Improve tsh profile support.

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.

https://goteleport.com

GNU Affero General Public License v3.0

17.44k stars 1.74k forks source link

Improve tsh profile support. #3089

Open benarent opened 4 years ago

benarent commented 4 years ago

What happened: If a customer has multiple Teleport proxies, customers use ➜ $ tsh login --proxy=work.example.com to login.

If you are working with multiple Teleport proxies you need to switch each time with, and tsh sets the profile to the last one it logged in.

Examples of apps with different profile systems.

What you expected to happen

tsh user should know what their default profile is.
tsh can set a default profile.
tsh users easily list all known profiles, and output current certificate status ( e.g. time left before reauthorisation )
tsh users can login to an account using a profile alais vs full URL
tsh users can remove accounts.

klizhentas commented 3 years ago

I think user profile should be more like ini profile that never gets overwritten and our default ~/.tsh/profile.yaml should be treated like internal state database file.

So devs can write things like this:

# cluster name
[staging]
k8s-cluster=
user=alice

[prod]
...

I was also thinking about using elisp as prfofile engine:

(setq cluster 'staging)

(defun select-cluster ()
  (mapc (lambda (K) 
          (let* ((key (car K)) (fun (cdr K)))
           (define-key cluster-map (parse-cluster key) fun)))
        '(("<right>" . cluster-next-match)
          ("<left>"  . cluster-prev-match)
          ("<up>"    . ignore             )
          ("<down>"  . ignore             ))))
(add-hook 'select-cluster 'select-cluster-hook-local-keys)

...

Just kidding about lisp one :)

webvictim commented 3 years ago

Would also be nice to let devs add port forwarding, agent forwarding etc to their profile files:

[staginghost21839]
login=staginguser
agent_forwarding=yes
port_forwarding=54321:localhost:12345,3434:localhost:3434

Then tsh ssh staginghost21839 would automatically do the same as tsh ssh -A -L 54321:localhost:12345,3434:localhost:3434 -l staginguser staginghost21839

wreed4 commented 3 years ago

For what it's worth I found a work around here for easily switching between two teleport instances:

alias t_one="echo teleport.one.url.without.port.io > ~/.tsh/current-profile"
alias t_two="echo teleport.two.url.without.port.io > ~/.tsh/current-profile"

Obviously replace the url with the real one.

webvictim commented 3 years ago

We merged this recently: #5395 - it basically allows you to 'pin' a terminal to a given cluster by running eval $(tsh env) after logging in.

et304383 commented 2 years ago

For what it's worth I found a work around here for easily switching between two teleport instances:
alias t_one="echo teleport.one.url.without.port.io > ~/.tsh/current-profile"
alias t_two="echo teleport.two.url.without.port.io > ~/.tsh/current-profile"
Obviously replace the url with the real one.

I can't believe this is the way to deal with multiple profiles. At th very least, tsh login should factor in that you're already logged in and just switch the current profile over.

alwaysastudent commented 2 years ago

The easiest way to solve this is to expose an environment variable that can pick up the current profile. Then we can toggle that env variable on-demand to the profile we want.

zmb3 commented 1 year ago