gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Removed leaf cluster prevents user from logging in via tsh #6605

Open stevenGravy opened 3 years ago

stevenGravy commented 3 years ago

Description

What happened:

A user that logs into a leaf cluster and logs in again later is prevented from doing so if the cluster has been removed. They get an error on callback. The ~/.tsh folder needs to be removed or possibly altered to reset the user's cluster on login.

What you expected to happen:

If a leaf cluster is removed, the user should revert back to the root cluster as their logged in cluster.

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

  1. Create a leaf cluster that is connected to a root cluster
  2. Have the user log into the leaf cluster
  3. Take down the leaf cluster
  4. Log in to the leaf cluster (note that the user who got the error was using an SSO auth)

Server Details

Client Details

Logs

In the auth server, the error prevents a user from authenticating completely and starting a session.

INFO [AUDIT]     user.login cluster_name:tele1c code:T1001W ei:0 error:[remote cluster "leaf.example.com" is not found] event:user.login message:remote cluster "leaf.example.com" is not found method:oidc success:false time:2021-04-27T12:24:55.623Z uid:7096aa60-6199-465d-b085-bd41d5ed1edd events/emitter.go:323
ERRO [WEB]       Error while processing callback. auth:oidc error:[
ERROR REPORT:
Original Error: *trace.NotFoundError remote cluster "leaf.example.com" is not found
Stack Trace:
        /go/src/github.com/gravitational/teleport/lib/services/local/presence.go:688 github.com/gravitational/teleport/lib/services/local.(*PresenceService).getRemoteCluster
        /go/src/github.com/gravitational/teleport/lib/services/local/presence.go:702 github.com/gravitational/teleport/lib/services/local.(*PresenceService).GetRemoteCluster
        /go/src/github.com/gravitational/teleport/lib/auth/auth.go:681 github.com/gravitational/teleport/lib/auth.(*Server).generateUserCert
        /go/src/github.com/gravitational/teleport/lib/auth/github.go:337 github.com/gravitational/teleport/lib/auth.(*Server).createSessionCert
        /go/src/github.com/gravitational/teleport/lib/auth/oidc.go:386 github.com/gravitational/teleport/lib/auth.(*Server).validateOIDCAuthCallback
        /go/src/github.com/gravitational/teleport/lib/auth/oidc.go:235 github.com/gravitational/teleport/lib/auth.(*Server).ValidateOIDCAuthCallback
        /go/src/github.com/gravitational/teleport/lib/auth/auth_with_roles.go:1634 github.com/gravitational/teleport/lib/auth.(*ServerWithRoles).ValidateOIDCAuthCallback
        /go/src/github.com/gravitational/teleport/lib/auth/apiserver.go:1381 github.com/gravitational/teleport/lib/auth.(*
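As an added example (not code from this issue or from Teleport itself): a small Go detector that parses audit lines like the one quoted above into key:value fields and flags failed user.login events whose error names a remote cluster that no longer exists, so an operator can spot users stuck with a stale ~/.tsh profile. The field parser and the second, successful sample line are my own constructions; the first sample is the audit line from this report.

```go
package main

import (
	"regexp"
	"strings"
)

// fieldRE matches one key:value pair; a value wrapped in [...] may contain spaces.
var fieldRE = regexp.MustCompile(`(\S+?):(\[[^\]]*\]|\S+)`)

// missingCluster pulls the leaf cluster name out of Teleport's NotFound error text.
var missingCluster = regexp.MustCompile(`remote cluster "([^"]+)" is not found`)

// StaleClusterLogin is one failed user.login caused by a leaf cluster that no longer exists.
type StaleClusterLogin struct {
	RootCluster, Missing, Method, Time string // cluster_name field, leaf named in the error, auth method, time
}

// SampleLines are constructed inputs: the audit line quoted in this report plus a
// successful login (assumed format) that the detector must ignore.
var SampleLines = []string{
	`INFO [AUDIT]     user.login cluster_name:tele1c code:T1001W ei:0 error:[remote cluster "leaf.example.com" is not found] event:user.login message:remote cluster "leaf.example.com" is not found method:oidc success:false time:2021-04-27T12:24:55.623Z uid:7096aa60-6199-465d-b085-bd41d5ed1edd events/emitter.go:323`,
	`INFO [AUDIT]     user.login cluster_name:tele1c ei:0 event:user.login method:oidc success:true time:2021-04-27T12:30:00.000Z uid:00000000-0000-0000-0000-000000000000 events/emitter.go:323`,
}

// parseFields turns a Teleport log line into key:value pairs. Tokens without a colon (log
// level, event name, the bare words of unbracketed values such as message:) are skipped.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range fieldRE.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = strings.TrimSuffix(strings.TrimPrefix(m[2], "["), "]")
	}
	return fields
}

// FindStaleClusterLogins returns each failed user.login whose error names a remote
// cluster that is not found; it relies on the bracketed error:[...] field.
func FindStaleClusterLogins(lines []string) []StaleClusterLogin {
	var out []StaleClusterLogin
	for _, line := range lines {
		f := parseFields(line)
		if f["event"] != "user.login" || f["success"] != "false" {
			continue
		}
		if m := missingCluster.FindStringSubmatch(f["error"]); m != nil {
			out = append(out, StaleClusterLogin{f["cluster_name"], m[1], f["method"], f["time"]})
		}
	}
	return out
}
```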

awly commented 3 years ago

We should improve the error message to help the user switch to a valid cluster (without deleting ~/.tsh).

Automatically switching to the root cluster might lead to unexpected behavior, like an automated script running tsh ssh user@node backup.sh. We shouldn't quietly redirect the command to the root cluster node there.