gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.33k stars 1.74k forks

Accommodate SAML Auth Connectors with Thousands of Mappings #17280

Open corkrean opened 1 year ago

corkrean commented 1 year ago

What would you like Teleport to do? Split auth connectors with thousands of mappings into multiple DynamoDB items to accommodate DynamoDB's 400 KB item size limit.

What problem does this solve? DynamoDB has an item size limit of 400 KB. This prevents auth connectors with thousands of mappings from being stored in DynamoDB.

If a workaround exists, please include it. Use etcd for cluster state storage.
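The following is an added example written for this page, not code from the issue or from Teleport's DynamoDB backend. It builds a SAML-connector-shaped resource with thousands of attributes_to_roles mappings, shows that its serialized form exceeds DynamoDB's 400 KB item limit, and then stores it as a manifest item plus fixed-size part items that are each under the limit, with a reassembly step that fails closed if a part is missing. The item layout (a "Key" string and a "Value" blob), the size estimate, the part-key scheme and the Okta URLs are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// DynamoDB rejects any item whose attribute names plus values exceed 400 KB.
const dynamoDBItemLimit = 400 * 1024

// Payload bytes per part. Leaves headroom for the key and attribute names,
// which also count toward the item size (see estimateItemSize, assumed layout).
const partPayloadLimit = 380 * 1024

// Marker stored at the original key when a value has been split. A NUL byte
// can never start a JSON-serialized resource, so whole values are never
// mistaken for manifests. Assumed scheme, not Teleport's.
const manifestPrefix = "\x00split:parts="

// AttributeMapping mirrors one attributes_to_roles entry of a Teleport SAML
// connector resource; the struct is constructed for this example.
type AttributeMapping struct {
	Name  string   `json:"name"`
	Value string   `json:"value"`
	Roles []string `json:"roles"`
}

// SAMLConnectorSpec is a reduced connector spec (fields as in the YAML resource).
type SAMLConnectorSpec struct {
	Issuer            string             `json:"issuer"`
	SSO               string             `json:"sso"`
	ACS               string             `json:"acs"`
	AttributesToRoles []AttributeMapping `json:"attributes_to_roles"`
}

// Item is a simplified DynamoDB item: one string key and one binary value.
// (Assumed shape; the real backend items carry more attributes.)
type Item struct {
	Key   string
	Value []byte
}

// estimateItemSize approximates DynamoDB's accounting: the UTF-8 length of
// each attribute name plus the length of each attribute value.
func estimateItemSize(it Item) int {
	return len("Key") + len(it.Key) + len("Value") + len(it.Value)
}

// BuildLargeConnector constructs a connector with n group-to-role mappings.
// Issuer/SSO/ACS are placeholder values.
func BuildLargeConnector(n int) SAMLConnectorSpec {
	spec := SAMLConnectorSpec{
		Issuer: "http://www.okta.com/EXAMPLE",
		SSO:    "https://example.okta.com/app/example/sso/saml",
		ACS:    "https://teleport.example.com:3080/v1/webapi/saml/acs",
	}
	for i := 0; i < n; i++ {
		spec.AttributesToRoles = append(spec.AttributesToRoles, AttributeMapping{
			Name:  "groups",
			Value: fmt.Sprintf("okta-group-%05d", i),
			Roles: []string{"access", "editor"},
		})
	}
	return spec
}

// SplitItem returns the value as a single item if it fits, otherwise a
// manifest item at key (recording the part count) followed by the parts.
func SplitItem(key string, value []byte) []Item {
	if estimateItemSize(Item{Key: key, Value: value}) <= dynamoDBItemLimit {
		return []Item{{Key: key, Value: value}}
	}
	var parts []Item
	for off := 0; off < len(value); off += partPayloadLimit {
		end := off + partPayloadLimit
		if end > len(value) {
			end = len(value)
		}
		parts = append(parts, Item{Key: fmt.Sprintf("%s/part/%d", key, len(parts)), Value: value[off:end]})
	}
	manifest := Item{Key: key, Value: []byte(fmt.Sprintf("%s%d", manifestPrefix, len(parts)))}
	return append([]Item{manifest}, parts...)
}

// ReassembleItem rebuilds the value stored under key from items; a whole
// value is returned as-is, a split value is concatenated from its parts.
func ReassembleItem(key string, items []Item) ([]byte, error) {
	byKey := make(map[string][]byte, len(items))
	for _, it := range items {
		byKey[it.Key] = it.Value
	}
	head, ok := byKey[key]
	if !ok {
		return nil, fmt.Errorf("missing item %q", key)
	}
	if !bytes.HasPrefix(head, []byte(manifestPrefix)) {
		return head, nil // stored whole
	}
	var n int
	if _, err := fmt.Sscanf(string(head[len(manifestPrefix):]), "%d", &n); err != nil {
		return nil, fmt.Errorf("corrupt manifest for %q: %v", key, err)
	}
	var buf bytes.Buffer
	for i := 0; i < n; i++ {
		part, ok := byKey[fmt.Sprintf("%s/part/%d", key, i)]
		if !ok {
			return nil, fmt.Errorf("missing part %d of %d for %q", i, n, key)
		}
		buf.Write(part)
	}
	return buf.Bytes(), nil
}

func main() {
	raw, _ := json.Marshal(BuildLargeConnector(8000))
	whole := Item{Key: "/saml/okta", Value: raw}
	fmt.Printf("serialized connector: %d bytes (limit %d)\n", estimateItemSize(whole), dynamoDBItemLimit)
	for _, it := range SplitItem(whole.Key, whole.Value) {
		fmt.Printf("  %-22s %7d bytes\n", it.Key, estimateItemSize(it))
	}
}
```

The manifest-plus-parts write is not atomic in DynamoDB unless it goes through a transaction, so a reader can observe a manifest whose parts are still being written; ReassembleItem therefore errors on a missing part instead of returning a truncated connector, which matters because a truncated attributes_to_roles list silently changes who maps to which roles.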

russjones commented 1 year ago

https://github.com/gravitational/teleport/pull/14977

corkrean commented 1 year ago

Here are the logs from the tctl create -f command on a large auth connector file:

2022-10-11T21:52:41Z DEBU [SQLITE]    Connected to: file:%2Fvar%2Flib%2Fteleport%2Fproc%2Fsqlite.db?_busy_timeout=10000&_sync=FULL&_txlock=immediate, poll stream period: 1s lite/lite.go:246
2022-10-11T21:52:41Z DEBU [SQLITE]    journal_mode=delete, synchronous=2, busy_timeout=10000 lite/lite.go:293
2022-10-11T21:52:41Z DEBU             Connecting to: [{127.0.0.1:3025 tcp }]. authclient/authclient.go:53
2022-10-11T21:52:41Z DEBU             [SAML] SSO: OBFUSCATED
2022-10-11T21:52:41Z DEBU             [SAML] Issuer: http://www.okta.com/exk6tpg4bl7fL217y5d7 services/saml.go:103
2022-10-11T21:52:41Z DEBU             [SAML] ACS: OBFUSCATED

ERROR REPORT:
Original Error: *status.Error rpc error: code = Unknown desc = ValidationException: Item size has exceeded the maximum allowed size
    status code: 400, request id: GNJSC0P9EMSQDCTESNJ032STEFVV4KQNSO5AEMVJF66Q9ASUAAJG
Stack Trace:
    /go/src/github.com/gravitational/teleport/api/client/client.go:1683 github.com/gravitational/teleport/api/client.(*Client).UpsertSAMLConnector
    /go/src/github.com/gravitational/teleport/e/tool/tctl/resource_command.go:84 main.(*ResourceCommandE).createConnector
    /go/src/github.com/gravitational/teleport/tool/tctl/common/resource_command.go:283 github.com/gravitational/teleport/tool/tctl/common.(*ResourceCommand).Create
    /go/src/github.com/gravitational/teleport/tool/tctl/common/resource_command.go:159 github.com/gravitational/teleport/tool/tctl/common.(*ResourceCommand).TryRun
    /go/src/github.com/gravitational/teleport/e/tool/tctl/resource_command.go:42 main.(*ResourceCommandE).TryRun
    /go/src/github.com/gravitational/teleport/tool/tctl/common/tctl.go:186 github.com/gravitational/teleport/tool/tctl/common.Run
    /go/src/github.com/gravitational/teleport/e/tool/tctl/main.go:20 main.main
    /opt/go/src/runtime/proc.go:250 runtime.main
    /opt/go/src/runtime/asm_amd64.s:1571 runtime.goexit
User Message: rpc error: code = Unknown desc = ValidationException: Item size has exceeded the maximum allowed size
    status code: 400, request id: GNJSC0P9EMSQDCTESNJ032STEFVV4KQNSO5AEMVJF66Q9ASUAAJG