Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add remote address to failed/succeeded Bot/Instance joins #41452

Merged
merged 3 commits into from May 17, 2024
Merged

Add remote address to failed/succeeded Bot/Instance joins #41452

merged 3 commits into from May 17, 2024

Conversation

strideynet
Copy link
Contributor

Closes #41421 partially - there's still a few potential cases where due to how we propagate the client IP, we actually don't know it until part of the way through the joining process (for challenge-response methods like IAM). We could eventually refactor to improve this and get this information at the start of the process.

changelog: Adds the remote address to audit log events emitted when a join for a Bot or Instance fails or succeeds.

hugoShaka
hugoShaka reviewed May 13, 2024
View reviewed changes
lib/auth/join_azure.go
@@ -372,6 +372,7 @@ func (a *Server) RegisterUsingAzureMethod(
if err != nil {
return nil, trace.Wrap(err)
}
joinRequest = req.RegisterUsingTokenRequest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So before we were always calling handleJoinFailure with nil?

Also if I understand correctly, we don't log any information server-side if the challenge failes?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it looks like there was a bug previously for IAM/Azure, my fault, but essentially it would never show the additional info.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this line be before the challenge block so we can log the details of the failed challenges?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately previous design has shot us in the foot here - we don't know the RegisterUsingTokenRequest before we've issued the challenge and received the response from the client. I have no clue why the client doesn't send this until we've issued the challenge /shrug

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😭 This makes troubleshooting failed joins way harder

@strideynet
Copy link
Contributor Author

@justinas are you able to take a look at this tomorrow, I'd like to try and get this shipped in the next release to unblock a customer's troubleshooting on Cloud.

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from justinas May 17, 2024 09:24
@strideynet strideynet added this pull request to the merge queue May 17, 2024
Merged via the queue into master with commit 9730962 May 17, 2024
40 checks passed
@strideynet strideynet deleted the strideynet/improve-failed-join-logging branch May 17, 2024 10:02
@public-teleport-github-review-bot
Copy link

@strideynet See the table below for backport results.

Branch Result
branch/v13 Failed
branch/v14 Failed
branch/v15 Failed

strideynet added a commit that referenced this pull request May 17, 2024
@strideynet
Add remote address to failed/succeeded Bot/Instance joins (#41452)
4b61a37 
* Add connection metadata to instance join/bot join events

* Add RemoteAddr to join failure/succsss logging
strideynet added a commit that referenced this pull request May 17, 2024
@strideynet
Add remote address to failed/succeeded Bot/Instance joins (#41452)
5789203 
* Add connection metadata to instance join/bot join events

* Add RemoteAddr to join failure/succsss logging
strideynet added a commit that referenced this pull request May 17, 2024
@strideynet
Add remote address to failed/succeeded Bot/Instance joins (#41452)
f06c712 
* Add connection metadata to instance join/bot join events

* Add RemoteAddr to join failure/succsss logging
This was referenced May 17, 2024
Merged
Merged
Merged
github-merge-queue bot pushed a commit that referenced this pull request May 17, 2024
@strideynet
Add remote address to failed/succeeded Bot/Instance joins (#41452) (#…
e7c780b 
…41699)

* Add connection metadata to instance join/bot join events

* Add RemoteAddr to join failure/succsss logging
github-merge-queue bot pushed a commit that referenced this pull request May 17, 2024
@strideynet
Add remote address to failed/succeeded Bot/Instance joins (#41452) (#…
f51b5e4 
…41700)

* Add connection metadata to instance join/bot join events

* Add RemoteAddr to join failure/succsss logging
github-merge-queue bot pushed a commit that referenced this pull request May 17, 2024
@strideynet
Add remote address to failed/succeeded Bot/Instance joins (#41452) (#…
1e4e923 
…41698)

* Add connection metadata to instance join/bot join events

* Add RemoteAddr to join failure/succsss logging
justinas pushed a commit that referenced this pull request May 20, 2024
@strideynet @justinas
Add remote address to failed/succeeded Bot/Instance joins (#41452)
e87ca92 
* Add connection metadata to instance join/bot join events

* Add RemoteAddr to join failure/succsss logging
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcoandredinis marcoandredinis marcoandredinis approved these changes

@hugoShaka hugoShaka hugoShaka approved these changes

Assignees
No one assigned
Labels
backport/branch/v13 backport/branch/v14 backport/branch/v15 size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Include source info for node/bot join fails
3 participants
@strideynet @marcoandredinis @hugoShaka