Allow auth to reject outdated clients #38026

Merged 1 commit on Feb 13, 2024


@rosstimothy (Contributor) commented Feb 9, 2024

Setting TELEPORT_UNSTABLE_REJECT_OLD_CLIENTS=yes on the Auth process now enforces that any clients connected are running a supported version. Clients connecting with an unsupported major version are terminated by Auth.

Changelog: Optionally permit the auth server to terminate client connections from unsupported versions.

@rosstimothy rosstimothy force-pushed the tross/deny_old_clients branch 6 times, most recently from fee0e7d to 5bb13b2 Compare February 9, 2024 19:57
@rosstimothy rosstimothy changed the base branch from master to tross/semver_version February 9, 2024 19:57
@rosstimothy rosstimothy force-pushed the tross/semver_version branch 4 times, most recently from c21a745 to 046c483 Compare February 9, 2024 20:27
@rosstimothy rosstimothy force-pushed the tross/deny_old_clients branch 3 times, most recently from 6b9668d to cedcb1a Compare February 9, 2024 20:41
@rosstimothy rosstimothy marked this pull request as ready for review February 9, 2024 20:53
@rosstimothy (Contributor, Author)

FYI @zmb3 @fspmarshall @espadolini this implements what we discussed in the scale meeting yesterday.

Setting `TELEPORT_UNSTABLE_REJECT_OLD_CLIENTS=yes` on the Auth process now
enforces that any clients connected are running a supported version.
Clients connecting with an unsupported major version are terminated
by Auth.
@rosstimothy rosstimothy added this pull request to the merge queue Feb 13, 2024
Merged via the queue into master with commit 1edf43d Feb 13, 2024
34 checks passed
@rosstimothy rosstimothy deleted the tross/deny_old_clients branch February 13, 2024 22:37
@public-teleport-github-review-bot

@rosstimothy See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v13 | Failed |
| branch/v14 | Failed |
| branch/v15 | Create PR |

rosstimothy added a commit that referenced this pull request Feb 13, 2024
Setting `TELEPORT_UNSTABLE_REJECT_OLD_CLIENTS=yes` on the Auth process now
enforces that any clients connected are running a supported version.
Clients connecting with an unsupported major version are terminated
by Auth.
github-merge-queue bot pushed a commit that referenced this pull request Feb 14, 2024
Setting `TELEPORT_UNSTABLE_REJECT_OLD_CLIENTS=yes` on the Auth process now
enforces that any clients connected are running a supported version.
Clients connecting with an unsupported major version are terminated
by Auth.
rosstimothy added a commit that referenced this pull request May 13, 2024
#38026 made rejecting clients running unsupported major versions an
opt-in behavior. Moving forward (v16 and beyond) this is now going
to be an opt-out behavior (`TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS=yes`).
In addition, a cluster alert is now being emitted once for the life
of an Auth process if it rejects an unsupported client - with
visibility limited to users with token:create permissions.
github-merge-queue bot pushed a commit that referenced this pull request May 13, 2024
#38026 made rejecting clients running unsupported major versions an
opt-in behavior. Moving forward (v16 and beyond) this is now going
to be an opt-out behavior (`TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS=yes`).
In addition, a cluster alert is now being emitted once for the life
of an Auth process if it rejects an unsupported client - with
visibility limited to users with token:create permissions.
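
The version gate described in the PR description and the later commit message, as an added example that is not taken from the Teleport code base: it shows the opt-in switch before v16 and the opt-out switch from v16 on. The environment variable names and the v16 boundary come from the page; the one-major-version support window, the fail-closed handling of unparsable client versions, and all function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

const supportedMajorsBehind = 1 // assumption: the page does not state the support window
var errUnsupportedClient = errors.New("unsupported client major version")

// majorOf extracts the major number from versions like "15.1.0" or "v14.3.2-rc.1".
func majorOf(version string) (int, error) {
	head, _, _ := strings.Cut(strings.TrimPrefix(strings.TrimSpace(version), "v"), ".")
	major, err := strconv.Atoi(head)
	if err != nil || major < 0 {
		return 0, fmt.Errorf("unparsable version %q", version)
	}
	return major, nil
}

// enforcing reports whether the gate is active: opt-in before v16, opt-out from v16 on.
func enforcing(serverMajor int, getenv func(string) string) bool {
	if serverMajor >= 16 {
		return getenv("TELEPORT_UNSTABLE_ALLOW_OLD_CLIENTS") != "yes"
	}
	return getenv("TELEPORT_UNSTABLE_REJECT_OLD_CLIENTS") == "yes"
}

// checkClient returns errUnsupportedClient when the connection should be terminated.
func checkClient(serverVersion, clientVersion string, getenv func(string) string) error {
	serverMajor, err := majorOf(serverVersion)
	if err != nil {
		return err
	}
	if !enforcing(serverMajor, getenv) {
		return nil
	}
	// Assumption: a missing or garbled client version fails closed while enforcing.
	clientMajor, err := majorOf(clientVersion)
	if err != nil || clientMajor < serverMajor-supportedMajorsBehind {
		return errUnsupportedClient
	}
	return nil
}

// Constructed sample versions; the result depends on the real process environment.
func main() { fmt.Println(checkClient("15.0.0", "13.4.1", os.Getenv)) }
```

Passing the environment lookup as a parameter keeps the decision testable without mutating the process environment.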