Rearranged folders by alexlyulkov · Pull Request #34 · gravitational/teleport

alexlyulkov · 2015-10-05T14:35:05Z

No description provided.

klizhentas · 2015-10-05T17:40:46Z

looks good, feel free to merge

Rearranged folders

Automatically discover and register Windows hosts by performing an LDAP search for computers. These hosts are labeled with a variety of teleport.dev/ labels as defined in RFD #34. Note: this change is deliberately naive and only attempts to lookup hosts once on startup. In a future update we will look at performing this lookup periodically. Updates #7761

Removing the old roles migration allows Teleport to start even in the face of invalid roles. The system will still be largely unusable, but `tctl rm` is now possible as a fallback. Added logging makes it easier to determine the bad role. Turns this scenario: ```shell $ teleport start > (...) > ERROR: initialization failed > could not parse 'where' rule: "!contains(ssh_session.participants, user.metadata.name)", error: ssh_session.participants is not defined > (teleport exits) ``` into this: ```shell $ teleport start > (...) > 2021-11-18T16:50:29-03:00 WARN [AUTH:1:CA] "Re-init the cache on error: role \"join_own_sessions_only\"\n\tcould not parse 'where' rule: \"!contains(ssh_session.participants, user.metadata.name)\", error: ssh_session.participants is not defined." cache/cache.go:725 > 2021-11-18T16:50:29-03:00 WARN [AUTH:1:CA] Cache "auth" first init failed, continuing re-init attempts in background. error:[ > ERROR REPORT: > Original Error: *trace.BadParameterError could not parse 'where' rule: "!contains(ssh_session.participants, user.metadata.name)", error: ssh_session.participants is not defined > Stack Trace: > (...) > User Message: role "join_own_sessions_only" > could not parse 'where' rule: "!contains(ssh_session.participants, user.metadata.name)", error: ssh_session.participants is not defined] cache/cache.go:678 > 2021-11-18T16:50:35-03:00 WARN [AUTH:1:CA] "Re-init the cache on error: role \"join_own_sessions_only\"\n\tcould not parse 'where' rule: \"!contains(ssh_session.participants, user.metadata.name)\", error: ssh_session.participants is not defined." cache/cache.go:725 > (teleport running, tctl works) ``` See #9059 for the larger context. * Remove Teleport 4.3 role migration * Remove unused parameters * Add role name to GetRoles validation failures

In the previous version, the proxy client would be closed immediately after addMetadataToRetryableError. This commit makes it so that the proxy client is closed only after GetAllowedDatabaseUsers finishes. When running Connect on Windows, Grzegorz ran into a problem where fetching db users for MSSQL would fail but only on Windows and only for MSSQL: Failed to fetch current user information: connection error: desc = "transport: Error while dialing failed to dial: read tcp 10.211.55.4:55519->52.14.45.73:3023: use of closed network connection". services\role.go:764 Other times the error would be connection error: desc = "transport: Error while dialing failed to dial: ssh: unexpected packet in response to channel open: <nil>"] apiserver\middleware.go:39 Surprisingly, `tsh db ls` didn't have this problem. So when thinking about what we're doing differently than tsh and how it might be related to a closed connection, I noticed that I made a bug in the code that closes the proxy client.

) In the previous version, the proxy client would be closed immediately after addMetadataToRetryableError. This commit makes it so that the proxy client is closed only after GetAllowedDatabaseUsers finishes. When running Connect on Windows, Grzegorz ran into a problem where fetching db users for MSSQL would fail but only on Windows and only for MSSQL: Failed to fetch current user information: connection error: desc = "transport: Error while dialing failed to dial: read tcp 10.211.55.4:55519->52.14.45.73:3023: use of closed network connection". services\role.go:764 Other times the error would be connection error: desc = "transport: Error while dialing failed to dial: ssh: unexpected packet in response to channel open: <nil>"] apiserver\middleware.go:39 Surprisingly, `tsh db ls` didn't have this problem. So when thinking about what we're doing differently than tsh and how it might be related to a closed connection, I noticed that I made a bug in the code that closes the proxy client.

In the previous version, the proxy client would be closed immediately after addMetadataToRetryableError. This commit makes it so that the proxy client is closed only after GetAllowedDatabaseUsers finishes. When running Connect on Windows, Grzegorz ran into a problem where fetching db users for MSSQL would fail but only on Windows and only for MSSQL: Failed to fetch current user information: connection error: desc = "transport: Error while dialing failed to dial: read tcp 10.211.55.4:55519->52.14.45.73:3023: use of closed network connection". services\role.go:764 Other times the error would be connection error: desc = "transport: Error while dialing failed to dial: ssh: unexpected packet in response to channel open: <nil>"] apiserver\middleware.go:39 Surprisingly, `tsh db ls` didn't have this problem. So when thinking about what we're doing differently than tsh and how it might be related to a closed connection, I noticed that I made a bug in the code that closes the proxy client.

#14375) Connect: Fix premature proxyClient.Close() when getting db users In the previous version, the proxy client would be closed immediately after addMetadataToRetryableError. This commit makes it so that the proxy client is closed only after GetAllowedDatabaseUsers finishes. When running Connect on Windows, Grzegorz ran into a problem where fetching db users for MSSQL would fail but only on Windows and only for MSSQL: Failed to fetch current user information: connection error: desc = "transport: Error while dialing failed to dial: read tcp 10.211.55.4:55519->52.14.45.73:3023: use of closed network connection". services\role.go:764 Other times the error would be connection error: desc = "transport: Error while dialing failed to dial: ssh: unexpected packet in response to channel open: <nil>"] apiserver\middleware.go:39 Surprisingly, `tsh db ls` didn't have this problem. So when thinking about what we're doing differently than tsh and how it might be related to a closed connection, I noticed that I made a bug in the code that closes the proxy client.

* Unit test FieldSelect

Currently the `tsh` debug log is polluted with "errors" created by the [automatic access request feature](https://goteleport.com/docs/access-controls/access-requests/resource-requests/?scope=enterprise#automatically-request-access-for-ssh) even in completely expected scenarios, e.g. when the user has no permission to create Resource Access Requests. Before this change: ``` $ tsh ssh -d alice@one-auth ...<omitted>... 2023-02-17T15:30:16-08:00 DEBU [TSH] unable to request access to node error:[ ERROR REPORT: Original Error: *trace.BadParameterError user attempted a resource request but does not have any "search_as_roles" Stack Trace: github.com/gravitational/teleport/api@v0.0.0/client/client.go:880 github.com/gravitational/teleport/api/client.(*Client).CreateAccessRequest github.com/gravitational/teleport/tool/tsh/tsh.go:2896 main.accessRequestForSSH.func1 github.com/gravitational/teleport/lib/client/api.go:1351 github.com/gravitational/teleport/lib/client.(*TeleportClient).WithRootClusterClient github.com/gravitational/teleport/tool/tsh/tsh.go:2895 main.accessRequestForSSH github.com/gravitational/teleport/tool/tsh/tsh.go:2916 main.retryWithAccessRequest github.com/gravitational/teleport/tool/tsh/tsh.go:2993 main.onSSH github.com/gravitational/teleport/tool/tsh/tsh.go:1086 main.Run github.com/gravitational/teleport/tool/tsh/tsh.go:482 main.main runtime/proc.go:250 runtime.main runtime/asm_amd64.s:1598 runtime.goexit User Message: user attempted a resource request but does not have any "search_as_roles"] tsh/tsh.go:2920 ERROR REPORT: Original Error: *trace.AccessDeniedError access denied to alice connecting to one-auth:0@default@cluster-one Stack Trace: github.com/gravitational/teleport/lib/client/client.go:1633 github.com/gravitational/teleport/lib/client.NewNodeClient github.com/gravitational/teleport/lib/client/client.go:1563 github.com/gravitational/teleport/lib/client.(*ProxyClient).ConnectToNode github.com/gravitational/teleport/lib/client/api.go:1451 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToNode github.com/gravitational/teleport/lib/client/api.go:1525 github.com/gravitational/teleport/lib/client.(*TeleportClient).runShellOrCommandOnSingleNode github.com/gravitational/teleport/lib/client/api.go:1408 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSH github.com/gravitational/teleport/tool/tsh/tsh.go:2995 main.onSSH.func1.1 github.com/gravitational/teleport/lib/client/api.go:504 github.com/gravitational/teleport/lib/client.RetryWithRelogin github.com/gravitational/teleport/tool/tsh/tsh.go:2994 main.onSSH.func1 github.com/gravitational/teleport/tool/tsh/tsh.go:2907 main.retryWithAccessRequest github.com/gravitational/teleport/tool/tsh/tsh.go:2993 main.onSSH github.com/gravitational/teleport/tool/tsh/tsh.go:1086 main.Run github.com/gravitational/teleport/tool/tsh/tsh.go:482 main.main runtime/proc.go:250 runtime.main runtime/asm_amd64.s:1598 runtime.goexit User Message: access denied to alice connecting to one-auth:0@default@cluster-one ``` After: ``` $ tsh ssh -d alice@one-auth ...<omitted>... 2023-02-17T16:42:29-08:00 DEBU [TSH] Not attempting to automatically request access, reason: Resource Access Requests require usable "search_as_roles", none found for user "nklaassen" tsh/tsh.go:2922 ERROR REPORT: Original Error: *trace.AccessDeniedError access denied to alice connecting to one-auth:0@default@cluster-one Stack Trace: github.com/gravitational/teleport/lib/client/client.go:1633 github.com/gravitational/teleport/lib/client.NewNodeClient github.com/gravitational/teleport/lib/client/client.go:1563 github.com/gravitational/teleport/lib/client.(*ProxyClient).ConnectToNode github.com/gravitational/teleport/lib/client/api.go:1451 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToNode github.com/gravitational/teleport/lib/client/api.go:1525 github.com/gravitational/teleport/lib/client.(*TeleportClient).runShellOrCommandOnSingleNode github.com/gravitational/teleport/lib/client/api.go:1408 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSH github.com/gravitational/teleport/tool/tsh/tsh.go:2997 main.onSSH.func1.1 github.com/gravitational/teleport/lib/client/api.go:504 github.com/gravitational/teleport/lib/client.RetryWithRelogin github.com/gravitational/teleport/tool/tsh/tsh.go:2996 main.onSSH.func1 github.com/gravitational/teleport/tool/tsh/tsh.go:2907 main.retryWithAccessRequest github.com/gravitational/teleport/tool/tsh/tsh.go:2995 main.onSSH github.com/gravitational/teleport/tool/tsh/tsh.go:1086 main.Run github.com/gravitational/teleport/tool/tsh/tsh.go:482 main.main runtime/proc.go:250 runtime.main runtime/asm_amd64.s:1598 runtime.goexit User Message: access denied to alice connecting to one-auth:0@default@cluster-one ```

The following error often confuses users: *ldap.Error LDAP Result Code 1 "Operations Error": 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this operation a successful bind must be completed on the connection. Since Teleport always uses x509 certs to bind, this error indicates that the Teleport-issued cert is not trusted (which is likely due to Teleport's CA not being imported as a trusted root). While fixing this, unify the LDAP error handling with a common utility for converting between LDAP error codes and trace errors.

added a scope condition for the Admonition component

There have been a few support questions raised recently about very confusing error messages similar to the following: ``` RespMetadata: { StatusCode: 400, RequestID: "FVRLJR89DF3H16H4NS9I2SM6R7VV4KQNSO5AEMVJF66Q9ASUAAJG" }, Message_: "The conditional request failed" }, failed to create db <db> ConditionalCheckFailedException: The conditional request failed ``` This error is returned because a resource that already exists is trying to be created again, and when DynamoDB detects this it returns a ConditionalCheckFailedException. Instead of returning these confusing error messages directly to users we can intercept them and provide a clearer message. Apps, Databases, Desktops and KubernetesClusters have all been updated to catch AlreadyExists errors on Create and NotFound errors on Update and alter the message returned to something similar to `resource "foo" does not exist` or `resource "foo" already exists`.

…9379) There have been a few support questions raised recently about very confusing error messages similar to the following: ``` RespMetadata: { StatusCode: 400, RequestID: "FVRLJR89DF3H16H4NS9I2SM6R7VV4KQNSO5AEMVJF66Q9ASUAAJG" }, Message_: "The conditional request failed" }, failed to create db <db> ConditionalCheckFailedException: The conditional request failed ``` This error is returned because a resource that already exists is trying to be created again, and when DynamoDB detects this it returns a ConditionalCheckFailedException. Instead of returning these confusing error messages directly to users we can intercept them and provide a clearer message. Apps, Databases, Desktops and KubernetesClusters have all been updated to catch AlreadyExists errors on Create and NotFound errors on Update and alter the message returned to something similar to `resource "foo" does not exist` or `resource "foo" already exists`.

There have been a few support questions raised recently about very confusing error messages similar to the following: ``` RespMetadata: { StatusCode: 400, RequestID: "FVRLJR89DF3H16H4NS9I2SM6R7VV4KQNSO5AEMVJF66Q9ASUAAJG" }, Message_: "The conditional request failed" }, failed to create db <db> ConditionalCheckFailedException: The conditional request failed ``` This error is returned because a resource that already exists is trying to be created again, and when DynamoDB detects this it returns a ConditionalCheckFailedException. Instead of returning these confusing error messages directly to users we can intercept them and provide a clearer message. Apps, Databases, Desktops and KubernetesClusters have all been updated to catch AlreadyExists errors on Create and NotFound errors on Update and alter the message returned to something similar to `resource "foo" does not exist` or `resource "foo" already exists`.

…9397) There have been a few support questions raised recently about very confusing error messages similar to the following: ``` RespMetadata: { StatusCode: 400, RequestID: "FVRLJR89DF3H16H4NS9I2SM6R7VV4KQNSO5AEMVJF66Q9ASUAAJG" }, Message_: "The conditional request failed" }, failed to create db <db> ConditionalCheckFailedException: The conditional request failed ``` This error is returned because a resource that already exists is trying to be created again, and when DynamoDB detects this it returns a ConditionalCheckFailedException. Instead of returning these confusing error messages directly to users we can intercept them and provide a clearer message. Apps, Databases, Desktops and KubernetesClusters have all been updated to catch AlreadyExists errors on Create and NotFound errors on Update and alter the message returned to something similar to `resource "foo" does not exist` or `resource "foo" already exists`.

…9396) There have been a few support questions raised recently about very confusing error messages similar to the following: ``` RespMetadata: { StatusCode: 400, RequestID: "FVRLJR89DF3H16H4NS9I2SM6R7VV4KQNSO5AEMVJF66Q9ASUAAJG" }, Message_: "The conditional request failed" }, failed to create db <db> ConditionalCheckFailedException: The conditional request failed ``` This error is returned because a resource that already exists is trying to be created again, and when DynamoDB detects this it returns a ConditionalCheckFailedException. Instead of returning these confusing error messages directly to users we can intercept them and provide a clearer message. Apps, Databases, Desktops and KubernetesClusters have all been updated to catch AlreadyExists errors on Create and NotFound errors on Update and alter the message returned to something similar to `resource "foo" does not exist` or `resource "foo" already exists`.

…9395) There have been a few support questions raised recently about very confusing error messages similar to the following: ``` RespMetadata: { StatusCode: 400, RequestID: "FVRLJR89DF3H16H4NS9I2SM6R7VV4KQNSO5AEMVJF66Q9ASUAAJG" }, Message_: "The conditional request failed" }, failed to create db <db> ConditionalCheckFailedException: The conditional request failed ``` This error is returned because a resource that already exists is trying to be created again, and when DynamoDB detects this it returns a ConditionalCheckFailedException. Instead of returning these confusing error messages directly to users we can intercept them and provide a clearer message. Apps, Databases, Desktops and KubernetesClusters have all been updated to catch AlreadyExists errors on Create and NotFound errors on Update and alter the message returned to something similar to `resource "foo" does not exist` or `resource "foo" already exists`.

## Existing error message ``` no value for key "fake-tim" in index name ``` ## New error message ``` types.User "tim2" does not exist ```

### Existing error message ``` no value for key "fake-tim" in index name ``` ### New error message ``` types.User "tim2" does not exist ```

Fixed imports

9afc9a3

alexlyulkov assigned klizhentas Oct 5, 2015

More folders arrangments

a3db86b

alexlyulkov added a commit that referenced this pull request Oct 5, 2015

Merge pull request #34 from gravitational/alex/arrange-folders

729555a

Rearranged folders

alexlyulkov merged commit 729555a into master Oct 5, 2015

alexlyulkov deleted the alex/arrange-folders branch October 5, 2015 18:09

hatched pushed a commit to hatched/teleport-merge that referenced this pull request Nov 30, 2022

Unit test FieldSelect (gravitational#34)

3f583b7

* Unit test FieldSelect

nick-inkeep pushed a commit to nick-inkeep/teleport-docs that referenced this pull request Jun 20, 2023

Merge pull request gravitational#34 from gravitational/scopes-admonition

ac6ebb1

added a scope condition for the Admonition component

rosstimothy added a commit that referenced this pull request Jun 6, 2025

Improve cache not found error messages

0925d22

## Existing error message ``` no value for key "fake-tim" in index name ``` ## New error message ``` types.User "tim2" does not exist ```

rosstimothy added a commit that referenced this pull request Jun 6, 2025

Improve cache not found error messages

2c6ffd5

### Existing error message ``` no value for key "fake-tim" in index name ``` ### New error message ``` types.User "tim2" does not exist ```

github-merge-queue Bot pushed a commit that referenced this pull request Jun 10, 2025

Improve cache not found error messages (#55505)

e6331a7

### Existing error message ``` no value for key "fake-tim" in index name ``` ### New error message ``` types.User "tim2" does not exist ```

backport-bot-workflows Bot pushed a commit that referenced this pull request Jun 10, 2025

Improve cache not found error messages

513d259

### Existing error message ``` no value for key "fake-tim" in index name ``` ### New error message ``` types.User "tim2" does not exist ```

github-merge-queue Bot pushed a commit that referenced this pull request Jun 16, 2025

Improve cache not found error messages (#55595)

11ae0c7

### Existing error message ``` no value for key "fake-tim" in index name ``` ### New error message ``` types.User "tim2" does not exist ```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rearranged folders#34

Rearranged folders#34
alexlyulkov merged 2 commits intomasterfrom
alex/arrange-folders

alexlyulkov commented Oct 5, 2015

Uh oh!

klizhentas commented Oct 5, 2015

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

alexlyulkov commented Oct 5, 2015

Uh oh!

klizhentas commented Oct 5, 2015

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants