github gravitational/teleport v6.0.0
Teleport 6.0.0

3 years ago

Teleport 6.0 is a major release with new features, functionality, and bug fixes.

New Features

We have implemented Database Access, open sourced role-based access control (RBAC), and added an official API and a Go client library.

Users can review the 6.0 milestone on GitHub for more details.

Database Access

Review the Database Access design in RFD #11.

With Database Access, users can connect to PostgreSQL and MySQL databases using short-lived certificates, configure SSO authentication and role-based access controls for databases, and capture SQL query activity in the audit log.

Getting Started

Configure Database Access following the Getting Started guide.

Guides

Resources

To learn more about configuring role-based access control for Database Access, check out the RBAC section.

Architecture provides a more in-depth look at Database Access internals such as networking and security.

See Reference for an overview of Database Access related configuration and CLI commands.

Finally, check out Frequently Asked Questions.

OSS RBAC

Open source RBAC support was introduced in RFD #7.

RBAC support gives OSS administrators more granular access controls to servers and other resources within a cluster (like session recording access). An example of an RBAC policy could be: "admins can do anything, developers must never touch production servers and interns can only SSH into staging servers as guests".

In addition, some Access Workflow Plugins will now become available to open source users.

  • Access Workflows Golang SDK and API
  • Slack
  • Gitlab
  • Mattermost
  • JIRA Plugin
  • PagerDuty Plugin

Client libraries and API

API and Client Libraries support was introduced in RFD #10.

The new API and client library reduce the dependencies needed to use the Teleport API and make it easier to use. An example of using the new API is below.

// Create a client connected to the Auth server with an exported identity file.
clt, err := client.NewClient(client.Config{
  Addrs: []string{"auth.example.com:3025"},
  Credentials: []client.Credentials{
    client.LoadIdentityFile("identity.pem"),
  },
})
if err != nil {
  log.Fatalf("Failed to create client: %v.", err)
}
defer clt.Close()

// Create an Access Request. ctx is a context.Context supplied by the caller.
accessRequest, err := types.NewAccessRequest(uuid.New(), "access-admin", "admin")
if err != nil {
  log.Fatalf("Failed to build access request: %v.", err)
}
if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil {
  log.Fatalf("Failed to create access request: %v.", err)
}

Improvements

  • Added utmp/wtmp support for SSH in #5491.
  • Added the ability to set a Kubernetes specific public address in #5611.
  • Added Proxy Protocol support to Kubernetes Access in #5299.
  • Added ACME (Let's Encrypt) support to make getting and using TLS certificates easier. #5177.
  • Added the ability to manage local users to the Web UI in #2945.
  • Added the ability to preserve timestamps when using tsh scp in #2889.

Fixes

  • Fixed authentication failure when logging in via CLI with Access Workflows after removing .tsh directory in #5323.
  • Fixed tsh login failure when --proxy differs from actual proxy public address in #5380.
  • Fixed session playback issues in #2945.
  • Fixed several UX issues in #5559, #5568, #4965, and #5057.

Upgrade Notes

Please follow our standard upgrade procedure to upgrade your cluster.

Note: for clusters using GitHub SSO and Trusted Clusters, SSO users will lose connectivity to leaf clusters when upgrading. Local users will not be affected.

To restore connectivity to leaf clusters for SSO users, leaf admins should update the trusted_cluster role mapping resource as shown below.

kind: trusted_cluster
version: v2
metadata:
   name: "zztop-oss"
spec:
   enabled: true
   token: "bar"
   web_proxy_addr: 172.10.1.1:3080
   tunnel_addr: 172.10.1.1:3024
   role_map:
   - remote: "admin"
     local: ['admin']
   - remote: "^(github-.*)$"
     local: ['admin']
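
To check which remote roles this role_map resolves to the leaf's admin role, here is an added example (not Teleport's own code) that evaluates the mapping above. It assumes simplified matching semantics, and the role names passed in main are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleMapping mirrors one role_map entry of the trusted_cluster resource.
type RoleMapping struct{ Remote string; Local []string }

// UpgradeNoteMap is the role_map from the upgrade note above.
var UpgradeNoteMap = []RoleMapping{
	{"admin", []string{"admin"}},
	{"^(github-.*)$", []string{"admin"}},
}

// MapRoles returns the local roles granted for remoteRoles. Assumed semantics:
// a Remote wrapped in ^...$ is a regexp, anything else is an exact role name.
func MapRoles(roleMap []RoleMapping, remoteRoles []string) ([]string, error) {
	seen, local := map[string]bool{}, []string{}
	for _, m := range roleMap {
		match := func(r string) bool { return r == m.Remote }
		if strings.HasPrefix(m.Remote, "^") && strings.HasSuffix(m.Remote, "$") {
			re, err := regexp.Compile(m.Remote)
			if err != nil {
				return nil, fmt.Errorf("bad role_map pattern %q: %w", m.Remote, err)
			}
			match = re.MatchString
		}
		for _, remote := range remoteRoles {
			for _, l := range m.Local {
				if match(remote) && !seen[l] {
					seen[l] = true
					local = append(local, l)
				}
			}
		}
	}
	return local, nil
}

func main() {
	for _, r := range []string{"admin", "github-dev", "intern"} { // constructed names
		got, err := MapRoles(UpgradeNoteMap, []string{r})
		fmt.Println(r, "->", got, err)
	}
}
```

Under this mapping every remote role whose name starts with github- receives the leaf's admin role, so narrow the pattern or the local role list if that is broader than intended.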

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
