Add bot field to certificates and various usage events#35881
Merged
timothyb89 merged 18 commits intomasterfrom Jan 4, 2024
Merged
Add bot field to certificates and various usage events#35881timothyb89 merged 18 commits intomasterfrom
timothyb89 merged 18 commits intomasterfrom
Conversation
This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060
Contributor
Author
|
Outstanding TODOs:
|
timothyb89
commented
Dec 27, 2023
strideynet
reviewed
Dec 27, 2023
This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes.
Contributor
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
strideynet
reviewed
Dec 28, 2023
Contributor
strideynet
left a comment
strideynet
left a comment
There was a problem hiding this comment.
Looks generally good. From my reading, we're only currently putting the attribute into the impersonated certs or renewed certs. Could we also make sure it goes onto the bots own certs that are produced by the joining process ?
| userActivity := make(map[string]*prehogv1.UserActivityRecord) | ||
|
|
||
| userRecord := func(userName string) *prehogv1.UserActivityRecord { | ||
| userRecord := func(userName string, v1AlphaUserKind prehogv1alpha.UserKind) *prehogv1.UserActivityRecord { |
Contributor
There was a problem hiding this comment.
Nit: I don't think it's a major concern but I can see a bit of potential raciness here if there's an issue with tracking bot status. The status of the user from the first event will set it for all future events. Perhaps we ought to put some warning or error in if the kind of the user changes ?
Contributor
Author
There was a problem hiding this comment.
I added a warning and had it override the flag. I think the behavior could go either way realistically - and given it's a bug regardless I'm not sure if I expect anything good to come from whichever behavior we use.
Contributor
There was a problem hiding this comment.
Maybe we should leave the record.UserKind as is if v1UserKind is unspecified, just in case?
Contributor
Author
There was a problem hiding this comment.
Ah, good call, we could definitely see this when aggregating events together from an outdated node. I suppose this goes both ways, right? We should allow transition from unspecified -> specified, and disallow transitions from specified -> unspecified, otherwise at least one will be logged as a warning.
Contributor
Author
There was a problem hiding this comment.
I've tweaked the logic here. It now allows identifying a previously unspecified user, ignores unspecified updates, and warns about flipping between human/bot users.
Contributor
Author
Good catch on the bot flag, I always forget the initial certs are generated from a different codepath. The flag is fixed now. |
strideynet
approved these changes
Jan 2, 2024
espadolini
reviewed
Jan 2, 2024
| userActivity := make(map[string]*prehogv1.UserActivityRecord) | ||
|
|
||
| userRecord := func(userName string) *prehogv1.UserActivityRecord { | ||
| userRecord := func(userName string, v1AlphaUserKind prehogv1alpha.UserKind) *prehogv1.UserActivityRecord { |
Contributor
There was a problem hiding this comment.
Maybe we should leave the record.UserKind as is if v1UserKind is unspecified, just in case?
public-teleport-github-review-bot
Bot
removed request for
flyinghermit and
ryanclark
timothyb89
force-pushed
the
timothyb89/bot-flag-usage-events
branch
from
17a3729 to
9d7b12d
Compare
|
@timothyb89 See the table below for backport results.
|
timothyb89
added a commit
that referenced
this pull request
Jan 5, 2024
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
timothyb89
added a commit
that referenced
this pull request
Jan 6, 2024
* Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 9, 2024
…#36366) * Add bot field to certificates and various usage events (#35881) * Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic * Fix failing tests
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 11, 2024
…#36313) * Add bot field to certificates and various usage events (#35881) * Add bot field to certificates and various usage events This adds a new certificate extension field, `teleport-bot`, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user. Additionally, this uses the new `Bot` identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes. [1] gravitational/cloud#7060 * Small bot flag plumbing fixes * Convert bot flag to BotName and UserKind enum This makes a few changes to the bot tagging approach: * The bot name is embedded in the cert rather than just true/false * UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes. * Add a quick unit test for bot cert extensions * Fix outdated grpc * Include bot flag on initial certs * Log a warning and override user kind for usage records if they differ * Fix several unit tests; add a bot metadata test case * Fix unit tests with UserKind zero value * Rename SSH cert extension to use standard format Renames the `teleport-bot` extension to `bot-name@goteleport.com`, to better follow SSH cert extension naming conventions. * Attempt to improve unspecified userkind aggregating logic * Fix broken tests
tigrato
added a commit
that referenced
this pull request
Jun 27, 2025
Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jun 27, 2025
* auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
tigrato
added a commit
that referenced
this pull request
Jun 27, 2025
* auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
tigrato
added a commit
that referenced
this pull request
Jun 27, 2025
* auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
tigrato
added a commit
that referenced
this pull request
Jun 27, 2025
* auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
tigrato
added a commit
that referenced
this pull request
Jun 27, 2025
* auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jun 27, 2025
) * auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jun 27, 2025
) * auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jun 27, 2025
) * auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jun 27, 2025
) * auditlog: introduce `USER_KIND_SYSTEM` for system roles Teleport allows that system roles perform certain actions like creating, updating or deleting users, roles and access lists when performed by the Okta integration or creating, updating and deleting apps, kube, dbs when performed by the discovery service. When #35881 was implemented, it only contemplated two states: bot or human. If the identity wasn't a bot, it was automatically tagged as a human. This behavior is fine if we only emited audit logs for actions performed by bots or users, but that's not the case. We also emit for certain system actions. When reading the audit log, one can see that the audit log is marked as user although the username has the format: `<uuid>.<teleportClusterName>`. This PR attempts to introduce a third user kind - system - that should identity when the action was performed by a system component. This is a requirement so that Identity Security can distinguish user actions and system actions. * add unit tests --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds a new certificate extension field,
teleport-bot, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user, set to the bot's unprefixed name.Additionally, this uses the new bot name field to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which also pulled in some small additional (mostly comment) changes.
[1] https://github.com/gravitational/cloud/pull/7060
changelog: Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity