Closed r0mant closed 1 year ago
Talking to the Teleport team, the issue seems to be that when emitting an audit event Teleport currently always expects `server_id` to be present among the event fields and tries to validate it, because in Teleport all events are emitted by servers:
https://github.com/gravitational/teleport/blob/branch/3.2/lib/auth/apiserver.go#L1848-L1860
Gravity, on the other hand, emits various cluster-level events as well (such as operation completed/failed) on the user's behalf, so this field may not be present and as such `server_id` validation is not necessary.
The proposal is to update the above code block in the following way:
```go
// Only check events that have `server_id` defined on them. This is because Gravity sometimes
// submits events as the user instead of the builtin role.
if eventToCheck(req) {
	// Validate serverID field in event matches server ID from x509 identity. This
	// check makes sure nodes can only submit events for themselves.
	serverID, err := s.getServerID(r)
	if err != nil {
		return nil, trace.Wrap(err)
	}
	err = events.ValidateEvent(req.Fields, serverID)
	if err != nil {
		log.Warnf("Rejecting audit event %v from %v: %v. System may be under attack, a "+
			"node is attempting to submit events for an identity other than its own.",
			req.Type, serverID, err)
		return nil, trace.AccessDenied("failed to validate event")
	}
}
```
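The proposed gate, as an added Go example that is not code from Teleport or Gravity: `EventFields`, `needsServerIDCheck` (standing in for `eventToCheck`) and `validateServerID` (standing in for `events.ValidateEvent`) are assumed stand-ins for the real types and functions, and the sample events and server IDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// EventFields stands in for Teleport's events.EventFields (constructed type, not the real one).
type EventFields map[string]interface{}

const serverIDKey = "server_id"

var errServerIDMismatch = errors.New("event server_id does not match the submitting identity")

// needsServerIDCheck mirrors the proposed eventToCheck helper: only events that
// carry a server_id are validated, because Gravity's cluster-level events are
// submitted on the user's behalf without one. An event with no server_id is
// therefore never compared against the caller's identity.
func needsServerIDCheck(fields EventFields) bool {
	_, ok := fields[serverIDKey]
	return ok
}

// validateServerID stands in for events.ValidateEvent: the event's server_id
// must equal the server ID taken from the caller's x509 identity, so a node can
// only submit events about itself.
func validateServerID(fields EventFields, identityServerID string) error {
	got, _ := fields[serverIDKey].(string)
	if got != identityServerID {
		return fmt.Errorf("%w: event has %q, identity has %q", errServerIDMismatch, got, identityServerID)
	}
	return nil
}

// admitEvent applies the proposed logic end to end; a nil error means the
// audit API would accept the event.
func admitEvent(fields EventFields, identityServerID string) error {
	if !needsServerIDCheck(fields) {
		return nil
	}
	return validateServerID(fields, identityServerID)
}

func main() {
	// Constructed sample events; "node-1" is the server ID from the caller's identity.
	fmt.Println(admitEvent(EventFields{serverIDKey: "node-1", "event": "session.start"}, "node-1")) // <nil>
	fmt.Println(admitEvent(EventFields{serverIDKey: "node-2", "event": "session.start"}, "node-1")) // mismatch error
	fmt.Println(admitEvent(EventFields{"event": "operation.completed"}, "node-1"))                   // <nil>, no server_id
}
```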
Describe the bug
When attempting to complete the operation manually via the `plan complete` command, an audit event fails to be emitted with the `*trace.BadParameterError invalid role auth.LocalUser` error. Full stack trace below. The error is not critical but the event is missed nonetheless.
Some brief investigation showed that the error is thrown from the same Teleport `getServerID` method that was added as part of security-related changes last year and which has already caused problems before, e.g. with session upload. This time it fails on the following line:
https://github.com/gravitational/teleport/blob/branch/3.2-g/lib/auth/apiserver.go#L2435
For some reason it asserts `auth.BuiltinRole` there but we're getting `auth.LocalUser`. Don't know enough about Teleport internals to conclude why currently.
To Reproduce
Try to complete the operation manually.
Expected behavior
Audit event should be emitted without issues.
Logs
Aforementioned stack trace: