gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

There should be a way to differentiate app access by leaf cluster #10671

Open programmerq opened 2 years ago

programmerq commented 2 years ago

Description

What happened:

Given a root cluster that has two leaf clusters that happen to have application access instances with the same name, there is no way to differentiate which leaf cluster needs to be used when accessing the application by URL.

Say I have multiple leaf clusters that all have a 'jenkins' application, and my root cluster is teleport.example.com.

If I navigate to jenkins.teleport.example.com, I will be prompted to authenticate to the root cluster, and then I will be redirected to one of the leaf cluster applications that has the name "jenkins". I don't know which leaf cluster's jenkins instance I will end up on, and there's no obvious way to force it to switch once logged in.

What you expected to happen:

Users should be able to share permalinks to leaf clusters accessed through a root cluster without asking the user to remember to first navigate to the root cluster application pane and manually select the application to launch.

Reproduction Steps


  1. Join two or more leaf clusters to a root cluster
  2. Configure different applications on each leaf cluster, but use the same short name.
  3. Try to access <appname>.<rootcluster> and observe that you are prompted to log in and then get dropped on a seemingly arbitrary instance.

Debug Logs


2022-02-28T18:24:37Z DEBU [APP:SERVI] Ping -> 127.0.0.1:3024. leaseID:1 target:localhost:3024 reversetunnel/agent.go:482
2022-02-28T18:24:37Z DEBU [PROXY:SER] Ping <- 127.0.0.1:43012 latency:40.782µs nodeID:e5f14a8c-d023-4652-9ae6-d4835ee431bc.z4221rt.telepath.cf trace.fields:map[cluster:z4221rt.telepath.cf] reversetunnel/localsite.go:432
2022-02-28T18:24:38Z INFO [AUDIT]     user.login cluster_name:z4221rt.telepath.cf code:T1000I ei:0 event:user.login method:local success:true time:2022-02-28T18:24:38.197Z uid:31990a8a-55df-4226-a6e7-66774b8b9f30 user:admin events/emitter.go:324
2022-02-28T18:24:38Z DEBU [KEYGEN]    generated user key for [root ubuntu ec2-user admin] with expiry on (1646115878) 2022-03-01 06:24:38.200173118 +0000 UTC native/native.go:256
2022-02-28T18:24:38Z INFO [CA]        Generating TLS certificate {0x76bb8b8 0xc002397dc0 1.3.9999.2.6=#0c012a,1.3.9999.2.5=#0c012a,1.3.9999.1.7=#13137a3432323172742e74656c65706174682e6366,1.3.9999.1.3=#13077a343232317274,1.3.9999.1.2=#130e73797374656d3a6d617374657273,CN=admin,O=admin+O=contractor,POSTALCODE={\"logins\":[\"root\"\,\"ubuntu\"\,\"ec2-user\"\,\"admin\"]},STREET=z4221rt.telepath.cf,L=root+L=ubuntu+L=ec2-user+L=admin,ST=system:masters 2022-03-01 06:24:38.203869569 +0000 UTC [] [] 5 []}. common_name:admin dns_names:[] locality:[root ubuntu ec2-user admin] not_after:2022-03-01 06:24:38.203869569 +0000 UTC org:[admin contractor] org_unit:[] tlsca/ca.go:725
2022-02-28T18:24:38Z INFO [AUDIT]     cert.create cert_type:user cluster_name:z4221rt.telepath.cf code:TC000I ei:0 event:cert.create identity:map[database_names:[*] database_users:[*] expires:2022-03-01T06:24:38.203869569Z kubernetes_cluster:z4221rt kubernetes_groups:[system:masters] logins:[root ubuntu ec2-user admin] roles:[admin contractor] route_to_cluster:z4221rt.telepath.cf teleport_cluster:z4221rt.telepath.cf traits:map[logins:[root ubuntu ec2-user admin]] user:admin] time:2022-02-28T18:24:38.207Z uid:57270efb-bd80-4491-ab68-455c7e4d8d50 events/emitter.go:324
2022-02-28T18:24:38Z DEBU [AUTH]      ClientCertPool -> cert(z4221rt.telepath.cf issued by z4221rt.telepath.cf:42817243038357298379752581691509527899) auth/middleware.go:616
2022-02-28T18:24:38Z DEBU [AUTH]      ClientCertPool -> cert(z4221rt.telepath.cf issued by z4221rt.telepath.cf:138215912911903924263106714324805031713) auth/middleware.go:616
2022-02-28T18:24:38Z DEBU [AUTH:1]    Server certificate cert(e5f14a8c-d023-4652-9ae6-d4835ee431bc.z4221rt.telepath.cf issued by z4221rt.telepath.cf:42817243038357298379752581691509527899). auth/middleware.go:300
2022-02-28T18:24:38Z DEBU [RBAC]      Grant access to cluster z4221lf.telepath.cf - no role in [admin contractor] uses cluster labels and the cluster is not labeled. services/role.go:1191
2022-02-28T18:24:38Z DEBU [RBAC]      Grant access to cluster z4221lg.telepath.cf - no role in [admin contractor] uses cluster labels and the cluster is not labeled. services/role.go:1191
2022-02-28T18:24:39Z DEBU [RBAC]      Grant access to cluster z4221lf.telepath.cf - no role in [admin contractor] uses cluster labels and the cluster is not labeled. services/role.go:1191
2022-02-28T18:24:39Z DEBU [RBAC]      Grant access to cluster z4221lg.telepath.cf - no role in [admin contractor] uses cluster labels and the cluster is not labeled. services/role.go:1191
2022-02-28T18:24:39Z DEBU [WEB]       Creating application web session for example.z4221lf.telepath.cf in z4221lf.telepath.cf. web/apps.go:154
2022-02-28T18:24:39Z DEBU [KEYGEN]    generated user key for [root ubuntu ec2-user admin] with expiry on (1646115878) 2022-03-01 06:24:38.001486911 +0000 UTC native/native.go:256
2022-02-28T18:24:39Z INFO [CA]        Generating TLS certificate {0x76bb8b8 0xc000c459d0 1.3.9999.2.6=#0c012a,1.3.9999.2.5=#0c012a,1.3.9999.1.7=#13137a3432323172742e74656c65706174682e6366,1.3.9999.1.5=#13137a343232316c662e74656c65706174682e6366,1.3.9999.1.6=#131b6578616d706c652e7a343232316c662e74656c65706174682e6366,1.3.9999.1.4=#132434663232646263632d316334652d343834342d623136332d626331303834623634363534,1.3.9999.1.3=#13077a343232317274,1.3.9999.1.2=#130e73797374656d3a6d617374657273,CN=admin,OU=usage:apps,O=admin+O=contractor,POSTALCODE={\"logins\":[\"root\"\,\"ubuntu\"\,\"ec2-user\"\,\"admin\"]},STREET=z4221rt.telepath.cf,L=root+L=ubuntu+L=ec2-user+L=admin,ST=system:masters 2022-03-01 06:24:38.005513049 +0000 UTC [] [] 5 []}. common_name:admin dns_names:[] locality:[root ubuntu ec2-user admin] not_after:2022-03-01 06:24:38.005513049 +0000 UTC org:[admin contractor] org_unit:[usage:apps] tlsca/ca.go:725
2022-02-28T18:24:39Z INFO [AUDIT]     cert.create cert_type:user cluster_name:z4221rt.telepath.cf code:TC000I ei:0 event:cert.create identity:map[database_names:[*] database_users:[*] expires:2022-03-01T06:24:38.005513049Z kubernetes_cluster:z4221rt kubernetes_groups:[system:masters] logins:[root ubuntu ec2-user admin] roles:[admin contractor] route_to_app:map[cluster_name:z4221lf.telepath.cf name: public_addr:example.z4221lf.telepath.cf session_id:4f22dbcc-1c4e-4844-b163-bc1084b64654] route_to_cluster:z4221rt.telepath.cf teleport_cluster:z4221rt.telepath.cf traits:map[logins:[root ubuntu ec2-user admin]] usage:[usage:apps] user:admin] time:2022-02-28T18:24:39.07Z uid:ffd9c722-5527-46ef-b1b9-4c475f84c8d9 events/emitter.go:324
2022-02-28T18:24:39Z DEBU [AUTH]      Generated application web session for admin with TTL 11h59m58.938690751s. auth/sessions.go:105
2022-02-28T18:24:39Z INFO [AUDIT]     app.session.start addr.remote:192.168.78.191:1192 app_name:example app_public_addr:example.z4221lf.telepath.cf app_uri:http://example.com/ cluster_name:z4221lf.telepath.cf code:T2007I ei:0 event:app.session.start namespace:default public_addr:example.z4221lf.telepath.cf server_id:e5f14a8c-d023-4652-9ae6-d4835ee431bc sid:4f22dbcc-1c4e-4844-b163-bc1084b64654 time:2022-02-28T18:24:39.074Z uid:4560df2c-dfcd-417d-9e67-368b856f5c9e user:admin events/emitter.go:324
2022-02-28T18:24:39Z INFO [AUDIT]     app.session.start addr.remote:192.168.78.191:1192 app_name:example app_public_addr:example.z4221lf.telepath.cf app_uri:http://example.com/ cluster_name:z4221lf.telepath.cf code:T2007I ei:0 event:app.session.start namespace:default public_addr:example.z4221lf.telepath.cf server_id:e5f14a8c-d023-4652-9ae6-d4835ee431bc sid:4f22dbcc-1c4e-4844-b163-bc1084b64654 time:2022-02-28T18:24:39.074Z uid:4560df2c-dfcd-417d-9e67-368b856f5c9e user:admin events/emitter.go:324
2022-02-28T18:24:39Z DEBU [PROXY:SER] Dialing from @web-proxy to @local-node. cluster:z4221lf.telepath.cf reversetunnel/remotesite.go:617
2022-02-28T18:24:39Z DEBU [PROXY:SER] Requesting connection to @local-node [847d5de3-f2c1-446b-a23a-e96e6e1ae87a.z4221lf.telepath.cf] in remote cluster. cluster:z4221lf.telepath.cf reversetunnel/remotesite.go:726
2022-02-28T18:24:39Z DEBU [PROXY:SER] Dialing from @web-proxy to @local-node. cluster:z4221lf.telepath.cf reversetunnel/remotesite.go:617
2022-02-28T18:24:39Z DEBU [PROXY:SER] Requesting connection to @local-node [847d5de3-f2c1-446b-a23a-e96e6e1ae87a.z4221lf.telepath.cf] in remote cluster. cluster:z4221lf.telepath.cf reversetunnel/remotesite.go:726
2022-02-28T18:24:39Z DEBU [PROXY:SER] Dialing from @web-proxy to @local-node. cluster:z4221lf.telepath.cf reversetunnel/remotesite.go:617
2022-02-28T18:24:39Z DEBU [PROXY:SER] Requesting connection to @local-node [847d5de3-f2c1-446b-a23a-e96e6e1ae87a.z4221lf.telepath.cf] in remote cluster. cluster:z4221lf.telepath.cf reversetunnel/remotesite.go:726
2022-02-28T18:24:39Z INFO [APP:WEB]   Round trip: GET /, code: 200, duration: 54.565982ms tls:version: 304, tls:resume:false, tls:csuite:1301, tls:server:example.z4221rt.telepath.cf forward/fwd.go:187

Here are the logs from the root cluster auth/proxy node at the time the user logs in when navigating to the app name on the root cluster. It seems to just pick a leaf cluster and go with it even though there are multiple applications with that name.

Additionally, if a user tries to access an application on one leaf cluster using the teleport gui "launch" selector, it'll silently log them out of the other one since they will all be accessed over the same exact DNS name. The session seems to get updated to point to only one cluster at a time.

gz#4221
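The ambiguity reported above (two leaf clusters both advertising an app called `jenkins`, reached through the root cluster as `jenkins.teleport.example.com`) is easy to check for before a user hits it. The following is an added example, not code from the Teleport project or from the issue author: it takes a constructed list of app entries, each with the name, hosting cluster and public address `tsh apps ls` would show, groups them by the `<appname>.<rootcluster>` hostname the web UI uses, and reports every hostname that maps to more than one cluster. It also builds the per-cluster launch URL in the `/web/launch/<app>.<root>/<cluster>/<public_addr>` form that a later comment in this thread quotes; that layout is inferred from that single example and the cluster names `leaf-a.example.com` / `leaf-b.example.com` are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// App is one application entry as a cluster's application service advertises it.
// The fields mirror what `tsh apps ls` shows (name, public address) plus the
// cluster that hosts it. SampleApps below is constructed data for this example.
type App struct {
	Name       string
	Cluster    string
	PublicAddr string
}

// RootCluster is the assumed root cluster name from the issue description.
const RootCluster = "teleport.example.com"

// SampleApps reproduces the reported setup: the same short name "jenkins" on
// two different leaf clusters, plus one app that is unique. Constructed data.
var SampleApps = []App{
	{Name: "jenkins", Cluster: "leaf-a.example.com", PublicAddr: "jenkins.leaf-a.example.com"},
	{Name: "jenkins", Cluster: "leaf-b.example.com", PublicAddr: "jenkins.leaf-b.example.com"},
	{Name: "grafana", Cluster: "leaf-b.example.com", PublicAddr: "grafana.leaf-b.example.com"},
}

// RootFQDN is the hostname used when an app is reached through the root
// cluster as <appname>.<rootcluster>, regardless of which cluster hosts it.
func RootFQDN(name, rootCluster string) string {
	return name + "." + rootCluster
}

// LaunchURL builds the bookmarkable link behind the web UI "Launch" button.
// Assumption: the path layout is inferred from the one example quoted in the
// thread (https://<proxy>/web/launch/<app>.<root>/<cluster>/<public_addr>).
func LaunchURL(proxyAddr, rootCluster string, a App) string {
	return fmt.Sprintf("https://%s/web/launch/%s/%s/%s",
		proxyAddr, RootFQDN(a.Name, rootCluster), a.Cluster, a.PublicAddr)
}

// Collisions groups apps by their root-cluster hostname and returns, for each
// hostname served by more than one distinct cluster, the sorted cluster names.
// An app with the same name in the root cluster and a leaf counts as well.
func Collisions(apps []App, rootCluster string) map[string][]string {
	byFQDN := map[string]map[string]bool{}
	for _, a := range apps {
		fqdn := RootFQDN(a.Name, rootCluster)
		if byFQDN[fqdn] == nil {
			byFQDN[fqdn] = map[string]bool{}
		}
		byFQDN[fqdn][a.Cluster] = true
	}
	out := map[string][]string{}
	for fqdn, clusters := range byFQDN {
		if len(clusters) < 2 {
			continue
		}
		names := make([]string, 0, len(clusters))
		for c := range clusters {
			names = append(names, c)
		}
		sort.Strings(names)
		out[fqdn] = names
	}
	return out
}

func main() {
	coll := Collisions(SampleApps, RootCluster)
	fqdns := make([]string, 0, len(coll))
	for f := range coll {
		fqdns = append(fqdns, f)
	}
	sort.Strings(fqdns)
	for _, f := range fqdns {
		// These are the hostnames where a plain https://<app>.<root> link is ambiguous.
		fmt.Printf("ambiguous: https://%s is served by %v\n", f, coll[f])
	}
	for _, a := range SampleApps {
		// Per-cluster links that do not depend on which leaf the proxy picks.
		fmt.Println("launch:", LaunchURL(RootCluster+":3080", RootCluster, a))
	}
}
```

Running it on the constructed data flags `jenkins.teleport.example.com` as served by both leaf clusters and leaves `grafana` alone; the launch URLs it prints are the ones a user would bookmark to get a deterministic leaf, which is the workaround discussed further down the thread.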

programmerq commented 1 year ago

https://github.com/gravitational/teleport/issues/21238 seems related

TeleLos commented 1 year ago

I see the same behavior when the application is installed using teleport-kube-service.

Root Cluster: 12.3.1 (telepor.sh), Grafana app named grafana connected using teleport-kube-agent v12.2.4
Leaf Cluster: 11.3.9 (cloud.gravitational.io), Grafana app named grafana connected using teleport-kube-agent v11.3.5

  1. Connect to the root cluster UI.
  2. Select the leaf cluster in the drop-down menu.
  3. Select Applications in the Resources menu.
  4. Launch the grafana application.

You will be directed to the grafana app of the root server instead of the leaf.

Tener commented 1 year ago

The URL for different apps on different leaf clusters with the same name is, unfortunately, shared. This means the user can only be logged in to one of those simultaneously within the same browser session. Using multiple separate browser profiles works but is unwieldy.

The good news is that the login link is stable and can be bookmarked. This is the URL behind the "Launch" button. You can copy the link it leads to without hassle. For example, app "dumper" on a leaf cluster accessed via the root cluster:

https://root.teleport.example.com:3080/web/launch/dumper.root.teleport.example.com/leaf.teleport.example.com/dumper.leaf.teleport.example.com

Now, I can imagine extending the current routing scheme to distinguish apps between leaf clusters. For example, given leaf cluster:

> tctl get remote_cluster
kind: remote_cluster
metadata:
  id: 1684509092991901000
  name: leaf.teleport.example.com
status:
  connection: online
  last_heartbeat: "2023-05-19T15:11:22.939414Z"
version: v3

We could use cluster name or cluster id (potentially encoded), to create scoped URL. Some ideas: