Add tctl rm cap for resetting cluster auth preference to defaults (#…
andrejtokarcik authored May 19, 2021
1 parent 86a6abc commit 66ff76c
Showing 7 changed files with 439 additions and 332 deletions.
6 changes: 6 additions & 0 deletions api/client/client.go
Expand Up @@ -1370,3 +1370,9 @@ func (c *Client) SetClusterNetworkingConfig(ctx context.Context, netConfig types
func (c *Client) DeleteClusterNetworkingConfig(ctx context.Context) error {
return trace.NotImplemented(notImplementedMessage)
}

// ResetAuthPreference resets cluster auth preference to defaults.
func (c *Client) ResetAuthPreference(ctx context.Context) error {
_, err := c.grpc.ResetAuthPreference(ctx, &empty.Empty{})
return trail.FromGRPC(err)
}
697 changes: 368 additions & 329 deletions api/client/proto/authservice.pb.go


3 changes: 3 additions & 0 deletions api/client/proto/authservice.proto
Expand Up @@ -1102,4 +1102,7 @@ service AuthService {
rpc GetEvents(GetEventsRequest) returns (Events);
// In-session request for audit events.
rpc GetSessionEvents(GetSessionEventsRequest) returns (Events);

// ResetAuthPreference resets cluster auth preference to defaults.
rpc ResetAuthPreference(google.protobuf.Empty) returns (google.protobuf.Empty);
}
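Review bot: The new RPC's comment on the line above tells API consumers nothing about when the call is refused or what it requires, and this proto line is the only documentation a generated client will carry. The server implementation in lib/auth/auth_with_roles.go rejects the reset when the stored preference originates from the config file and requires the update verb on the cluster auth preference kind, so I would extend the comment to `// ResetAuthPreference resets cluster auth preference to defaults. Requires update permission on the cluster auth preference resource and fails when the preference is managed by the config file.`. The exact gRPC status code returned for the config-file case depends on how trail.ToGRPC maps trace.BadParameter, which is not visible here, so I would not promise a specific code in the comment.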
19 changes: 19 additions & 0 deletions lib/auth/auth_with_roles.go
Expand Up @@ -2210,6 +2210,7 @@ func (a *ServerWithRoles) SetStaticTokens(s services.StaticTokens) error {
return a.authServer.SetStaticTokens(s)
}

// GetAuthPreference gets cluster auth preference.
func (a *ServerWithRoles) GetAuthPreference() (services.AuthPreference, error) {
if err := a.action(defaults.Namespace, services.KindClusterAuthPreference, services.VerbRead); err != nil {
return nil, trace.Wrap(err)
Expand All @@ -2218,6 +2219,7 @@ func (a *ServerWithRoles) GetAuthPreference() (services.AuthPreference, error) {
return a.authServer.GetAuthPreference()
}

// SetAuthPreference sets cluster auth preference.
func (a *ServerWithRoles) SetAuthPreference(newAuthPref services.AuthPreference) error {
storedAuthPref, err := a.authServer.GetAuthPreference()
if err != nil {
Expand All @@ -2233,6 +2235,23 @@ func (a *ServerWithRoles) SetAuthPreference(newAuthPref services.AuthPreference)
return a.authServer.SetAuthPreference(newAuthPref)
}

// ResetAuthPreference resets cluster auth preference to defaults.
func (a *ServerWithRoles) ResetAuthPreference(ctx context.Context) error {
storedAuthPref, err := a.authServer.GetAuthPreference()
if err != nil {
return trace.Wrap(err)
}
if storedAuthPref.Origin() == types.OriginConfigFile {
return trace.BadParameter("config-file configuration cannot be reset")
}

if err := a.action(defaults.Namespace, services.KindClusterAuthPreference, services.VerbUpdate); err != nil {
return trace.Wrap(err)
}

return a.authServer.SetAuthPreference(types.DefaultAuthPreference())
}

// DeleteAuthPreference not implemented: can only be called locally.
func (a *ServerWithRoles) DeleteAuthPreference(context.Context) error {
return trace.NotImplemented(notImplementedMessage)
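Review bot: In ResetAuthPreference the authorization check `a.action(defaults.Namespace, services.KindClusterAuthPreference, services.VerbUpdate)` runs only after the stored preference has been read through `a.authServer.GetAuthPreference()` (which bypasses the read check that the GetAuthPreference wrapper in the first hunk enforces with VerbRead) and its origin has been inspected, so a caller without update rights gets the `config-file configuration cannot be reset` error instead of access denied and learns how the preference is managed. Move the `a.action(...)` check to the top of the function, ahead of the `a.authServer.GetAuthPreference()` call, so that unauthorized callers receive a uniform access-denied response regardless of cluster state. SetAuthPreference in the second hunk also reads the stored preference before anything else, but its body is cut off by the hunk, so whether it has the same ordering cannot be confirmed from here. DeleteAuthPreference at the end of this hunk continues outside it.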
3 changes: 3 additions & 0 deletions lib/auth/clt.go
Expand Up @@ -2043,4 +2043,7 @@ type ClientI interface {
// GetWebToken queries the existing web token described with req.
// Implements ReadAccessPoint.
GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)

// ResetAuthPreference resets cluster auth preference to defaults.
ResetAuthPreference(ctx context.Context) error
}
12 changes: 12 additions & 0 deletions lib/auth/grpcserver.go
Expand Up @@ -2470,6 +2470,18 @@ func (g *GRPCServer) SetClusterNetworkingConfig(ctx context.Context, netConfig *
return &empty.Empty{}, nil
}

// ResetAuthPreference resets cluster auth preference to defaults.
func (g *GRPCServer) ResetAuthPreference(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
auth, err := g.authenticate(ctx)
if err != nil {
return nil, trail.ToGRPC(err)
}
if err = auth.ServerWithRoles.ResetAuthPreference(ctx); err != nil {
return nil, trail.ToGRPC(err)
}
return &empty.Empty{}, nil
}

type grpcContext struct {
*Context
*ServerWithRoles
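Review bot: Nothing in the new ResetAuthPreference handler records the reset anywhere beyond the gRPC response; if the auth server emits audit events for other configuration changes (not visible in this hunk), a reset of the cluster-wide authentication settings should emit one too, since it is the kind of change a defender wants to see in the audit log. As a point of style, the second check reuses the `err` declared by `g.authenticate(ctx)`; the scoped form `if err := auth.ServerWithRoles.ResetAuthPreference(ctx); err != nil {` keeps the two errors independent and matches the init-statement idiom used elsewhere in this file. The grpcContext type that follows continues outside the hunk.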
31 changes: 28 additions & 3 deletions tool/tctl/common/resource_command.go
Expand Up @@ -434,7 +434,7 @@ func (rc *ResourceCommand) createAuthPreference(client auth.ClientI, raw service

managedByStaticConfig := storedAuthPref.Origin() == types.OriginConfigFile
if !rc.confirm && managedByStaticConfig {
return trace.BadParameter(managedByStaticConfigMsg)
return trace.BadParameter(managedByStaticCreateMsg)
}

if err := client.SetAuthPreference(newAuthPref); err != nil {
Expand All @@ -446,7 +446,8 @@ func (rc *ResourceCommand) createAuthPreference(client auth.ClientI, raw service

// Delete deletes resource by name
func (rc *ResourceCommand) Delete(client auth.ClientI) (err error) {
if rc.ref.Kind == "" || rc.ref.Name == "" {
singletonResources := []string{services.KindClusterAuthPreference}
if !utils.SliceContainsStr(singletonResources, rc.ref.Kind) && (rc.ref.Kind == "" || rc.ref.Name == "") {
return trace.BadParameter("provide a full resource name to delete, for example:\n$ tctl rm cluster/east\n")
}

Expand Down Expand Up @@ -517,12 +518,34 @@ func (rc *ResourceCommand) Delete(client auth.ClientI) (err error) {
return trace.Wrap(err)
}
fmt.Printf("kubernetes service %v has been deleted\n", rc.ref.Name)
case services.KindClusterAuthPreference:
if err = resetAuthPreference(ctx, client); err != nil {
return trace.Wrap(err)
}
fmt.Printf("cluster auth preference has been reset to defaults\n")
default:
return trace.BadParameter("deleting resources of type %q is not supported", rc.ref.Kind)
}
return nil
}

func resetAuthPreference(ctx context.Context, client auth.ClientI) error {
storedAuthPref, err := client.GetAuthPreference()
if err != nil {
return trace.Wrap(err)
}

managedByStatic := storedAuthPref.Origin() == types.OriginConfigFile
if managedByStatic {
return trace.BadParameter(managedByStaticDeleteMsg)
}

if err = client.ResetAuthPreference(ctx); err != nil {
return trace.Wrap(err)
}
return nil
}

// Update updates select resource fields: expiry and labels
func (rc *ResourceCommand) Update(clt auth.ClientI) error {
if rc.ref.Kind == "" || rc.ref.Name == "" {
Expand Down Expand Up @@ -868,6 +891,8 @@ func UpsertVerb(exists bool, force bool) string {
}
}

const managedByStaticConfigMsg = `This resource is managed by static configuration. We recommend removing configuration from teleport.yaml, restarting the servers and trying this command again.
const managedByStaticCreateMsg = `This resource is managed by static configuration. We recommend removing configuration from teleport.yaml, restarting the servers and trying this command again.
If you would still like to proceed, re-run the command with both --force and --confirm flags.`

const managedByStaticDeleteMsg = `This resource is managed by static configuration. In order to reset it to defaults, remove relevant configuration from teleport.yaml and restart the servers.`
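Review bot: The new resetAuthPreference helper in the second hunk has no doc comment, unlike Delete and Update around it; I would add `// resetAuthPreference resets the cluster auth preference to defaults, refusing locally with managedByStaticDeleteMsg when the stored preference comes from the config file; the server enforces the same condition.`. The client-side origin check exists only to give a friendlier message, since ServerWithRoles.ResetAuthPreference in lib/auth/auth_with_roles.go performs the authoritative check, so it is worth saying that in the comment to stop a future reader from treating it as the security boundary. The tail of the helper can be shortened to `return trace.Wrap(client.ResetAuthPreference(ctx))`, and the single-use `managedByStatic` local can be inlined into its `if`, matching the terser style of the surrounding code. The `ctx` passed at the new `case services.KindClusterAuthPreference:` branch is defined outside the hunk, so its origin could not be checked here.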
