Replaced echo with printf in Makefile#470
Merged
klizhentas merged 1 commit intomasterfrom Jun 30, 2016
Merged
Conversation
hatched
pushed a commit
to hatched/teleport-merge
that referenced
this pull request
Nov 30, 2022
* first version * Fix build * Fix * fixes * add app context * Add Navigator * more screens * add cluster * grpc * Add gateways * add node-pty * add tshd daemon * add main process quick reload * add tsh access * Use default terminal shell and add context menu (gravitational#444) * node-pty errors * Fix build process and include `tsh` in the package (gravitational#451) * Use single `package.json` config * Include `tsh` in app package * fix linux package target * add global search * fix tsc (errors) build step * Add mocks * Add logging to file (gravitational#455) * minor cleanups * Add keyboard shortcuts service (gravitational#462) * add sync statuses for teleport resources * add teleterm icon (gravitational#470) * Fix dev reloads of main process * minore bug fixes * implement auth * update webpack configs to v5 (gravitational#492) * arrange the cards evenly depending on the available space & add drag and drop (gravitational#486) * fix text truncation on tabs * Add logout and cluster removal * Add context menu to clusters (gravitational#500) * Add tabs shortcuts & open new tab basing on active tab (gravitational#495) * Make xterm understand resize sequence (gravitational#507) * use `Immer` in teleterm store (gravitational#516) * Add apps and kubes * Teleterm bugfixes (gravitational#519) * add command palette * Replace Gateways with Connections * add tc * Clean up * Add basic config service (gravitational#526) * add fonts config (gravitational#528) * Fix resize bug * Minor teleterm fixes (gravitational#531) * remove exit code checking before closing a tab * prevent closing `home` tab * Fix crashing errors * Remove Roles and Activities * Remove GlobalSearch * Add context menu to tab items (gravitational#533) * make quickIInput always visible on top * Add workspace service (gravitational#538) * Add recently opened documents to workspace (gravitational#547) * add recently opened documents to workspace * review fixes * review fixes * add `ClusterConnect` component * remove the `close` item and electron help items from the app menu (gravitational#560) * improve navigator behaviour (gravitational#565) * improve navigator behaviour * Add new connection handling * Add username to gateways * add kube connect command * Gateway should render instructions per DB protocol * Address design changes Co-authored-by: gzdunek <gzdunek@users.noreply.github.com>
hatched
pushed a commit
that referenced
this pull request
Dec 20, 2022
* first version * Fix build * Fix * fixes * add app context * Add Navigator * more screens * add cluster * grpc * Add gateways * add node-pty * add tshd daemon * add main process quick reload * add tsh access * Use default terminal shell and add context menu (#444) * node-pty errors * Fix build process and include `tsh` in the package (#451) * Use single `package.json` config * Include `tsh` in app package * fix linux package target * add global search * fix tsc (errors) build step * Add mocks * Add logging to file (#455) * minor cleanups * Add keyboard shortcuts service (#462) * add sync statuses for teleport resources * add teleterm icon (#470) * Fix dev reloads of main process * minore bug fixes * implement auth * update webpack configs to v5 (#492) * arrange the cards evenly depending on the available space & add drag and drop (#486) * fix text truncation on tabs * Add logout and cluster removal * Add context menu to clusters (#500) * Add tabs shortcuts & open new tab basing on active tab (#495) * Make xterm understand resize sequence (#507) * use `Immer` in teleterm store (#516) * Add apps and kubes * Teleterm bugfixes (#519) * add command palette * Replace Gateways with Connections * add tc * Clean up * Add basic config service (#526) * add fonts config (#528) * Fix resize bug * Minor teleterm fixes (#531) * remove exit code checking before closing a tab * prevent closing `home` tab * Fix crashing errors * Remove Roles and Activities * Remove GlobalSearch * Add context menu to tab items (#533) * make quickIInput always visible on top * Add workspace service (#538) * Add recently opened documents to workspace (#547) * add recently opened documents to workspace * review fixes * review fixes * add `ClusterConnect` component * remove the `close` item and electron help items from the app menu (#560) * improve navigator behaviour (#565) * improve navigator behaviour * Add new connection handling * Add username to gateways * add kube connect command * Gateway should render instructions per DB protocol * Address design changes Co-authored-by: gzdunek <gzdunek@users.noreply.github.com>
r0mant
pushed a commit
that referenced
this pull request
Mar 30, 2023
#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469
r0mant
pushed a commit
that referenced
this pull request
Mar 30, 2023
#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469
r0mant
pushed a commit
that referenced
this pull request
Mar 30, 2023
#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469
r0mant
added a commit
that referenced
this pull request
Mar 30, 2023
* Prevent tunneling if the os login doesn't exist A user.Lookup was added to srv.RunForward to prevent dialing and forwarding any data if the os login is not found. The check alone only terminates the direct-tcpip ssh channel and not the underlying ssh connection. In order for the parent process to determine if the ssh connection should be terminated it needs to know why the child exited. That was not possible by looking at the exit code and any data written to standard error of the child process was forwarded to standard error on the parent; which was used to simply log the error and move on. To pass more detailed errors to the parent, the child process spawned by srv.RunForward now json marshals the trace.Error to standard error which is then decoded by the parent process. If the parent detects the error was due to a missing user it terminates the ssh connection. tsh ssh -N was also modified to terminate if the command context of tsh OR the ssh connection to the node is closes. Prior, it only terminated if the user cancelled the process by blocking on ctx.Done(). While this was necessary to end session if the os login does not exit, it also forces tsh to exit if the node goes offline. Note: This does not include any propagation of error messages to the user, so there won't be any indication from tsh about why the connection was closed. The session also will not be terminated until the first attempt to forward data and NOT when the session is created due to the way -N is implemented. Fixes #217 * Prevent unauthorized access to kube clusters by upserting kube_servers (#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469 * Release 12.1.3 --------- Co-authored-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
r0mant
pushed a commit
that referenced
this pull request
Apr 3, 2023
#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469
r0mant
added a commit
that referenced
this pull request
Apr 3, 2023
* Prevent tunneling if the os login doesn't exist A user.Lookup was added to srv.RunForward to prevent dialing and forwarding any data if the os login is not found. The check alone only terminates the direct-tcpip ssh channel and not the underlying ssh connection. In order for the parent process to determine if the ssh connection should be terminated it needs to know why the child exited. That was not possible by looking at the exit code and any data written to standard error of the child process was forwarded to standard error on the parent; which was used to simply log the error and move on. To pass more detailed errors to the parent, the child process spawned by srv.RunForward now json marshals the trace.Error to standard error which is then decoded by the parent process. If the parent detects the error was due to a missing user it terminates the ssh connection. tsh ssh -N was also modified to terminate if the command context of tsh OR the ssh connection to the node is closes. Prior, it only terminated if the user cancelled the process by blocking on ctx.Done(). While this was necessary to end session if the os login does not exit, it also forces tsh to exit if the node goes offline. Note: This does not include any propagation of error messages to the user, so there won't be any indication from tsh about why the connection was closed. The session also will not be terminated until the first attempt to forward data and NOT when the session is created due to the way -N is implemented. Fixes #217 * Prevent unauthorized access to kube clusters by upserting kube_servers (#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469 * Release 10.3.15 --------- Co-authored-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
r0mant
pushed a commit
that referenced
this pull request
Apr 5, 2023
#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469
dboslee
pushed a commit
that referenced
this pull request
Apr 5, 2023
* Prevent tunneling if the os login doesn't exist A user.Lookup was added to srv.RunForward to prevent dialing and forwarding any data if the os login is not found. The check alone only terminates the direct-tcpip ssh channel and not the underlying ssh connection. In order for the parent process to determine if the ssh connection should be terminated it needs to know why the child exited. That was not possible by looking at the exit code and any data written to standard error of the child process was forwarded to standard error on the parent; which was used to simply log the error and move on. To pass more detailed errors to the parent, the child process spawned by srv.RunForward now json marshals the trace.Error to standard error which is then decoded by the parent process. If the parent detects the error was due to a missing user it terminates the ssh connection. tsh ssh -N was also modified to terminate if the command context of tsh OR the ssh connection to the node is closes. Prior, it only terminated if the user cancelled the process by blocking on ctx.Done(). While this was necessary to end session if the os login does not exit, it also forces tsh to exit if the node goes offline. Note: This does not include any propagation of error messages to the user, so there won't be any indication from tsh about why the connection was closed. The session also will not be terminated until the first attempt to forward data and NOT when the session is created due to the way -N is implemented. Fixes #217 * Prevent unauthorized access to kube clusters by upserting kube_servers (#470) This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with a the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to. This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels since the kubernetes_service would not have the updated labels in memory and would deny access. Fixes #469 * Release 11.3.10 --------- Co-authored-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #467
echo -eis not a POSIX compliant command to use in a Makefile.Replaced it with
printf