Adding SSHPortForwarding to RoleOptions proto #49165

Merged
merged 1 commit into from
Nov 22, 2024
44 changes: 40 additions & 4 deletions api/proto/teleport/legacy/types/types.proto
Expand Up @@ -2923,6 +2923,38 @@ enum CreateDatabaseUserMode {
DB_USER_MODE_BEST_EFFORT_DROP = 3;
}

// SSHLocalPortForwarding configures access controls for local SSH port forwarding.
message SSHLocalPortForwarding {
BoolValue Enabled = 1 [
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "enabled,omitempty",
(gogoproto.customtype) = "BoolOption"
];
}

// SSHRemotePortForwarding configures access controls for remote SSH port forwarding.
message SSHRemotePortForwarding {
BoolValue Enabled = 1 [
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "enabled,omitempty",
(gogoproto.customtype) = "BoolOption"
];
}

// SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
message SSHPortForwarding {
// Allow local port forwarding.
SSHLocalPortForwarding Local = 1 [
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "local,omitempty"
];
// Allow remote port forwarding.
SSHRemotePortForwarding Remote = 2 [
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "remote,omitempty"
];
}

// RoleOptions is a set of role options
message RoleOptions {
// ForwardAgent is SSH agent forwarding.
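Review bot: the `Enabled` field in `SSHLocalPortForwarding` and `SSHRemotePortForwarding` has no leading comment, and neither message says what an unset `Enabled` (or an unset `Local`/`Remote` inside `SSHPortForwarding`) means; the deprecated `PortForwarding` comment further down documents its default as "yes" when not set, so the replacement should state its default just as explicitly. The docs tables in this PR are generated from these comments, so adding something like `// Enabled controls whether local port forwarding is permitted. Unset means <default>.` here fills the currently empty `enabled` descriptions in all of them. The two messages are also identical apart from their names; if that is intentional so they can diverge later, a one-line comment saying so would save the next reader the question.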
Expand All @@ -2937,11 +2969,9 @@ message RoleOptions {
(gogoproto.casttype) = "Duration"
];

// PortForwarding defines if the certificate will have
// "permit-port-forwarding"
// in the certificate. PortForwarding is "yes" if not set,
// that's why this is a pointer
// Deprecated: Use SSHPortForwarding instead
BoolValue PortForwarding = 3 [
deprecated = true,
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "port_forwarding,omitempty",
(gogoproto.customtype) = "BoolOption"
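Review bot: the replacement comment drops the behavioural description of `PortForwarding` (that it controls the `permit-port-forwarding` certificate extension and is treated as "yes" when not set) and keeps only `Deprecated: Use SSHPortForwarding instead`; a deprecated field still needs its semantics documented, and readers migrating roles also need to know which setting wins when a role sets both `port_forwarding` and `ssh_port_forwarding`. Suggest keeping the original description lines and appending the deprecation note with the precedence spelled out, e.g. `// Deprecated: use SSHPortForwarding instead. When both are set, <field> takes precedence.`, filling in the precedence from the access-checker logic.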
Expand Down Expand Up @@ -3108,6 +3138,12 @@ message RoleOptions {

// CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
string CreateHostUserDefaultShell = 31 [(gogoproto.jsontag) = "create_host_user_default_shell,omitempty"];

// SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
SSHPortForwarding SSHPortForwarding = 32 [
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "ssh_port_forwarding,omitempty"
];
}

message RecordSession {
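Review bot: the comment on field 32 repeats the `SSHPortForwarding` message comment verbatim and does not say what happens when the field is nil (it is nullable) versus set to an empty message, nor how it relates to the deprecated `PortForwarding` at field 3. Since this is the comment that surfaces in the role reference docs, suggest stating the default for an unset field here and cross-referencing the deprecated field so both appear in one place for anyone migrating roles.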
5,297 changes: 2,982 additions & 2,315 deletions api/types/types.pb.go

Large diffs are not rendered by default.

Expand Up @@ -402,12 +402,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
|permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
|pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
|record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
|request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
|request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
|require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
|ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|

### spec.options.cert_extensions items

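Review bot: the new `port_forwarding` row reads `Deprecated: Use SSHPortForwarding instead`, which names the proto message rather than the YAML key users actually write; in this table the replacement is the `ssh_port_forwarding` row, so the description should say `Use ssh_port_forwarding instead`. This text is generated from the proto comment, so the fix belongs in `types.proto` and will propagate to every copy of this table.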
Expand Down Expand Up @@ -438,6 +439,25 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
|ssh|string|SSH indicates the session mode used on SSH sessions.|

### spec.options.ssh_port_forwarding

|Field|Type|Description|
|---|---|---|
|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|

### spec.options.ssh_port_forwarding.local

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

### spec.options.ssh_port_forwarding.remote

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

## resources.teleport.dev/v6

**apiVersion:** resources.teleport.dev/v6
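Review bot: both `enabled` rows in the new `spec.options.ssh_port_forwarding.local` and `.remote` tables have an empty description, and the tables do not say what the role allows when `local` or `remote` is omitted entirely; for an access-control knob the default needs to be explicit in the reference. The empty cells come from the uncommented `Enabled` proto field, so a comment there will fill all copies of these tables at once.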
Expand Down Expand Up @@ -829,12 +849,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
|permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
|pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
|record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
|request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
|request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
|require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
|ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|

### spec.options.cert_extensions items

Expand Down Expand Up @@ -865,3 +886,22 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
|ssh|string|SSH indicates the session mode used on SSH sessions.|

### spec.options.ssh_port_forwarding

|Field|Type|Description|
|---|---|---|
|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|

### spec.options.ssh_port_forwarding.local

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

### spec.options.ssh_port_forwarding.remote

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

Expand Up @@ -402,12 +402,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
|permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
|pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
|record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
|request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
|request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
|require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
|ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|

### spec.options.cert_extensions items

Expand Down Expand Up @@ -438,3 +439,22 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
|ssh|string|SSH indicates the session mode used on SSH sessions.|

### spec.options.ssh_port_forwarding

|Field|Type|Description|
|---|---|---|
|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|

### spec.options.ssh_port_forwarding.local

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

### spec.options.ssh_port_forwarding.remote

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

Expand Up @@ -402,12 +402,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
|permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
|pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
|record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
|request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
|request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
|require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
|ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|

### spec.options.cert_extensions items

Expand Down Expand Up @@ -438,3 +439,22 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
|ssh|string|SSH indicates the session mode used on SSH sessions.|

### spec.options.ssh_port_forwarding

|Field|Type|Description|
|---|---|---|
|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|

### spec.options.ssh_port_forwarding.local

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

### spec.options.ssh_port_forwarding.remote

|Field|Type|Description|
|---|---|---|
|enabled|boolean||

24 changes: 23 additions & 1 deletion docs/pages/reference/terraform-provider/data-sources/role.mdx
Expand Up @@ -449,12 +449,13 @@ Optional:
- `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
- `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
- `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
- `port_forwarding` (Boolean) Deprecated: Use SSHPortForwarding instead
- `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
- `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
- `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
- `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
- `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
- `ssh_port_forwarding` (Attributes) SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))

### Nested Schema for `spec.options.cert_extensions`

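Review bot: in the Terraform schema the replacement attribute is `ssh_port_forwarding`, so the `port_forwarding` description should point at that attribute name rather than the Go type `SSHPortForwarding`. These docs are generated from the provider schema; if the schema supports a deprecation marker on attributes, setting it (not only the description string) would make `terraform plan` warn users who still set `port_forwarding`, which the description alone will not do.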
Expand Down Expand Up @@ -488,3 +489,24 @@ Optional:
- `desktop` (Boolean) Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
- `ssh` (String) SSH indicates the session mode used on SSH sessions.


### Nested Schema for `spec.options.ssh_port_forwarding`

Optional:

- `local` (Attributes) Allow local port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardinglocal))
- `remote` (Attributes) Allow remote port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardingremote))

### Nested Schema for `spec.options.ssh_port_forwarding.local`

Optional:

- `enabled` (Boolean)


### Nested Schema for `spec.options.ssh_port_forwarding.remote`

Optional:

- `enabled` (Boolean)

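Review bot: `enabled` (Boolean) in the two new nested schemas carries no description at all, so the Terraform docs give no hint of the default when the `local` or `remote` block is present but `enabled` is omitted, or when the block is absent. Suggest a description such as `Enabled controls whether remote port forwarding is allowed; unset means <default>.` with the default filled in, which will also flow into the resource docs.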
24 changes: 23 additions & 1 deletion docs/pages/reference/terraform-provider/resources/role.mdx
Expand Up @@ -503,12 +503,13 @@ Optional:
- `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
- `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
- `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
- `port_forwarding` (Boolean) Deprecated: Use SSHPortForwarding instead
- `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
- `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
- `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
- `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
- `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
- `ssh_port_forwarding` (Attributes) SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))

### Nested Schema for `spec.options.cert_extensions`

Expand Down Expand Up @@ -542,3 +543,24 @@ Optional:
- `desktop` (Boolean) Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
- `ssh` (String) SSH indicates the session mode used on SSH sessions.


### Nested Schema for `spec.options.ssh_port_forwarding`

Optional:

- `local` (Attributes) Allow local port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardinglocal))
- `remote` (Attributes) Allow remote port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardingremote))

### Nested Schema for `spec.options.ssh_port_forwarding.local`

Optional:

- `enabled` (Boolean)


### Nested Schema for `spec.options.ssh_port_forwarding.remote`

Optional:

- `enabled` (Boolean)
