Skip to content

route based on match quality score#40559

Merged
fspmarshall merged 1 commit intomasterfrom
fspmarshall/route-score-proto
Apr 18, 2024
Merged

route based on match quality score#40559
fspmarshall merged 1 commit intomasterfrom
fspmarshall/route-score-proto

Conversation

@fspmarshall
Copy link
Copy Markdown
Contributor

@fspmarshall fspmarshall commented Apr 15, 2024
edited
Loading

Improves the quality of teleport ssh routing by scoring matches, with stronger matches being given priority.

When a user attempts to ssh into a teleport node, the teleport proxy needs to decide what node to route to based on the host value typed in by the user. The proxy does this both by matching the exact literal and, if the user entered a valid hostname, by matching nodes whose IPs match the IPs associated with that hostname. This can lead to unexpected behavior when multiple nodes share the same IP address. Take the following example nodes:

kind: node
metadata:
  name: 3d3fd67b-17de-4491-a0a7-4d42f3f43e6a
spec:
  addr: 1.2.3.4:123
  hostname: node1.example.com
  # ...
version: v2
---
kind: node
metadata:
  name: 2623bd07-e2aa-43c9-9562-fad37a627ffd
spec:
  addr: 1.2.3.4:456
  hostname: node2.example.com
  # ...
version: v2

Given the above, a user running tsh ssh alice@node1.example.com should be unambiguous, but if node1.example.com corresponds to a valid DNS entry, the resolved IPs will make the match ambiguous because node2.example.com shares the same IP.

This PR changes the behavior of route matching to prioritize nodes that match the literal value typed in by the user over indirect/resolved matches when both match kinds are present.

note: this change only affects routing to direct dial and agentless nodes. tunnel nodes continue to only be routable by ID/hostname, which are always considered direct matches.

changelog: fixed spurious ambiguous host errors in ssh routing

@github-actions github-actions Bot requested review from justinas and ravicious April 15, 2024 17:22
zmb3
zmb3 reviewed Apr 15, 2024
View reviewed changes
Comment thread api/utils/route_test.go
@rosstimothy rosstimothy self-requested a review April 17, 2024 18:10
@fspmarshall fspmarshall force-pushed the fspmarshall/route-score-proto branch 2 times, most recently from c04eb24 to 51277ce Compare April 18, 2024 16:23
rosstimothy
rosstimothy approved these changes Apr 18, 2024
View reviewed changes
Comment thread api/utils/route.go Outdated
@fspmarshall fspmarshall force-pushed the fspmarshall/route-score-proto branch from 51277ce to 16d064c Compare April 18, 2024 20:22
@fspmarshall fspmarshall added this pull request to the merge queue Apr 18, 2024
Merged via the queue into master with commit 82281e1 Apr 18, 2024
@fspmarshall fspmarshall deleted the fspmarshall/route-score-proto branch April 18, 2024 23:21
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Apr 18, 2024

@fspmarshall See the table below for backport results.

Branch Result
branch/v13 Failed
branch/v14 Failed
branch/v15 Create PR

@fspmarshall fspmarshall mentioned this pull request Apr 19, 2024
Merged
fspmarshall added a commit that referenced this pull request Apr 19, 2024
@fspmarshall
route based on match quality score (#40559)
c737521
@fspmarshall fspmarshall mentioned this pull request Apr 19, 2024
Merged
github-merge-queue Bot pushed a commit that referenced this pull request Apr 19, 2024
@fspmarshall
route based on match quality score (#40559) (#40709)
1d1bb97
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zmb3 zmb3 zmb3 approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

No one assigned

Labels

size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fspmarshall @zmb3 @rosstimothy