting Teleport Access Slack Plugin 7.2.1: slack/app.go:80 INFO Plugin is ready slack/app.go:101 ``` - + Install the plugin: ```code diff --git a/docs/pages/access-controls/access-requests/role-requests.mdx b/docs/pages/access-controls/access-requests/role-requests.mdx index 8f5600e7d5464..1ec0bfbcb1598 100644 --- a/docs/pages/access-controls/access-requests/role-requests.mdx +++ b/docs/pages/access-controls/access-requests/role-requests.mdx @@ -10,7 +10,7 @@ via ChatOps or anywhere else via our flexible Authorization Workflow API. ## Prerequisites -(!docs/pages/includes/edition-prereqs-tabs.mdx!) +(!docs/pages/includes/commercial-prereqs-tabs.mdx!) - (!docs/pages/includes/tctl.mdx!) diff --git a/docs/pages/access-controls/compliance-frameworks/soc2.mdx b/docs/pages/access-controls/compliance-frameworks/soc2.mdx index 1ebbc51a4b06e..1c026c45a5d67 100644 --- a/docs/pages/access-controls/compliance-frameworks/soc2.mdx +++ b/docs/pages/access-controls/compliance-frameworks/soc2.mdx @@ -7,13 +7,12 @@ h1: SOC 2 Compliance for SSH, Kubernetes, Databases, Desktops, and Web Apps Teleport is designed to meet SOC 2 requirements for the purposes of accessing infrastructure, change management, and system operations. This document outlines a high level overview of how Teleport can be used to help your company to become SOC 2 compliant. - + - This guide requires Teleport Cloud or Teleport Enterprise. + SOC 2 compliance features are only available for Teleport Enterprise and + Teleport Enterprise Cloud. - + ## Achieving SOC 2 Compliance with Teleport SOC 2 or Service Organization Controls were developed by the American Institute of CPAs (AICPA). They are based on five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. diff --git a/docs/pages/access-controls/guides/dual-authz.mdx b/docs/pages/access-controls/guides/dual-authz.mdx index 8ce47c6a3fc13..7fef919b7789e 100644 
--- a/docs/pages/access-controls/guides/dual-authz.mdx +++ b/docs/pages/access-controls/guides/dual-authz.mdx @@ -10,20 +10,19 @@ Here are the most common scenarios: - Improve the security of your system and prevent one successful phishing attack from compromising your system. - Satisfy FedRAMP AC-3 Dual authorization control that requires approval of two authorized individuals. -In this guide, we will set up Teleport's Just-in-Time Access Requests to require the approval -of two team members for a privileged role `dbadmin`. +In this guide, we will set up Teleport's Just-in-Time Access Requests to require +the approval of two team members for a privileged role `dbadmin`. - +The steps below describe how to use Teleport with Mattermost. You can also +[integrate with many other providers](../access-requests.mdx). - This guide requires a commercial edition of Teleport. The open source - edition of Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as - an SSO provider. + - +This guide requires a commercial edition of Teleport. The open source edition of +Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as an +SSO provider. - - The steps below describe how to use Teleport with Mattermost. You can also [integrate with many other providers](../access-requests.mdx). - + ## Prerequisites @@ -211,7 +210,7 @@ Bob can also assume granted Access Request roles using Web UI: {/* TODO: This H2 will show up in the table of contents when this section is invisible. We need a way to hide invisible H2s from the TOC. */} - + ## Troubleshooting diff --git a/docs/pages/access-controls/guides/hardware-key-support.mdx b/docs/pages/access-controls/guides/hardware-key-support.mdx index 17b73a8a1f945..5ca176d88756a 100644 --- a/docs/pages/access-controls/guides/hardware-key-support.mdx +++ b/docs/pages/access-controls/guides/hardware-key-support.mdx 
@@ -54,7 +54,7 @@ Additionally, this feature can be configured to require touch for every Teleport ## Prerequisites -(!docs/pages/includes/edition-prereqs-tabs.mdx!) +(!docs/pages/includes/commercial-prereqs-tabs.mdx!) - A series 5+ YubiKey diff --git a/docs/pages/access-controls/guides/moderated-sessions.mdx b/docs/pages/access-controls/guides/moderated-sessions.mdx index 5485a118e49f5..15ec098fe55a7 100644 --- a/docs/pages/access-controls/guides/moderated-sessions.mdx +++ b/docs/pages/access-controls/guides/moderated-sessions.mdx @@ -14,11 +14,11 @@ the session, and terminate the session at will. In addition, Teleport administrators can [define rules](#join_sessions) that allow users to join each other's sessions from `tsh` and the Web UI. - + - Moderated Sessions requires Teleport Enterprise or Teleport Cloud. + Moderated Sessions requires Teleport Enterprise or Teleport Enterprise Cloud. - + ### Use cases diff --git a/docs/pages/access-controls/guides/webauthn.mdx b/docs/pages/access-controls/guides/webauthn.mdx index 44966f99334d6..f51437f1d2a58 100644 --- a/docs/pages/access-controls/guides/webauthn.mdx +++ b/docs/pages/access-controls/guides/webauthn.mdx @@ -28,7 +28,7 @@ WebAuthn is disabled by default. To enable WebAuthn support, update your Teleport configuration as below: - + Edit the `cluster_auth_preference` resource: diff --git a/docs/pages/access-controls/idps/saml-grafana.mdx b/docs/pages/access-controls/idps/saml-grafana.mdx index 249735a24b7f7..f9f02371c12a0 100644 --- a/docs/pages/access-controls/idps/saml-grafana.mdx +++ b/docs/pages/access-controls/idps/saml-grafana.mdx @@ -15,7 +15,7 @@ not just those running behind the Teleport App Service. - An instance of Grafana Enterprise, with edit access to `grafana.ini`. - A trusted certificate authority to create TLS certificates/keys for the SAML connection. -(!docs/pages/includes/commercial-prereqs-tabs.mdx!) +(!docs/pages/includes/no-oss-prereqs-tabs.mdx!) - (!docs/pages/includes/tctl.mdx!) 
diff --git a/docs/pages/access-controls/idps/saml-guide.mdx b/docs/pages/access-controls/idps/saml-guide.mdx index 71ae4eb53c5d7..3f938c9cace2f 100644 --- a/docs/pages/access-controls/idps/saml-guide.mdx +++ b/docs/pages/access-controls/idps/saml-guide.mdx @@ -11,7 +11,7 @@ authenticate to external services. ## Prerequisites -(!docs/pages/includes/commercial-prereqs-tabs.mdx!) +(!docs/pages/includes/no-oss-prereqs-tabs.mdx!) - (!docs/pages/includes/tctl.mdx!) - If you're new to SAML, consider reviewing our [SAML Identity Provider @@ -126,4 +126,4 @@ are logged in, you should be re-routed to a success page on samltest.id. This has verified service provider initiated SSO. To verify identity provider initiated SSO, navigate to `https:///enterprise/saml-idp/login/samltest-id`, where `samltest-id` is the friendly name of the service provider object created earlier. -You should be redirected to the same successful login page seen earlier. \ No newline at end of file +You should be redirected to the same successful login page seen earlier. diff --git a/docs/pages/access-controls/sso.mdx b/docs/pages/access-controls/sso.mdx index 301f98989defb..7510983f447c5 100644 --- a/docs/pages/access-controls/sso.mdx +++ b/docs/pages/access-controls/sso.mdx @@ -241,7 +241,7 @@ scope={["enterprise"]}>either modify your Auth Service configuration file or create a `cluster_auth_preference` resource. - + Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon. ```yaml auth_service: @@ -252,7 +252,7 @@ or create a `cluster_auth_preference` resource. (!docs/pages/includes/sso/idp-initiated.mdx!) - + Create a file called `cap.yaml`: ```yaml kind: cluster_auth_preference diff --git a/docs/pages/access-controls/sso/google-workspace.mdx b/docs/pages/access-controls/sso/google-workspace.mdx index 7d127cf918b90..37b3729c79190 100644 --- a/docs/pages/access-controls/sso/google-workspace.mdx +++ b/docs/pages/access-controls/sso/google-workspace.mdx 
@@ -221,7 +221,7 @@ Create the OIDC connector resource using `tctl`. We will explain how to choose values for fields within the resource spec below: - + Use this method to define the service account JSON in the connector resource. This method doesn't require providing the JSON file to the host(s) running the @@ -274,7 +274,7 @@ version: v3 ``` - + Use this method for single self-hosted Teleport Auth instances, or when you can easily and reliably make the JSON file available to all hosts running the Auth diff --git a/docs/pages/agents/join-services-to-your-cluster/aws-ec2.mdx b/docs/pages/agents/join-services-to-your-cluster/aws-ec2.mdx index 1bcc211fc265d..056393b9e7d1e 100644 --- a/docs/pages/agents/join-services-to-your-cluster/aws-ec2.mdx +++ b/docs/pages/agents/join-services-to-your-cluster/aws-ec2.mdx @@ -7,27 +7,25 @@ This guide will explain how to use the **EC2 join method** to configure Teleport processes to join your Teleport cluster without sharing any secrets when they are running in AWS. - - -The EC2 join method is not available in Teleport Enterprise Cloud. Teleport -Enterprise Cloud customers can use the [IAM join method](./aws-iam.mdx) or -[secret tokens](join-token.mdx). - - - The EC2 join method is available to any Teleport process running on an EC2 -instance. Only one Teleport process per EC2 instance may use the EC2 join +instance. Only one Teleport process per EC2 instance may use the EC2 join method. IAM credentials with `ec2:DescribeInstances` permissions are required on your Teleport Auth Service. No IAM credentials are required on the Teleport processes joining the cluster. + + +The EC2 join method is not available in Teleport Enterprise Cloud and Teleport +Team. Teleport Enterprise Cloud and Team customers can use the [IAM join +method](./aws-iam.mdx) or [secret tokens](join-token.mdx). + + +
There are two other AWS join methods available depending on your use case. @@ -46,7 +44,7 @@ AWS-specific APIs. ## Prerequisites -(!docs/pages/includes/edition-prereqs-tabs.mdx!) +(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!) - (!docs/pages/includes/tctl.mdx!) - An AWS EC2 instance to host a Teleport process, with the Teleport binary diff --git a/docs/pages/architecture/proxy-peering.mdx b/docs/pages/architecture/proxy-peering.mdx index e8d0ad62f3a36..f2c04cbf4bedc 100644 --- a/docs/pages/architecture/proxy-peering.mdx +++ b/docs/pages/architecture/proxy-peering.mdx @@ -6,8 +6,6 @@ description: How Teleport implements more efficient networking with Proxy Peerin
Proxy Peering is available in Preview starting from Teleport `10.0`. diff --git a/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx b/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx index 236e3ee20b09f..2e883312f228f 100644 --- a/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx +++ b/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx @@ -38,11 +38,7 @@ only ever exists in KMS when this feature is enabled. Read on to [migrating an existing cluster](#migrating-an-existing-cluster) to learn more. - - -This guide is intended for self-hosted Teleport Enterprise users. - - +(!docs/pages/includes/cloud/call-to-action.mdx!) ## Prerequisites diff --git a/docs/pages/contributing/documentation/reference.mdx b/docs/pages/contributing/documentation/reference.mdx index f0659ccc53819..43f8026d06f1b 100644 --- a/docs/pages/contributing/documentation/reference.mdx +++ b/docs/pages/contributing/documentation/reference.mdx @@ -573,7 +573,7 @@ Here is the result: Enterprise. - + Here are instructions for Teleport Cloud users. diff --git a/docs/pages/database-access/faq.mdx b/docs/pages/database-access/faq.mdx index 2a03b94a346eb..7f1fa64bec29f 100644 --- a/docs/pages/database-access/faq.mdx +++ b/docs/pages/database-access/faq.mdx @@ -52,10 +52,10 @@ This is useful when the Teleport Web UI is running behind an L7 load balancer on a plain TCP load balancer (e.g. NLB in AWS). - + -In Teleport Cloud, the Proxy Service uses the following ports for -Database Service client traffic: +In Teleport Team and Teleport Enterprise Cloud, the Proxy Service uses the +following ports for Database Service client traffic: |Configuration setting|Port| |---|---| diff --git a/docs/pages/database-access/guides/azure-postgres-mysql.mdx b/docs/pages/database-access/guides/azure-postgres-mysql.mdx index bb288df65f07c..43ae44120b8e1 100644 --- a/docs/pages/database-access/guides/azure-postgres-mysql.mdx 
+++ b/docs/pages/database-access/guides/azure-postgres-mysql.mdx @@ -65,6 +65,7 @@ Create the Database Service configuration. - Specify the region for your database(s) in `--azure-mysql-discovery`. + - Replace the `--proxy` value with your Teleport proxy address or Teleport cloud URI (e.g. `mytenant.teleport.sh:443`): diff --git a/docs/pages/database-access/guides/mongodb-atlas.mdx b/docs/pages/database-access/guides/mongodb-atlas.mdx index 2f0071818ebee..0b89493180fed 100644 --- a/docs/pages/database-access/guides/mongodb-atlas.mdx +++ b/docs/pages/database-access/guides/mongodb-atlas.mdx @@ -299,7 +299,7 @@ $ tsh db ls ``` - + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice $ tsh db ls diff --git a/docs/pages/database-access/guides/oracle-self-hosted.mdx b/docs/pages/database-access/guides/oracle-self-hosted.mdx index 82148b432aa0f..d536b19050589 100644 --- a/docs/pages/database-access/guides/oracle-self-hosted.mdx +++ b/docs/pages/database-access/guides/oracle-self-hosted.mdx 
@@ -31,7 +31,34 @@ This guide will help you to: (!docs/pages/includes/database-access/token.mdx!) -(!docs/pages/includes/database-access/create-user.mdx!) + + +To modify an existing user to provide access to the Database Service, see [Database Access Access Controls](../../database-access/rbac.mdx) + + + +Create a local Teleport user with the built-in `access` and `requester` roles: + +```code +$ tctl users add \ + --roles=access,requester \ + --db-users=\* \ + --db-names=\* \ + alice +``` + +| Flag | Description | +|--------------|------------------------------------------------------------------------------------------------------------------------------------------| +| `--roles` | List of roles to assign to the user. The builtin `access` role allows them to connect to any database server registered with Teleport. | +| `--db-users` | List of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user. | +| `--db-names` | List of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database. | + + + Database names are only enforced for PostgreSQL and MongoDB databases. + + +For more detailed information about database access controls and how to restrict +access see [RBAC](../../database-access/rbac.mdx) documentation. ## Step 2/5. Create a certificate/key pair and Teleport Oracle Wallet @@ -92,7 +119,7 @@ Install and configure Teleport where you will run the Teleport Database Service: -(!docs/pages/includes/install-linux.mdx!) +(!docs/pages/includes/install-linux-enterprise.mdx!) (!docs/pages/includes/database-access/db-configure-start.mdx dbName="oracle" dbProtocol="oracle" databaseAddress="oracle.example.com:2484" dbName="oracle" !) 
@@ -102,7 +129,48 @@ Install and configure Teleport where you will run the Teleport Database Service: (!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!) - (!docs/pages/includes/database-access/db-helm-install.mdx dbName="oracle" dbProtocol="oracle" databaseAddress="oracle.example.com:2484" dbName="oracle" !) + + + Install the Teleport Kube Agent into your Kubernetes Cluster + with the Teleport Database Service configuration. + + ```code + $ JOIN_TOKEN=$(cat /tmp/token) + $ helm install teleport-kube-agent teleport/teleport-kube-agent \ + --create-namespace \ + --namespace teleport-agent \ + --set roles=db \ + --set proxyAddr=teleport.example.com:443 \ + --set authToken=${JOIN_TOKEN?} \ + --set "databases[0].name=oracle" \ + --set "databases[0].uri=oracle.example.com:2484" \ + --set "databases[0].protocol=oracle" \ + --set "labels.env=dev" \ + --version (=teleport.version=) + ``` + + + + Install the Teleport Kube Agent into your Kubernetes Cluster + with the Teleport Database Service configuration. + + ```code + $ JOIN_TOKEN=$(cat /tmp/token) + $ helm install teleport-kube-agent teleport/teleport-kube-agent \ + --create-namespace \ + --namespace teleport-agent \ + --set roles=db \ + --set proxyAddr=mytenant.teleport.sh:443 \ + --set authToken=${JOIN_TOKEN?} \ + --set "databases[0].name=oracle" \ + --set "databases[0].uri=oracle.example.com:2484" \ + --set "databases[0].protocol=oracle" \ + --set "labels.env=dev" \ + --version (=cloud.version=) + ``` + + + 
@@ -113,24 +181,15 @@ Install and configure Teleport where you will run the Teleport Database Service: Once the Database Service has joined the cluster, log in to see the available databases: - ```code -$ tsh login --proxy=teleport.example.com --user=alice +$ tsh login --proxy= --user=alice $ tsh db ls # Name Description Allowed Users Labels Connect # ------ -------------- ------------- ------- ------- # oracle Oracle Example [*] env=dev ``` - - -```code -$ tsh login --proxy=mytenant.teleport.sh --user=alice -$ tsh db ls -# Name Description Allowed Users Labels Connect -# ------ -------------- ------------- ------- ------- -# oracle Oracle Example [*] env=dev -``` - + +Connect to the database: ```code $ tsh db connect --db-user=alice --db-name=XE oracle @@ -146,6 +205,7 @@ $ tsh db connect --db-user=alice --db-name=XE oracle # # SQL> ``` + To log out of the database and remove credentials: ```code diff --git a/docs/pages/database-access/guides/redis-aws.mdx b/docs/pages/database-access/guides/redis-aws.mdx index 6f32a95ad298e..20d3bdd87ed24 100644 --- a/docs/pages/database-access/guides/redis-aws.mdx +++ b/docs/pages/database-access/guides/redis-aws.mdx @@ -12,7 +12,7 @@ This guide will help you to: ![Teleport Database Access RDS Self-Hosted](../../../img/database-access/guides/redis_elasticache_selfhosted.png) - + ![Teleport Database Access RDS Cloud](../../../img/database-access/guides/redis_elasticache_cloud.png) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index c328a8343de13..2d516a1559273 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -14,7 +14,7 @@ This guide will help you to: ![Teleport Database Access Redis Cluster Self-Hosted](../../../img/database-access/guides/rediscluster_selfhosted.png) - + ![Teleport Database Access Redis Cluster Cloud](../../../img/database-access/guides/rediscluster_cloud.png) 
diff --git a/docs/pages/database-access/guides/redis.mdx b/docs/pages/database-access/guides/redis.mdx index b22fe76aa7035..30406df5b3ef7 100644 --- a/docs/pages/database-access/guides/redis.mdx +++ b/docs/pages/database-access/guides/redis.mdx @@ -14,7 +14,7 @@ This guide will help you to: ![Teleport Database Access Redis Self-Hosted](../../../img/database-access/guides/redis_selfhosted.png) - + ![Teleport Database Access Redis Cloud](../../../img/database-access/guides/redis_cloud.png) diff --git a/docs/pages/database-access/guides/snowflake.mdx b/docs/pages/database-access/guides/snowflake.mdx index 05cc07a01ae32..3dd72c5359021 100644 --- a/docs/pages/database-access/guides/snowflake.mdx +++ b/docs/pages/database-access/guides/snowflake.mdx @@ -118,7 +118,7 @@ Log in to your Teleport cluster and see the available databases: # example-snowflake Example Snowflake ❄ env=dev ``` - + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice $ tsh db ls diff --git a/docs/pages/database-access/reference/configuration.mdx b/docs/pages/database-access/reference/configuration.mdx index 9d144c7ed9728..160d0ba151ec6 100644 --- a/docs/pages/database-access/reference/configuration.mdx +++ b/docs/pages/database-access/reference/configuration.mdx @@ -58,12 +58,12 @@ proxy_service: ``` - + -Teleport Cloud automatically configures the Teleport Proxy Service with the -following settings that are relevant to database access. This reference -configuration uses `mytenant.teleport.sh` in place of your Teleport Cloud tenant -address. +Teleport Team and Teleport Enterprise Cloud automatically configure the Teleport +Proxy Service with the following settings that are relevant to database access. +This reference configuration uses `mytenant.teleport.sh` in place of your +Teleport Team/Enterprise Cloud tenant address. ```yaml proxy_service: 
diff --git a/docs/pages/deploy-a-cluster/deployments/gcp.mdx b/docs/pages/deploy-a-cluster/deployments/gcp.mdx index 5baacc59bf099..1ae8a7da3cefe 100644 --- a/docs/pages/deploy-a-cluster/deployments/gcp.mdx +++ b/docs/pages/deploy-a-cluster/deployments/gcp.mdx @@ -3,16 +3,10 @@ title: Running Teleport on GCP description: How to install and configure Teleport on GCP --- -We've created this guide to give customers an overview of how to use Teleport on -[Google Cloud](https://cloud.google.com/gcp/) (GCP). This guide provides a -high-level introduction to setting up and running Teleport in production. - - - -This guide shows you how to deploy the Auth Service and Proxy Service, which -Teleport Cloud manages for you. - - +We've created this guide to give customers an overview of how to deploy a +self-hosted Teleport cluster on [Google Cloud](https://cloud.google.com/gcp/) +(GCP). This guide provides a high-level introduction to setting up and running +Teleport in production. We have split this guide into: @@ -225,7 +219,7 @@ Follow install instructions from our [installation page](../../installation.mdx# We recommend configuring Teleport as per the below steps: - + **1. Configure Teleport Auth Server** using the below example `teleport.yaml`,and start it using [systemd](../../management/admin/daemon.mdx). The DEB/RPM installations will automatically include the `systemd` configuration. diff --git a/docs/pages/deploy-a-cluster/deployments/ibm.mdx b/docs/pages/deploy-a-cluster/deployments/ibm.mdx index 6f9e8e4665e8f..3c894a8b2b005 100644 --- a/docs/pages/deploy-a-cluster/deployments/ibm.mdx +++ b/docs/pages/deploy-a-cluster/deployments/ibm.mdx 
@@ -7,13 +7,6 @@ We've created this guide to give customers an overview of how to use Teleport on [IBM Cloud](https://www.ibm.com/cloud). This guide provides a high-level introduction to setting up and running Teleport in production. - - -This guide shows you how to deploy the Auth Service and Proxy Service, which -Teleport Cloud manages for you. - - - We have split this guide into: - [Teleport on IBM FAQ](#teleport-on-ibm-cloud-faq) diff --git a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx index d80df9a170839..5be06334bff4c 100644 --- a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx @@ -276,7 +276,7 @@ $ kubectl -n teleport create secret generic license --from-file=license.pem Next, configure the `teleport-cluster` Helm chart to use the `aws` mode. Create a file called `aws-values.yaml` and write the values you've chosen above to it: - + @@ -627,4 +627,4 @@ users and setting up RBAC. See the [high availability section of our Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability. -Read the [`cert-manager` documentation](https://cert-manager.io/docs/). \ No newline at end of file +Read the [`cert-manager` documentation](https://cert-manager.io/docs/). diff --git a/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx b/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx index 5ddf416553f04..b146f731bcf06 100644 --- a/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx @@ -301,7 +301,7 @@ Next, configure the `teleport-cluster` Helm chart to use the `gcp` mode. Create file called `gcp-values.yaml` file and write the values you've chosen above to it: - + ```yaml chartMode: gcp 
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx b/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx index 03ba38243d212..f32a12814db4a 100644 --- a/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx @@ -138,7 +138,7 @@ will use to receive notifications from Let's Encrypt, which provides TLS credentials for the Teleport Proxy Service's HTTPS endpoint. - + Write a values file (`teleport-cluster-values.yaml`) which will configure a single node Teleport cluster and provision a cert using ACME. diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/desktop-access/active-directory-manual.mdx index 7c0b8fa998473..0935e89c08b27 100644 --- a/docs/pages/desktop-access/active-directory-manual.mdx +++ b/docs/pages/desktop-access/active-directory-manual.mdx @@ -566,10 +566,11 @@ ssh_service: ``` - -For Teleport Cloud, Windows Desktop Service should establish a reverse tunnel to -the hosted proxy. This requires setting `proxy_server` to your cloud tenant and -providing a join token. + + +For Teleport Team and Teleport Enterprise Cloud, the Windows Desktop Service +should establish a reverse tunnel to the hosted Teleport Proxy Service. This +requires setting `proxy_server` to your cloud tenant and providing a join token. First, generate a join token with the following command: diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/desktop-access/getting-started.mdx index db843155794a5..09b6019404bf6 100644 --- a/docs/pages/desktop-access/getting-started.mdx +++ b/docs/pages/desktop-access/getting-started.mdx @@ -20,8 +20,6 @@ with the static host definitions described below.
Passwordless access for local users is available starting from Teleport `v12`. @@ -91,7 +89,7 @@ for detailed information on configuring Teleport Desktop Access with this token. Copy the token to the Linux host where you will run the Desktop service as `/tmp/token`. -(!docs/pages/includes/install-linux.mdx!) +(!docs/pages/includes/install-linux-enterprise.mdx!) Create `/etc/teleport.yaml` and configure it for desktop access. Update the `proxy_server` value to your Teleport proxy service or cloud tenant, and put the Windows machine address diff --git a/docs/pages/includes/cloud/call-to-action.mdx b/docs/pages/includes/cloud/call-to-action.mdx index 9e595dfaf4d0a..17b63150da8ee 100644 --- a/docs/pages/includes/cloud/call-to-action.mdx +++ b/docs/pages/includes/cloud/call-to-action.mdx @@ -1,6 +1,5 @@ Teleport Team takes care of this setup for you so you can provide secure access diff --git a/docs/pages/includes/configure-event-handler.mdx b/docs/pages/includes/configure-event-handler.mdx index ef7cf67e77446..8e08ca0ca057a 100644 --- a/docs/pages/includes/configure-event-handler.mdx +++ b/docs/pages/includes/configure-event-handler.mdx @@ -1,8 +1,9 @@ - + Run the `configure` command to generate a sample configuration. Replace -`mytenant.teleport.sh` with the DNS name of your Teleport Enterprise Cloud tenant: +`mytenant.teleport.sh` with the DNS name of your Teleport Team or Teleport +Enterprise Cloud tenant: ```code $ teleport-event-handler configure . mytenant.teleport.sh:443 diff --git a/docs/pages/includes/database-access/create-user.mdx b/docs/pages/includes/database-access/create-user.mdx index 395f602b4462f..795f7a98b41df 100644 --- a/docs/pages/includes/database-access/create-user.mdx +++ b/docs/pages/includes/database-access/create-user.mdx @@ -4,7 +4,8 @@ To modify an existing user to provide access to the Database Service, see [Datab - + + Create a local Teleport user with the built-in `access` role: ```code 
@@ -14,8 +15,8 @@ $ tctl users add \ --db-names=\* \ alice ``` - - + + Create a local Teleport user with the built-in `access` and `requester` roles: ```code @@ -25,7 +26,8 @@ $ tctl users add \ --db-names=\* \ alice ``` - + + | Flag | Description | |--------------|------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/docs/pages/includes/database-access/db-configure-start.mdx b/docs/pages/includes/database-access/db-configure-start.mdx index de490acba732a..4f026904a1c62 100644 --- a/docs/pages/includes/database-access/db-configure-start.mdx +++ b/docs/pages/includes/database-access/db-configure-start.mdx @@ -1,6 +1,4 @@ {{ dbName="test" }} - - On the host where you will run the Teleport Database Service, start Teleport with the appropriate configuration. @@ -12,7 +10,8 @@ your terminal, and manually adjust `/etc/teleport.yaml`. Generate a configuration file at `/etc/teleport.yaml` for the Database Service: - + + ```code $ teleport db configure create \ @@ -25,8 +24,8 @@ $ teleport db configure create \ --labels=env=dev ``` - - + + ```code $ teleport db configure create \ 
@@ -39,84 +38,7 @@ $ teleport db configure create \ --labels=env=dev ``` - - -Configure the Database Service to start automatically when the host boots up by -creating a systemd service for it. The instructions depend on how you installed -the Database Service. - - - - -On the host where you will run {{ service }}, start Teleport: - -```code -$ sudo systemctl enable teleport -$ sudo systemctl start teleport -``` - - - - -On the host where you will run {{ service }}, create a systemd service -configuration for Teleport, enable the Teleport service, and start Teleport: - -```code -$ sudo teleport install systemd -o /etc/systemd/system/teleport.service -$ sudo systemctl enable teleport -$ sudo systemctl start teleport -``` - - - - -You can start the Teleport Database Service without configuration file using a -CLI command: - - - -```code -$ teleport db start \ - --token=/tmp/token \ - --auth-server=teleport.example.com:443 \ - --name={{ dbName }} \ - --protocol={{ dbProtocol }} \ - --uri={{ databaseAddress }} \ - --labels=env=dev -``` - -Note that the `--auth-server` flag must point to the Teleport cluster's Proxy -Service endpoint because the Database Service always connects back to the -cluster over a reverse tunnel. - - - - -```code -$ teleport db start \ - --token=/tmp/token \ - --auth-server=mytenant.teleport.sh:443 \ - --name={{ dbName }} \ - --protocol={{ dbProtocol }} \ - --uri={{ databaseAddress }} \ - --labels=env=dev -``` - -Note that the `--auth-server` flag must point to your Teleport Cloud tenant -address. - - - - - - - - -The `--auth-server` flag must point to the Teleport cluster's Proxy Service -endpoint because the Database Service always connects back to the cluster over a -reverse tunnel. - - +(!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!) diff --git a/docs/pages/includes/database-access/db-helm-install.mdx b/docs/pages/includes/database-access/db-helm-install.mdx index 101973bb0a461..4a838889b1614 100644 
--- a/docs/pages/includes/database-access/db-helm-install.mdx +++ b/docs/pages/includes/database-access/db-helm-install.mdx @@ -1,5 +1,6 @@ {{ dbName="test" }} - + + Install the Teleport Kube Agent into your Kubernetes Cluster with the Teleport Database Service configuration. @@ -18,8 +19,8 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \ --version (=teleport.version=) ``` - - + + Install the Teleport Kube Agent into your Kubernetes Cluster with the Teleport Database Service configuration. @@ -38,4 +39,5 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \ --version (=cloud.version=) ``` - + + diff --git a/docs/pages/includes/database-access/redis-connect.mdx b/docs/pages/includes/database-access/redis-connect.mdx index b8808b3a7c728..e0533b764f236 100644 --- a/docs/pages/includes/database-access/redis-connect.mdx +++ b/docs/pages/includes/database-access/redis-connect.mdx @@ -10,7 +10,7 @@ Log into your Teleport cluster and see available databases: # example-redis Example Redis env=dev ``` - + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice $ tsh db ls diff --git a/docs/pages/includes/edition-prereqs-tabs.mdx b/docs/pages/includes/edition-prereqs-tabs.mdx index a460fc8c36581..689425bf20f48 100644 --- a/docs/pages/includes/edition-prereqs-tabs.mdx +++ b/docs/pages/includes/edition-prereqs-tabs.mdx @@ -1,5 +1,23 @@ - + + +- A Teleport Team account. If you do not have one, visit the [signup + page](https://goteleport.com/signup/) to begin your free trial. + +- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=). + + ```code + $ tctl version + # Teleport v(=teleport.version=) go(=teleport.golang=) + + $ tsh version + # Teleport v(=teleport.version=) go(=teleport.golang=) + ``` + + See [Installation](../installation.mdx) for details. + + + - A running Teleport cluster. For details on how to set this up, see our [Getting Started](../index.mdx) guide. 
@@ -18,7 +36,7 @@ + scope={["enterprise"]} label="Teleport Enterprise"> - A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise [Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide. @@ -36,7 +54,7 @@ + label="Teleport Enterprise Cloud"> - A Teleport Enterprise Cloud account. If you do not have one, visit the [signup page](https://goteleport.com/signup/) to begin a free trial of Teleport Team diff --git a/docs/pages/includes/enterprise/oidcauthentication.mdx b/docs/pages/includes/enterprise/oidcauthentication.mdx index ddfb8277de76a..ffe640a6c868c 100644 --- a/docs/pages/includes/enterprise/oidcauthentication.mdx +++ b/docs/pages/includes/enterprise/oidcauthentication.mdx @@ -1,7 +1,7 @@ Configure Teleport to use OIDC authentication as the default instead of the local user database. - + You can either edit your Teleport configuration file or create a dynamic resource. diff --git a/docs/pages/includes/enterprise/samlauthentication.mdx b/docs/pages/includes/enterprise/samlauthentication.mdx index f105e636f6ef6..496f6a332efc5 100644 --- a/docs/pages/includes/enterprise/samlauthentication.mdx +++ b/docs/pages/includes/enterprise/samlauthentication.mdx @@ -2,13 +2,8 @@ - Configure Teleport to use SAML authentication as the default instead of the local user database. - - You can either edit the Teleport Auth Service configuration file or create a dynamic - resource. - - - + Use `tctl` to edit the `cluster_auth_preference` value: @@ -37,7 +32,7 @@ user database. ``` - + Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon. diff --git a/docs/pages/includes/install-linux-enterprise.mdx b/docs/pages/includes/install-linux-enterprise.mdx new file mode 100644 index 0000000000000..2b53053e826a7 --- /dev/null +++ b/docs/pages/includes/install-linux-enterprise.mdx 
@@ -0,0 +1,125 @@
+Use the appropriate commands for your environment to install your package:
+
+
+
+
+
+
+ ```code
+ # Download Teleport's PGP public key
+ $ sudo curl https://apt.releases.teleport.dev/gpg \
+ -o /usr/share/keyrings/teleport-archive-keyring.asc
+ # Source variables about OS version
+ $ source /etc/os-release
+ # Add the Teleport APT repository for v(=teleport.major_version=). You'll need to update this
+ # file for each major release of Teleport.
+ $ echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
+ https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v(=teleport.major_version=)" \
+ | sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
+
+ $ sudo apt-get update
+ $ sudo apt-get install teleport-ent
+ ```
+
+ For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
+
+ ```code
+ $ sudo apt-get install teleport-ent-fips
+ ```
+
+
+
+ ```code
+ # Source variables about OS version
+ $ source /etc/os-release
+ # Add the Teleport YUM repository for v(=teleport.major_version=). You'll need to update this
+ # file for each major release of Teleport.
+ # First, get the major version from $VERSION_ID so this fetches the correct
+ # package version.
+ $ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
+ $ sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v(=teleport.major_version=)/teleport.repo")"
+ $ sudo yum install teleport-ent
+ #
+ # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
+ # echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
+ ```
+
+ For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
+
+ ```code
+ $ sudo yum install teleport-ent-fips
+ ```
+
+
+
+ ```code
+ # Source variables about OS version
+ $ source /etc/os-release
+ # Add the Teleport YUM repository for v(=teleport.major_version=). You'll need to update this
+ # file for each major release of Teleport.
+ # Use the dnf config manager plugin to add the teleport RPM repo
+ $ sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v(=teleport.major_version=)/teleport.repo")"
+
+ # Install teleport
+ $ sudo dnf install teleport-ent
+
+ # Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
+ # echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
+ ```
+
+ For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
+
+ ```code
+ $ sudo dnf install teleport-ent-fips
+ ```
+
+
+
+ In the example commands below, update `$SYSTEM_ARCH` with the appropriate
+ value (`amd64`, `arm64`, or `arm`). All example commands using this variable
+ will update after one is filled out.
+
+ ```code
+ $ curl https://get.gravitational.com/teleport-ent-v(=teleport.version=)-linux--bin.tar.gz.sha256
+ #
+ $ curl -O https://cdn.teleport.dev/teleport-ent-v(=teleport.version=)-linux--bin.tar.gz
+ $ shasum -a 256 teleport-ent-v(=teleport.version=)-linux--bin.tar.gz
+ # Verify that the checksums match
+ $ tar -xvf teleport-ent-v(=teleport.version=)-linux--bin.tar.gz
+ $ cd teleport-ent
+ $ sudo ./install
+ ```
+
+ For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs
+ will be slightly different:
+
+ ```code
+ $ curl https://get.gravitational.com/teleport-ent-v(=teleport.version=)-linux--fips-bin.tar.gz.sha256
+ #
+ $ curl -O https://cdn.teleport.dev/teleport-ent-v(=teleport.version=)-linux--fips-bin.tar.gz
+ $ shasum -a 256 teleport-ent-v(=teleport.version=)-linux--fips-bin.tar.gz
+ # Verify that the checksums match
+ $ tar -xvf teleport-ent-v(=teleport.version=)-linux--fips-bin.tar.gz
+ $ cd teleport-ent
+ $ sudo ./install
+ ```
+
+
+
+
+
+(!docs/pages/includes/cloud/install-linux-cloud.mdx!)
+
+
+ Before installing a `teleport` binary with a version besides v(=cloud.major_version=),
+ read our compatibility rules to ensure that the binary is compatible with
+ Teleport Enterprise Cloud.
+
+ (!docs/pages/includes/compatibility.mdx!)
+
+
+
+
diff --git a/docs/pages/includes/install-linux.mdx b/docs/pages/includes/install-linux.mdx
index 054ebf1f59c0a..4c2efd5f694b0 100644
--- a/docs/pages/includes/install-linux.mdx
+++ b/docs/pages/includes/install-linux.mdx
@@ -1,6 +1,23 @@
 Use the appropriate commands for your environment to install your package:
+
+
+ ```code
+ $ curl https://goteleport.com/static/install.sh | bash -s (=cloud.version=)
+ ```
+
+
+
+ Before installing a `teleport` binary with a version besides
+ v(=cloud.major_version=), read our compatibility rules to ensure that the
+ binary is compatible with Teleport Cloud.
+
+ (!docs/pages/includes/compatibility.mdx!)
+
+
+
+
```code @@ -10,7 +27,7 @@ Use the appropriate commands for your environment to install your package: - + ```code # Download Teleport's PGP public key @@ -35,7 +52,7 @@ Use the appropriate commands for your environment to install your package: ``` - + ```code # Source variables about OS version @@ -59,7 +76,7 @@ Use the appropriate commands for your environment to install your package: ``` - + ```code # Source variables about OS version @@ -83,7 +100,7 @@ Use the appropriate commands for your environment to install your package: ``` - + In the example commands below, update `$SYSTEM_ARCH` with the appropriate value (`amd64`, `arm64`, or `arm`). All example commands using this variable @@ -117,13 +134,13 @@ Use the appropriate commands for your environment to install your package: - + (!docs/pages/includes/cloud/install-linux-cloud.mdx!) -
+
Before installing a `teleport` binary with a version besides v(=cloud.major_version=), read our compatibility rules to ensure that the binary is compatible with - Teleport Cloud. + Teleport Enterprise Cloud. (!docs/pages/includes/compatibility.mdx!) diff --git a/docs/pages/includes/install-windows.mdx b/docs/pages/includes/install-windows.mdx index b7920e0822071..38eea8bf975fb 100644 --- a/docs/pages/includes/install-windows.mdx +++ b/docs/pages/includes/install-windows.mdx @@ -4,20 +4,25 @@ can be run under `cmd.exe`, PowerShell, and Windows Terminal. To install `tsh` on Windows, run the following commands in **PowerShell** (these commands will not work in `cmd.exe`): - + (!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !) - - + + (!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !) - + + - + (!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !) + + + + (!docs/pages/includes/install-windows-tsh.mdx version="(=cloud.version=)" !) - - + + diff --git a/docs/pages/includes/no-oss-prereqs-tabs.mdx b/docs/pages/includes/no-oss-prereqs-tabs.mdx new file mode 100644 index 0000000000000..c42ce6b543e34 --- /dev/null +++ b/docs/pages/includes/no-oss-prereqs-tabs.mdx 
@@ -0,0 +1,56 @@
+
+
+
+- A Teleport Team account. If you do not have one, visit the [signup
+ page](https://goteleport.com/signup/) to begin your free trial.
+
+- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
+
+ ```code
+ $ tctl version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+ ```
+
+ See [Installation](../installation.mdx) for details.
+
+
+
+
+- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
+ [Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=),
+ which you can download by visiting your [Teleport account](https://teleport.sh).
+
+ ```code
+ $ tctl version
+ # Teleport Enterprise v(=teleport.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+ ```
+
+
+
+
+- A Teleport Enterprise Cloud account. If you do not have one, visit the [signup
+ page](https://goteleport.com/signup/) to begin your free trial.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=cloud.version=).
+ To download these tools, visit the [Downloads](../choose-an-edition/teleport-cloud/downloads.mdx) page.
+
+ ```code
+ $ tctl version
+ # Teleport Enterprise v(=cloud.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=cloud.version=) go(=teleport.golang=)
+ ```
+
+
+
diff --git a/docs/pages/includes/self-hosted-prereqs-tabs.mdx b/docs/pages/includes/self-hosted-prereqs-tabs.mdx
new file mode 100644
index 0000000000000..5c0fb1cd155c0
--- /dev/null
+++ b/docs/pages/includes/self-hosted-prereqs-tabs.mdx
@@ -0,0 +1,38 @@ + + + +- A running Teleport cluster. For details on how to set this up, see our + [Getting Started](../index.mdx) guide. + +- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=). + + ```code + $ tctl version + # Teleport v(=teleport.version=) go(=teleport.golang=) + + $ tsh version + # Teleport v(=teleport.version=) go(=teleport.golang=) + ``` + + See [Installation](../installation.mdx) for details. + + + + +- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise + [Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide. + +- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=), + which you can download by visiting your [Teleport account](https://teleport.sh). + + ```code + $ tctl version + # Teleport Enterprise v(=teleport.version=) go(=teleport.golang=) + + $ tsh version + # Teleport v(=teleport.version=) go(=teleport.golang=) + ``` + + + diff --git a/docs/pages/includes/sso/loginerrortroubleshooting.mdx b/docs/pages/includes/sso/loginerrortroubleshooting.mdx index 6a3897e7ee9fe..3e3fa0a839fd5 100644 --- a/docs/pages/includes/sso/loginerrortroubleshooting.mdx +++ b/docs/pages/includes/sso/loginerrortroubleshooting.mdx @@ -1,9 +1,9 @@ Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator must be able to: - -- Ensure that HTTP/TLS certificates are configured properly for both Teleport - proxy and the SSO provider. + +- Ensure that HTTP/TLS certificates are configured properly for both the Teleport + Proxy Service and the SSO provider. - Be able to see what SAML/OIDC claims and values are getting exported and passed by the SSO provider to Teleport. diff --git a/docs/pages/includes/tctl.mdx b/docs/pages/includes/tctl.mdx index 5bf327d1652c3..0de6d3dd8dba3 100644 --- a/docs/pages/includes/tctl.mdx +++ b/docs/pages/includes/tctl.mdx 
@@ -1,6 +1,9 @@ Make sure you can connect to Teleport. Log in to your cluster using `tsh`, then use `tctl` remotely: +{/* Ignoring scope linting since we use this partial throughout the docs and +cannot guarantee that it will line up with a page's configured scopes*/} +{/*lint ignore scopes*/} ```code @@ -16,7 +19,8 @@ You can run subsequent `tctl` commands in this guide on your local machine. For full privileges, you can also run `tctl` commands on your Auth Service host. - +{/*lint ignore scopes*/} + ```code $ tsh login --proxy=myinstance.teleport.sh --user=email@example.com diff --git a/docs/pages/installation.mdx b/docs/pages/installation.mdx index 3429d6dc6cb7c..658b709249864 100644 --- a/docs/pages/installation.mdx +++ b/docs/pages/installation.mdx @@ -153,7 +153,7 @@ either: `(=teleport.version=)`. - + |Image name|Troubleshooting Tools?|Image base| |-|-|-| @@ -169,7 +169,7 @@ repository](https://gallery.ecr.aws/gravitational/teleport-ent). Their use is considered deprecated, and they may be removed in future releases. - + | Image name | Includes troubleshooting tools | Image base | | - | - | - | @@ -346,7 +346,7 @@ chart. ## macOS - + You can download one of the following .pkg installers for macOS: @@ -418,7 +418,7 @@ chart. (!docs/pages/includes/enterprise/install-macos.mdx!) - + (!docs/pages/includes/cloud/install-macos.mdx!) diff --git a/docs/pages/kubernetes-access/getting-started.mdx b/docs/pages/kubernetes-access/getting-started.mdx index a4e370578d06a..025e28e463333 100644 --- a/docs/pages/kubernetes-access/getting-started.mdx +++ b/docs/pages/kubernetes-access/getting-started.mdx @@ -77,7 +77,7 @@ or up to one major version back. You can set the version override with the overr (!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!) - + Switch `kubectl` to the Kubernetes cluster `cookie` and run the following commands, assigning `PROXY_ADDR` to the address of your Auth Service or Proxy 
diff --git a/docs/pages/kubernetes-access/manage-access/federation.mdx b/docs/pages/kubernetes-access/manage-access/federation.mdx index 57301a19ea3f8..543020c82301f 100644 --- a/docs/pages/kubernetes-access/manage-access/federation.mdx +++ b/docs/pages/kubernetes-access/manage-access/federation.mdx @@ -42,7 +42,7 @@ $ tsh --proxy=main.example.com login east ``` - + When multiple Trusted Clusters are present behind the Teleport Proxy Service, the `kubeconfig` generated by [tsh login](../../reference/cli.mdx#tsh-login) will contain the @@ -52,7 +52,7 @@ login](../../reference/cli.mdx#tsh-login). For example, consider the following setup: - There are two Teleport/Kubernetes clusters, `east` and `west`. These are the names set in `cluster_name` setting in their configuration files. -- The clusters `east` and `west` are Trusted Clusters for a Teleport Cloud tenant, `mytenant.teleport.sh`. +- The clusters `east` and `west` are Trusted Clusters for a Teleport Team or Enterprise Cloud tenant, `mytenant.teleport.sh`. - Users always authenticate against `mytenant.teleport.sh` but use their certificates to access SSH nodes and the Kubernetes API in all three clusters. diff --git a/docs/pages/management/admin/troubleshooting.mdx b/docs/pages/management/admin/troubleshooting.mdx index fe3d63c0d6780..7ec24a64765c4 100644 --- a/docs/pages/management/admin/troubleshooting.mdx +++ b/docs/pages/management/admin/troubleshooting.mdx 
@@ -150,11 +150,11 @@ Teleport v9.0.4 git: go1.18 ### Pose your question - + If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues) or create a ticket through your [Teleport account](https://teleport.sh). - + If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues). For more information about custom features, or to try our [Enterprise edition](../../choose-an-edition/teleport-enterprise/introduction.mdx) of Teleport, please reach out to us at [sales](https://goteleport.com/signup/enterprise/). diff --git a/docs/pages/management/admin/trustedclusters.mdx b/docs/pages/management/admin/trustedclusters.mdx index 6db59f01a06a1..f7b3cf5209525 100644 --- a/docs/pages/management/admin/trustedclusters.mdx +++ b/docs/pages/management/admin/trustedclusters.mdx @@ -42,6 +42,26 @@ This guide will explain how to: ## Prerequisites + + +- A Teleport Team account. If you do not have one, visit the [signup + page](https://goteleport.com/signup/) to begin your free trial. + +- A second Teleport cluster, which will act as the leaf cluster. For details on + how to set up this cluster, see our [Getting Started](../../index.mdx) + guide. + + As an alternative, you can set up a second Teleport Team account. + +- (!docs/pages/includes/cloud/tctl-tsh-prerequisite.mdx!) + +- A Teleport Node that is joined to one of your clusters. We will refer to this + cluster as the **leaf cluster** throughout this guide. + + See [Join Services to your Cluster](../../agents/join-services-to-your-cluster.mdx) for + how to launch a Teleport Node in your cluster. + + - Two running Teleport clusters. For details on how to set up your clusters, see 
@@ -76,7 +96,7 @@ This guide will explain how to: + label="Teleport Enterprise Cloud"> - A Teleport Enterprise Cloud account. If you do not have one, visit the [sign up page](https://goteleport.com/signup/) to begin a free trial of Teleport @@ -981,7 +1001,7 @@ should check to see the following: cluster. Check the audit log messages on both clusters to get answers for the questions above. - + Troubleshooting "access denied" messages can be challenging. A Teleport administrator should check to see the following: @@ -995,6 +1015,7 @@ should check to see the following: ## Further reading + - Read more about how Trusted Clusters fit into Teleport's overall architecture: [Architecture Introduction](../../architecture/trustedclusters.mdx). diff --git a/docs/pages/management/admin/uninstall-teleport.mdx b/docs/pages/management/admin/uninstall-teleport.mdx index edd3a5f7cb242..4acd8a30362ea 100644 --- a/docs/pages/management/admin/uninstall-teleport.mdx +++ b/docs/pages/management/admin/uninstall-teleport.mdx @@ -70,9 +70,9 @@ $ docker stop teleport ## Step 2/3. Remove Teleport binaries - + - + Uninstall the Teleport binary using APT: @@ -95,7 +95,7 @@ $ docker stop teleport - + Uninstall the Teleport binary using YUM: @@ -120,7 +120,7 @@ $ docker stop teleport - + These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here. @@ -137,7 +137,7 @@ $ docker stop teleport ``` - + These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here. @@ -163,7 +163,7 @@ $ docker stop teleport - + Remove the `tsh.exe` binary from the machine: @@ -179,7 +179,7 @@ $ docker stop teleport - + Uninstall the Teleport binary using APT: @@ -207,7 +207,7 @@ $ docker stop teleport - + Uninstall the Teleport binary using YUM: 
@@ -238,7 +238,7 @@ $ docker stop teleport - + These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here. @@ -255,7 +255,7 @@ $ docker stop teleport ``` - + These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here. @@ -281,7 +281,7 @@ $ docker stop teleport - + Remove the `tsh.exe` binary from the machine: @@ -294,10 +294,10 @@ $ docker stop teleport - + - + Uninstall the Teleport binary using APT: @@ -324,7 +324,7 @@ $ docker stop teleport - + Uninstall the Teleport binary using YUM: @@ -354,7 +354,7 @@ $ docker stop teleport - + These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here. @@ -371,7 +371,7 @@ $ docker stop teleport ``` - + These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here. @@ -397,7 +397,7 @@ $ docker stop teleport - + Remove the `tsh.exe` binary from the machine: diff --git a/docs/pages/management/admin/users.mdx b/docs/pages/management/admin/users.mdx index 914687c44e67b..b47dbde42da64 100644 --- a/docs/pages/management/admin/users.mdx +++ b/docs/pages/management/admin/users.mdx @@ -112,7 +112,7 @@ $ tctl users rm joe ## Next steps - + In addition to users, you can use `tctl` to manage roles and other dynamic resources. See our [Teleport Resources Reference](../../reference/resources.mdx). @@ -125,7 +125,7 @@ For more information, see: - [Single Sign-On](../../access-controls/sso.mdx) - + In addition to users, you can use `tctl` to manage roles and other dynamic resources. See our [Teleport Resources Reference](../../reference/resources.mdx). 
diff --git a/docs/pages/management/dynamic-resources/teleport-operator.mdx b/docs/pages/management/dynamic-resources/teleport-operator.mdx index 6e74bef93b00d..decb63782b1ee 100644 --- a/docs/pages/management/dynamic-resources/teleport-operator.mdx +++ b/docs/pages/management/dynamic-resources/teleport-operator.mdx @@ -34,7 +34,7 @@ This guide covers how to: ## Prerequisites -(!docs/pages/includes/edition-prereqs-tabs.mdx!) +(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!) - Kubernetes cluster (with or without `teleport-cluster` Helm chart already deployed); - [Helm](https://helm.sh/docs/intro/quickstart/) diff --git a/docs/pages/management/dynamic-resources/terraform-provider.mdx b/docs/pages/management/dynamic-resources/terraform-provider.mdx index 557bb1377934d..eecf859f92264 100644 --- a/docs/pages/management/dynamic-resources/terraform-provider.mdx +++ b/docs/pages/management/dynamic-resources/terraform-provider.mdx @@ -138,7 +138,7 @@ Paste the following into a file called `main.tf` to define an example user and role using Terraform. - + ``` (!examples/resources/terraform/terraform-user-role-cloud.tf!) ``` diff --git a/docs/pages/management/export-audit-events/datadog.mdx b/docs/pages/management/export-audit-events/datadog.mdx index c7f921631d468..e79b9745fc336 100644 --- a/docs/pages/management/export-audit-events/datadog.mdx +++ b/docs/pages/management/export-audit-events/datadog.mdx @@ -48,7 +48,7 @@ d-->h(Datadog) ## Prerequisites -(!docs/pages/includes/commercial-prereqs-tabs.mdx!) +(!docs/pages/includes/edition-prereqs-tabs.mdx!) - A [Datadog](https://www.datadoghq.com/) account. - A server, virtual machine, Kubernetes cluster, or Docker environment to run the @@ -125,12 +125,12 @@ read events. We export an identity file for the user with the `tctl auth sign` command. - + (!docs/pages/includes/plugins/identity-export.mdx user="teleport-event-handler"!) - + (!docs/pages/includes/plugins/identity-export.mdx user="teleport-event-handler"!) 
@@ -217,7 +217,7 @@ Earlier, we generated a file called `teleport-event-handler.toml` to configure the Fluentd event handler. This file includes setting similar to the following: - + ```toml storage = "./storage" diff --git a/docs/pages/management/export-audit-events/elastic-stack.mdx b/docs/pages/management/export-audit-events/elastic-stack.mdx index 0433024c473b1..cfec384611946 100644 --- a/docs/pages/management/export-audit-events/elastic-stack.mdx +++ b/docs/pages/management/export-audit-events/elastic-stack.mdx @@ -15,7 +15,7 @@ stores them in Elasticsearch for visualization and alerting in Kibana. ## Prerequisites -(!docs/pages/includes/commercial-prereqs-tabs.mdx!) +(!docs/pages/includes/edition-prereqs-tabs.mdx!) - Logstash version 8.4.1 or above running on a Linux host. Logstash must be listening on a TCP port that is open to traffic from - + ```code $ tctl auth sign --user=teleport-event-handler --out=identity ``` @@ -143,7 +143,7 @@ connection to the Auth Service. The plugin uses this reverse tunnel, along with your TLS credentials, to connect to the Auth Service's gRPC endpoint. - + If you are planning to use the Helm Chart, you'll need to generate the keys with the `file` format, then create a secret in Kubernetes. @@ -235,7 +235,7 @@ Earlier, we generated a file called `teleport-event-handler.toml` to configure the Fluentd event handler. This file includes setting similar to the following: - + ```toml storage = "./storage" diff --git a/docs/pages/management/export-audit-events/splunk.mdx b/docs/pages/management/export-audit-events/splunk.mdx index d46500ffe95f0..ecc9c59828949 100644 --- a/docs/pages/management/export-audit-events/splunk.mdx +++ b/docs/pages/management/export-audit-events/splunk.mdx @@ -16,7 +16,7 @@ visualization and alerting. ## Prerequisites -(!docs/pages/includes/commercial-prereqs-tabs.mdx!) +(!docs/pages/includes/edition-prereqs-tabs.mdx!) - Splunk Cloud Platform or Splunk Enterprise v9.0.1 or above. 
diff --git a/docs/pages/management/operations/backup-restore.mdx b/docs/pages/management/operations/backup-restore.mdx index 10b134a0ee7b1..c2d38e10b04b0 100644 --- a/docs/pages/management/operations/backup-restore.mdx +++ b/docs/pages/management/operations/backup-restore.mdx @@ -47,9 +47,10 @@ Teleport audit logs, logged events have a TTL of 1 year. | Firestore | [Follow GCP's guidelines for automated backups](https://firebase.google.com/docs/database/backups) | - + -Teleport Cloud manages all Auth Service and Proxy Service backups. +Teleport Team and Teleport Enterprise Cloud manage all Auth Service and Proxy +Service backups. While Teleport Nodes are stateless, you should ensure that you can restore their configuration files. @@ -80,7 +81,7 @@ If you're running Teleport at scale, your teams need to have an automated way to if a resource already exists, so this command can be run regularly. - + - Store your dynamic resource configurations as discrete files in a git repository. @@ -224,9 +225,10 @@ also apply to a new cluster being bootstrapped from the state of an old cluster: dynamically will need to be re-invited. - + -In Teleport Cloud, backend data is managed for you automatically. +In Teleport Team and Teleport Enterprise Cloud, backend data is managed for you +automatically. If you would like to migrate configuration resources to a self-hosted Teleport cluster, follow our recommended backup practice of storing configuration diff --git a/docs/pages/management/operations/scaling.mdx b/docs/pages/management/operations/scaling.mdx index ca84dd3bfeec7..0d3ae0053aeee 100644 --- a/docs/pages/management/operations/scaling.mdx +++ b/docs/pages/management/operations/scaling.mdx 
@@ -4,14 +4,7 @@ description: How to configure Teleport for large-scale deployments --- This section explains the recommended configuration settings for large-scale -deployments of Teleport. - - - -For Teleport Cloud customers, the settings in this guide are configured -automatically. - - +self-hosted deployments of Teleport. (!docs/pages/includes/cloud/call-to-action.mdx!) diff --git a/docs/pages/management/operations/upgrading.mdx b/docs/pages/management/operations/upgrading.mdx index 362bb7e7c99d5..e16a294756663 100644 --- a/docs/pages/management/operations/upgrading.mdx +++ b/docs/pages/management/operations/upgrading.mdx @@ -89,7 +89,7 @@ When upgrading multiple clusters: 2. Upgrade the Trusted Clusters. - + The Teleport Auth Service and Proxy Service are upgraded automatically. When upgrading resource services, you may upgrade in any sequence or at the same diff --git a/docs/pages/management/security/reduce-blast-radius.mdx b/docs/pages/management/security/reduce-blast-radius.mdx index 0c191ac317619..13c61089d789d 100644 --- a/docs/pages/management/security/reduce-blast-radius.mdx +++ b/docs/pages/management/security/reduce-blast-radius.mdx @@ -22,7 +22,7 @@ Teleport lets you make it mandatory for a user to enroll an MFA device when they To do so, make the following changes depending on your environment: - + Ensure that the value of `auth_service.authentication.second_factor` is `otp`, `webauthn`, or `on`: @@ -34,7 +34,7 @@ auth_service: ``` - + Obtain your existing `cluster_auth_preference` resource: @@ -99,7 +99,7 @@ auth_service: require_session_mfa: yes ``` - + Create the following `cluster_auth_preference` dynamic resource: ```yaml diff --git a/docs/pages/reference/audit.mdx b/docs/pages/reference/audit.mdx index bd4760cb36f6d..524f3808e5f99 100644 --- a/docs/pages/reference/audit.mdx +++ b/docs/pages/reference/audit.mdx 
@@ -16,7 +16,7 @@ There are two components of the audit log: but can be configured to be done by the proxy. - + 1. **Cluster Events:** Teleport logs events like successful user logins along with metadata like remote IP address, time, and the session ID. @@ -72,10 +72,10 @@ $ ls -l /var/lib/teleport/log/ ``` - + -Teleport Cloud manages the storage of audit logs for you. You can access your -audit logs via the Teleport Web UI by clicking: +Teleport Team and Teleport Enterprise Cloud manage the storage of audit logs for +you. You can access your audit logs via the Teleport Web UI by clicking: **Activity** > **Audit Log** @@ -180,9 +180,10 @@ $ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json ``` - + -Teleport Cloud automatically stores recorded sessions. +Teleport Team and Teleport Enterprise Cloud automatically store recorded +sessions. You can replay recorded sessions using the [`tsh play`](./cli.mdx#tsh-play) command or the Web UI. diff --git a/docs/pages/reference/authentication.mdx b/docs/pages/reference/authentication.mdx index a246dcac8d963..1acd2e2000727 100644 --- a/docs/pages/reference/authentication.mdx +++ b/docs/pages/reference/authentication.mdx @@ -79,12 +79,11 @@ Create the `cluster_auth_preference` resource via `tctl`: $ tctl create -f cap.yaml ``` - + You can modify these settings using dynamic configuration resources. -Log in to Teleport from your local machine so you can use the Enterprise -edition of the `tctl` admin tool: +Log in to Teleport from your local machine so you can use the `tctl` admin tool: ```code $ tsh login --proxy=myinstance.teleport.sh 
@@ -168,7 +167,28 @@ The user will now be unblocked from login attempts and can attempt to authentica ## Authentication connectors - + + +### GitHub + +This connector implements GitHub's OAuth 2.0 authentication flow. Please refer to GitHub's documentation on [Creating an OAuth App](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/) +to learn how to create and register an OAuth app. + +Here is an example of this setting in a `cluster_auth_preference` resource: + +```yaml +kind: cluster_auth_preference +metadata: + name: cluster-auth-preference +spec: + type: github +version: v2 +``` + +See [GitHub OAuth 2.0](../access-controls/sso/github-sso.mdx) for details on how to configure it. + + + ### GitHub diff --git a/docs/pages/reference/backends.mdx b/docs/pages/reference/backends.mdx index d9eab63aa2b05..65364ece7514f 100644 --- a/docs/pages/reference/backends.mdx +++ b/docs/pages/reference/backends.mdx @@ -4,15 +4,11 @@ description: How to configure Teleport deployment for high-availability using st --- A Teleport cluster stores different types of data in different locations. By -default everything is stored in a local directory at the Auth server. -Integration with other storage types is implemented based on the nature of the -stored data (size, read/write ratio, mutability, etc.). +default everything is stored in a local directory on the Auth Service host. - - -Teleport Cloud manages Auth Service and Proxy Service data for you, so there is -no need to configure a backend. - +For self-hosted Teleport deployments, you can configure Teleport to integrate +with other storage types based on the nature of the stored data (size, +read/write ratio, mutability, etc.). | Data type | Description | Supported storage backends | | - | - | - | diff --git a/docs/pages/reference/cli.mdx b/docs/pages/reference/cli.mdx index 8e9cdf6232bd2..1d473152687ae 100644 --- a/docs/pages/reference/cli.mdx +++ b/docs/pages/reference/cli.mdx 
@@ -1575,7 +1575,7 @@ which could result in the error, `ERROR: open /var/lib/teleport/host_uuid: permission denied`. - + When running `tctl` commands, administrators must authenticate to a Teleport cluster. This can be done in two ways: @@ -2982,7 +2982,7 @@ Starts the Machine ID client `tbot`, fetching and writing certificates to disk a #### Examples - + ```code $ tbot start \ @@ -2995,7 +2995,7 @@ $ tbot start \ ``` - + ```code $ tbot start \ diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index 3e4c8cc6ae6fe..888898c989478 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx @@ -25,7 +25,7 @@ following use cases: - You want Teleport to issue an SSH certificate for the service with additional principals, e.g., host names. - + All Teleport services (e.g., the Application Service and Database Service) have an optional `public_addr` property that you can modify in each service's @@ -157,7 +157,7 @@ In those cases, they can set up separate listeners in the config file. | 3025 | All Teleport services | TLS port used by the Auth Service to serve its gRPC API to other Teleport services in a cluster.| - + ### Proxy Service ports diff --git a/docs/pages/server-access/guides/bpf-session-recording.mdx b/docs/pages/server-access/guides/bpf-session-recording.mdx index 168874cfcf539..93f7916ad8ab3 100644 --- a/docs/pages/server-access/guides/bpf-session-recording.mdx +++ b/docs/pages/server-access/guides/bpf-session-recording.mdx @@ -241,7 +241,7 @@ To quickly check the status of the audit log, you can simply tail the logs with `tail -f /var/lib/teleport/log/events.log`. The resulting capture from Teleport will be a JSON log for each command and network request. - + Enhanced session recording events will be shown in Teleport's audit log, which you can inspect by visiting Teleport's Web UI. 
diff --git a/docs/pages/server-access/guides/recording-proxy-mode.mdx b/docs/pages/server-access/guides/recording-proxy-mode.mdx index f7d99feabc70f..c360b00db1e88 100644 --- a/docs/pages/server-access/guides/recording-proxy-mode.mdx +++ b/docs/pages/server-access/guides/recording-proxy-mode.mdx @@ -15,14 +15,14 @@ when gradually transitioning large server fleets to Teleport. ![Teleport OpenSSH Recording Proxy](../../../img/server-access/openssh-proxy.svg) - + Teleport Cloud only supports session recording at the Node level. If you are interested in setting up session recording, read our [Server Access Getting Started Guide](../getting-started.mdx) so you can start replacing your OpenSSH servers with Teleport Nodes. - + We consider Recording Proxy Mode to be less secure than recording at the Node level for two reasons: @@ -34,7 +34,7 @@ The Teleport Proxy Service should be available to clients and set up with TLS. ## Prerequisites -(!docs/pages/includes/edition-prereqs-tabs.mdx!) +(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!) - A host where you will run an OpenSSH server. - (!docs/pages/includes/tctl.mdx!)