From b4f4e7142befe00ac232c3dc2bd0b70f9275164b Mon Sep 17 00:00:00 2001 
From: Paul Gottschling Date: Mon, 10 Jun 2024 14:11:34 -0400 Subject: [PATCH] Reorganize Kubernetes Access and Desktop Access This change moves most of the guides in these sections in to the Protect Resources section of Admin Guides. Some guides are more like references, though, and this change moves these guides into Reference. --- docs/pages/admin-guides.mdx | 2 + docs/pages/admin-guides/protect-resources.mdx | 23 ++ .../protect-resources/desktop-access.mdx | 15 ++ .../active-directory-manual.mdx | 0 .../desktop-access}/clipboard.mdx | 0 .../desktop-access/directory-sharing.mdx | 0 .../desktop-access/getting-started.mdx | 0 .../desktop-access/introduction.mdx | 0 .../desktop-access}/sessions.mdx | 2 +- .../desktop-access/troubleshooting.mdx | 0 .../desktop-access}/user-creation.mdx | 0 .../protect-resources}/kubernetes-access.mdx | 2 - .../kubernetes-access/getting-started.mdx | 0 .../kubernetes-access/introduction.mdx | 0 .../kubernetes-access/manage-access.mdx | 0 .../kubernetes-access/register-clusters.mdx | 0 .../dynamic-registration.mdx | 0 .../register-clusters/iam-joining.mdx | 0 .../register-clusters/static-kubeconfig.mdx | 0 .../kubernetes-access/troubleshooting.mdx | 0 docs/pages/desktop-access.mdx | 24 -- docs/pages/desktop-access/reference.mdx | 14 -- docs/pages/reference.mdx | 7 +- docs/pages/reference/cli.mdx | 1 + .../cli/desktop-access.mdx} | 0 docs/pages/reference/config-references.mdx | 1 + .../database-access-config.mdx} | 0 docs/pages/reference/faq.mdx | 1 + .../faq/kubernetes-access.mdx} | 0 docs/pages/reference/monitoring.mdx | 8 +- docs/pages/reference/monitoring/audit.mdx | 235 +----------------- .../reference/monitoring/audit/audit.mdx | 234 +++++++++++++++++ .../monitoring/audit/desktop-events.mdx} | 0 docs/pages/reference/rbac.mdx | 2 + .../rbac}/controls.mdx | 2 +- .../rbac/desktop-access.mdx} | 0 package.json | 2 +- 37 files changed, 300 insertions(+), 275 deletions(-) create mode 100644 
docs/pages/admin-guides/protect-resources/desktop-access.mdx rename docs/pages/{ => admin-guides/protect-resources}/desktop-access/active-directory-manual.mdx (100%) rename docs/pages/{desktop-access/reference => admin-guides/protect-resources/desktop-access}/clipboard.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/desktop-access/directory-sharing.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/desktop-access/getting-started.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/desktop-access/introduction.mdx (100%) rename docs/pages/{desktop-access/reference => admin-guides/protect-resources/desktop-access}/sessions.mdx (97%) rename docs/pages/{ => admin-guides/protect-resources}/desktop-access/troubleshooting.mdx (100%) rename docs/pages/{desktop-access/reference => admin-guides/protect-resources/desktop-access}/user-creation.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access.mdx (84%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/getting-started.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/introduction.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/manage-access.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/register-clusters.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/register-clusters/dynamic-registration.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/register-clusters/iam-joining.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/register-clusters/static-kubeconfig.mdx (100%) rename docs/pages/{ => admin-guides/protect-resources}/kubernetes-access/troubleshooting.mdx (100%) delete mode 100644 docs/pages/desktop-access.mdx delete mode 100644 docs/pages/desktop-access/reference.mdx rename docs/pages/{desktop-access/reference/cli.mdx => 
reference/cli/desktop-access.mdx} (100%)
rename docs/pages/{desktop-access/reference/configuration.mdx => reference/config-references/database-access-config.mdx} (100%)
rename docs/pages/{kubernetes-access/faq.mdx => reference/faq/kubernetes-access.mdx} (100%)
create mode 100644 docs/pages/reference/monitoring/audit/audit.mdx
rename docs/pages/{desktop-access/reference/audit.mdx => reference/monitoring/audit/desktop-events.mdx} (100%)
rename docs/pages/{kubernetes-access => reference/rbac}/controls.mdx (99%)
rename docs/pages/{desktop-access/rbac.mdx => reference/rbac/desktop-access.mdx} (100%)
diff --git a/docs/pages/admin-guides.mdx b/docs/pages/admin-guides.mdx
index 4141a2e1bff9c..fc6592d7f0332 100644
--- a/docs/pages/admin-guides.mdx
+++ b/docs/pages/admin-guides.mdx
@@ -33,6 +33,8 @@ Guides for enrolling servers, databases, and other infrastructure resources with
 - [Protect Linux Servers with Teleport (section)](admin-guides/protect-resources/server-access.mdx): How to enroll Linux servers in your Teleport cluster to enable secure SSH access.
 - [Teleport Agents (section)](admin-guides/protect-resources/agents.mdx): How to use Teleport Agents, which enable users to connect to resources in your infrastructure.
 - [Teleport Auto-Discovery (section)](admin-guides/protect-resources/auto-discovery.mdx): Learn how to use the Teleport Discovery Service, which automatically enrolls resources by query APIs
+- [Teleport Desktop Access (section)](admin-guides/protect-resources/desktop-access.mdx): How to proctect Windows Desktops with Teleport
+- [Teleport Kubernetes Access (section)](admin-guides/protect-resources/kubernetes-access.mdx): Protect Kubernetes clusters with Teleport
 
 ## Self-Hosting Teleport
 
diff --git a/docs/pages/admin-guides/protect-resources.mdx b/docs/pages/admin-guides/protect-resources.mdx
index 9e6c2af2b25c4..6c90e0c02594a 100644
--- a/docs/pages/admin-guides/protect-resources.mdx
+++ b/docs/pages/admin-guides/protect-resources.mdx
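Review bot: The added Teleport Desktop Access entry carries the misspelling `proctect` in its summary, `How to proctect Windows Desktops with Teleport`; the same string is added in the new "Teleport Desktop Access" section of `protect-resources.mdx` and in the `description:` frontmatter of the new `admin-guides/protect-resources/desktop-access.mdx`. The string already existed in the deleted `docs/pages/desktop-access.mdx`, so the move is a good moment to correct it to `How to protect Windows Desktops with Teleport` in all three places. The index entries look generated from page frontmatter, so the frontmatter may be the only spot that needs a manual edit; worth confirming with whatever regenerates these lists.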
@@ -44,3 +44,26 @@ Learn how to use the Teleport Discovery Service, which automatically enrolls res
 - [Automatically Enroll Kubernetes Clusters (section)](protect-resources/auto-discovery/kubernetes.mdx): Register Kubernetes clusters with your Teleport cluster by polling service discovery endpoints.
 - [Enroll Kubernetes Services as Teleport Applications (section)](protect-resources/auto-discovery/kubernetes-applications.mdx): Teleport can automatically detect applications running in your Kubernetes clusters and register them with Teleport for secure access.
 - [Server Auto-Discovery (section)](protect-resources/auto-discovery/servers.mdx): You can set up the Teleport Discovery Service to automatically enroll servers in your infrastructure.
+
+## Teleport Desktop Access
+
+How to proctect Windows Desktops with Teleport ([more info](protect-resources/desktop-access.mdx))
+
+- [Automatic User Creation](protect-resources/desktop-access/user-creation.mdx): Using Automatic User Creation with Teleport desktop access.
+- [Clipboard Sharing](protect-resources/desktop-access/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access.
+- [Configure access for Active Directory manually](protect-resources/desktop-access/active-directory-manual.mdx): Explains how to manually connect Teleport to an Active Directory domain.
+- [Configure access for local Windows users](protect-resources/desktop-access/getting-started.mdx): Use Teleport to configure passwordless access for local Windows users.
+- [Directory Sharing](protect-resources/desktop-access/directory-sharing.mdx): Teleport desktop Directory Sharing lets you easily send files to a remote desktop.
+- [Manage Access to Windows Resources](protect-resources/desktop-access/introduction.mdx): Demonstrates how you can manage access to Windows desktops with Teleport.
+- [Session Recording and Playback](protect-resources/desktop-access/sessions.mdx): Recording and playing back Teleport desktop access sessions.
+- [Troubleshooting Desktop Access](protect-resources/desktop-access/troubleshooting.mdx): Common issues and resolutions for Teleport's desktop access
+
+## Teleport Kubernetes Access
+
+Protect Kubernetes clusters with Teleport ([more info](protect-resources/kubernetes-access.mdx))
+
+- [Access Kubernetes Clusters with Teleport](protect-resources/kubernetes-access/introduction.mdx): Learn how Teleport can protect your Kubernetes clusters with RBAC, audit logging, and more.
+- [Enroll a Kubernetes Cluster](protect-resources/kubernetes-access/getting-started.mdx): Demonstrates how to enroll a Kubernetes cluster as a resource protected by Teleport.
+- [Kubernetes Access Troubleshooting](protect-resources/kubernetes-access/troubleshooting.mdx): Troubleshooting common issues with Kubernetes access
+- [Registering Kubernetes Clusters with Teleport (section)](protect-resources/kubernetes-access/register-clusters.mdx): How to manually add a Kubernetes cluster to Teleport after creating it.
+- [Setting Up Teleport Access Controls for Kubernetes](protect-resources/kubernetes-access/manage-access.mdx): How to configure Teleport roles to access clusters, groups, users, and resources in Kubernetes.
diff --git a/docs/pages/admin-guides/protect-resources/desktop-access.mdx b/docs/pages/admin-guides/protect-resources/desktop-access.mdx
new file mode 100644
index 0000000000000..c411f8060c073
--- /dev/null
+++ b/docs/pages/admin-guides/protect-resources/desktop-access.mdx
@@ -0,0 +1,15 @@
+---
+title: Teleport Desktop Access
+description: How to proctect Windows Desktops with Teleport
+---
+
+{/*TOPICS*/}
+
+- [Automatic User Creation](desktop-access/user-creation.mdx): Using Automatic User Creation with Teleport desktop access.
+- [Clipboard Sharing](desktop-access/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access.
+- [Configure access for Active Directory manually](desktop-access/active-directory-manual.mdx): Explains how to manually connect Teleport to an Active Directory domain.
+- [Configure access for local Windows users](desktop-access/getting-started.mdx): Use Teleport to configure passwordless access for local Windows users.
+- [Directory Sharing](desktop-access/directory-sharing.mdx): Teleport desktop Directory Sharing lets you easily send files to a remote desktop.
+- [Manage Access to Windows Resources](desktop-access/introduction.mdx): Demonstrates how you can manage access to Windows desktops with Teleport.
+- [Session Recording and Playback](desktop-access/sessions.mdx): Recording and playing back Teleport desktop access sessions.
+- [Troubleshooting Desktop Access](desktop-access/troubleshooting.mdx): Common issues and resolutions for Teleport's desktop access
diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/active-directory-manual.mdx
similarity index 100%
rename from docs/pages/desktop-access/active-directory-manual.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/active-directory-manual.mdx
diff --git a/docs/pages/desktop-access/reference/clipboard.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/clipboard.mdx
similarity index 100%
rename from docs/pages/desktop-access/reference/clipboard.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/clipboard.mdx
diff --git a/docs/pages/desktop-access/directory-sharing.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/directory-sharing.mdx
similarity index 100%
rename from docs/pages/desktop-access/directory-sharing.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/directory-sharing.mdx
diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/getting-started.mdx
similarity index 100%
rename from docs/pages/desktop-access/getting-started.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/getting-started.mdx
diff --git a/docs/pages/desktop-access/introduction.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/introduction.mdx
similarity index 100%
rename from docs/pages/desktop-access/introduction.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/introduction.mdx
diff --git a/docs/pages/desktop-access/reference/sessions.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/sessions.mdx
similarity index 97%
rename from docs/pages/desktop-access/reference/sessions.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/sessions.mdx
index 7e4903e2287d5..92450ace27b84 100644
--- a/docs/pages/desktop-access/reference/sessions.mdx
+++ b/docs/pages/admin-guides/protect-resources/desktop-access/sessions.mdx
@@ -62,7 +62,7 @@ Recorded sessions can be viewed in the *Session Recordings* page under the
 *Activity* section in the *Management* area. Desktop recordings show a desktop
 icon in the first column to distinguish them from SSH recordings.
 
-![Desktop Session Recording](../../../img/desktop-access/session-recording@2x.png)
+![Desktop Session Recording](../../../../img/desktop-access/session-recording@2x.png)
 
 Click the play button to open the player in a new tab. To export desktop session recordings to video for playback outside of Teleport, use the
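Review bot: The image path change in this hunk (`../../../img/` to `../../../../img/`) is needed because the move from `docs/pages/desktop-access/reference/` to `docs/pages/admin-guides/protect-resources/desktop-access/` adds a directory level, yet the sibling pages in this commit are renamed at 100% similarity with no content change (`clipboard.mdx`, `user-creation.mdx`, `active-directory-manual.mdx`, `directory-sharing.mdx`, `getting-started.mdx`, `introduction.mdx`, `troubleshooting.mdx`, and the `kubernetes-access/` pages, which move two levels deeper). Any `../`-relative image or page link inside those files would now resolve one or two levels short, exactly as this one did before the fix. Their contents are not in the diff, so this cannot be confirmed here; a link check over all renamed pages before merge would settle it.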
diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/troubleshooting.mdx
similarity index 100%
rename from docs/pages/desktop-access/troubleshooting.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/troubleshooting.mdx
diff --git a/docs/pages/desktop-access/reference/user-creation.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/user-creation.mdx
similarity index 100%
rename from docs/pages/desktop-access/reference/user-creation.mdx
rename to docs/pages/admin-guides/protect-resources/desktop-access/user-creation.mdx
diff --git a/docs/pages/kubernetes-access.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access.mdx
similarity index 84%
rename from docs/pages/kubernetes-access.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access.mdx
index b7a273b80abb8..96d63052885d4 100644
--- a/docs/pages/kubernetes-access.mdx
+++ b/docs/pages/admin-guides/protect-resources/kubernetes-access.mdx
@@ -7,10 +7,8 @@ description: Protect Kubernetes clusters with Teleport
 
 - [Access Kubernetes Clusters with Teleport](kubernetes-access/introduction.mdx): Learn how Teleport can protect your Kubernetes clusters with RBAC, audit logging, and more.
 - [Enroll a Kubernetes Cluster](kubernetes-access/getting-started.mdx): Demonstrates how to enroll a Kubernetes cluster as a resource protected by Teleport.
-- [Kubernetes Access FAQ](kubernetes-access/faq.mdx): Frequently asked questions about Teleport Kubernetes Access
 - [Kubernetes Access Troubleshooting](kubernetes-access/troubleshooting.mdx): Troubleshooting common issues with Kubernetes access
 - [Setting Up Teleport Access Controls for Kubernetes](kubernetes-access/manage-access.mdx): How to configure Teleport roles to access clusters, groups, users, and resources in Kubernetes.
-- [Teleport Kubernetes Access Controls](kubernetes-access/controls.mdx): How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes
 
 ## Registering Kubernetes Clusters with Teleport
 
diff --git a/docs/pages/kubernetes-access/getting-started.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/getting-started.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/getting-started.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/getting-started.mdx
diff --git a/docs/pages/kubernetes-access/introduction.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/introduction.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/introduction.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/introduction.mdx
diff --git a/docs/pages/kubernetes-access/manage-access.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/manage-access.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/manage-access.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/manage-access.mdx
diff --git a/docs/pages/kubernetes-access/register-clusters.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/register-clusters.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters.mdx
diff --git a/docs/pages/kubernetes-access/register-clusters/dynamic-registration.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/dynamic-registration.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/register-clusters/dynamic-registration.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/dynamic-registration.mdx
diff --git a/docs/pages/kubernetes-access/register-clusters/iam-joining.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/iam-joining.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/register-clusters/iam-joining.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/iam-joining.mdx
diff --git a/docs/pages/kubernetes-access/register-clusters/static-kubeconfig.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/static-kubeconfig.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/register-clusters/static-kubeconfig.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/static-kubeconfig.mdx
diff --git a/docs/pages/kubernetes-access/troubleshooting.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/troubleshooting.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/troubleshooting.mdx
rename to docs/pages/admin-guides/protect-resources/kubernetes-access/troubleshooting.mdx
diff --git a/docs/pages/desktop-access.mdx b/docs/pages/desktop-access.mdx
deleted file mode 100644
index e473d82d0eff1..0000000000000
--- a/docs/pages/desktop-access.mdx
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Teleport Desktop Access
-description: How to proctect Windows Desktops with Teleport
----
-
-{/*TOPICS*/}
-
-- [Configure access for Active Directory manually](desktop-access/active-directory-manual.mdx): Explains how to manually connect Teleport to an Active Directory domain.
-- [Configure access for local Windows users](desktop-access/getting-started.mdx): Use Teleport to configure passwordless access for local Windows users.
-- [Directory Sharing](desktop-access/directory-sharing.mdx): Teleport desktop Directory Sharing lets you easily send files to a remote desktop.
-- [Manage Access to Windows Resources](desktop-access/introduction.mdx): Demonstrates how you can manage access to Windows desktops with Teleport.
-- [Role-Based Access Control for Desktops](desktop-access/rbac.mdx): Role-based access control (RBAC) for desktops protected by Teleport.
-- [Troubleshooting Desktop Access](desktop-access/troubleshooting.mdx): Common issues and resolutions for Teleport's desktop access
-
-## Desktop Access Reference
-
-Comprehensive guides to configuring and auditing desktop access. ([more info](desktop-access/reference.mdx))
-
-- [Automatic User Creation](desktop-access/reference/user-creation.mdx): Using Automatic User Creation with Teleport desktop access.
-- [Clipboard Sharing](desktop-access/reference/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access.
-- [Desktop Access Audit Events Reference](desktop-access/reference/audit.mdx): Audit events reference for Teleport desktop access.
-- [Desktop Access CLI Reference](desktop-access/reference/cli.mdx): CLI reference for Teleport desktop access.
-- [Desktop Access Configuration Reference](desktop-access/reference/configuration.mdx): Configuration reference for Teleport desktop access.
-- [Session Recording and Playback](desktop-access/reference/sessions.mdx): Recording and playing back Teleport desktop access sessions.
diff --git a/docs/pages/desktop-access/reference.mdx b/docs/pages/desktop-access/reference.mdx
deleted file mode 100644
index 1b203b73119c0..0000000000000
--- a/docs/pages/desktop-access/reference.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Desktop Access Reference
-description: Comprehensive guides to configuring and auditing desktop access.
-layout: tocless-doc
----
-
-{/*TOPICS*/}
-
-- [Automatic User Creation](reference/user-creation.mdx): Using Automatic User Creation with Teleport desktop access.
-- [Clipboard Sharing](reference/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access.
-- [Desktop Access Audit Events Reference](reference/audit.mdx): Audit events reference for Teleport desktop access.
-- [Desktop Access CLI Reference](reference/cli.mdx): CLI reference for Teleport desktop access.
-- [Desktop Access Configuration Reference](reference/configuration.mdx): Configuration reference for Teleport desktop access.
-- [Session Recording and Playback](reference/sessions.mdx): Recording and playing back Teleport desktop access sessions.
diff --git a/docs/pages/reference.mdx b/docs/pages/reference.mdx
index 09b2afed55c95..5bfa87df09f5d 100644
--- a/docs/pages/reference.mdx
+++ b/docs/pages/reference.mdx
@@ -9,6 +9,7 @@ description: Comprehensive guides to commands, configuration options, and other
 
 Contains guides to frequently asked questions for various Teleport features and use cases. ([more info](reference/faq.mdx))
 
+- [Kubernetes Access FAQ](reference/faq/kubernetes-access.mdx): Frequently asked questions about Teleport Kubernetes Access
 - [Teleport Enterprise Cloud FAQ](reference/faq/cloud-hosting.mdx): Teleport cloud frequently asked questions.
 - [Teleport FAQ](reference/faq/faq.mdx): Frequently Asked Questions About Using Teleport
 
@@ -29,6 +30,8 @@ References for concepts and tools available for operating Teleport. ([more info]
 Available options for configuring access to Teleport privileges and infrastructure resources. ([more info](reference/rbac.mdx))
 
 - [Access Controls for Servers](reference/rbac/server-rbac.mdx): Role-based access control (RBAC) for Teleport server access.
+- [Role-Based Access Control for Desktops](reference/rbac/desktop-access.mdx): Role-based access control (RBAC) for desktops protected by Teleport.
+- [Teleport Kubernetes Access Controls](reference/rbac/controls.mdx): How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes
 
 ## Teleport Architecture Guides
 
@@ -52,6 +55,7 @@ Guides to the inner workings of components within a Teleport cluster. ([more inf
 Comprehensive lists of commands, arguments, and flags for Teleport CLI tools. ([more info](reference/cli.mdx))
 
 - [CLI Reference Introduction](reference/cli/overview.mdx): Detailed guide and reference documentation for Teleport's command line interface (CLI) tools.
+- [Desktop Access CLI Reference](reference/cli/desktop-access.mdx): CLI reference for Teleport desktop access.
 - [tbot CLI reference](reference/cli/tbot.mdx): Comprehensive reference of subcommands, flags, and arguments for the tbot CLI tool.
 - [tctl CLI reference](reference/cli/tctl.mdx): Comprehensive reference of subcommands, flags, and arguments for the tctl CLI tool.
 - [teleport CLI Reference](reference/cli/teleport.mdx): Comprehensive reference of subcommands, flags, and arguments for the teleport CLI tool.
@@ -61,6 +65,7 @@ Comprehensive lists of commands, arguments, and flags for Teleport CLI tools. ([
 
 Comprehensive guides to configuring Teleport. ([more info](reference/config-references.mdx))
 
+- [Desktop Access Configuration Reference](reference/config-references/database-access-config.mdx): Configuration reference for Teleport desktop access.
 - [Helm Chart Reference (section)](reference/config-references/helm-reference.mdx): Comprehensive lists of configuration values in Teleport's Helm charts
 - [Predicate Language](reference/config-references/predicate-language.mdx): How to use Teleport's predicate language to define filter conditions.
 - [Teleport Configuration Reference](reference/config-references/config.mdx): The detailed guide and reference documentation for configuring Teleport for SSH and Kubernetes access.
@@ -71,9 +76,9 @@ Comprehensive guides to configuring Teleport. ([more info](reference/config-refe
 
 How to obtain information about activity in your Teleport cluster. ([more info](reference/monitoring.mdx))
 
-- [Audit Events and Records](reference/monitoring/audit.mdx): Reference of Teleport Audit Events and Session Records
 - [Distributed Tracing Configuration Reference](reference/monitoring/configuration.mdx): Configuration reference for Distributed Tracing.
 - [Distributed Tracing](reference/monitoring/tracing.mdx): How to enable tracing within Teleport.
 - [Health Monitoring](reference/monitoring/monitoring.mdx): Monitoring health and readiness.
 - [Metrics](reference/monitoring/metrics.mdx): How to enable and consume metrics
 - [Profiling](reference/monitoring/profiles.mdx): Collecting pprof profiles.
+- [Teleport Audit Event References (section)](reference/monitoring/audit.mdx): Reference guides to audit events that you can export and track in Teleport.
diff --git a/docs/pages/reference/cli.mdx b/docs/pages/reference/cli.mdx
index 8fbebebcceb21..4839854a4974a 100644
--- a/docs/pages/reference/cli.mdx
+++ b/docs/pages/reference/cli.mdx
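Review bot: The new entry `- [Desktop Access Configuration Reference](reference/config-references/database-access-config.mdx)` points the desktop access configuration page at a file named for database access; the rename in this commit moves `docs/pages/desktop-access/reference/configuration.mdx` to `docs/pages/reference/config-references/database-access-config.mdx`, so the link resolves, but the path is misleading and will collide with any future database access configuration reference. The same link is added in the `config-references.mdx` index hunk further down. Renaming the target to follow the pattern the other moved desktop pages use, for example `reference/config-references/desktop-access.mdx` alongside `reference/cli/desktop-access.mdx` and `reference/rbac/desktop-access.mdx`, and updating both index entries would fix it.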
@@ -6,6 +6,7 @@ description: Comprehensive lists of commands, arguments, and flags for Teleport
 {/*TOPICS*/}
 
 - [CLI Reference Introduction](cli/overview.mdx): Detailed guide and reference documentation for Teleport's command line interface (CLI) tools.
+- [Desktop Access CLI Reference](cli/desktop-access.mdx): CLI reference for Teleport desktop access.
 - [tbot CLI reference](cli/tbot.mdx): Comprehensive reference of subcommands, flags, and arguments for the tbot CLI tool.
 - [tctl CLI reference](cli/tctl.mdx): Comprehensive reference of subcommands, flags, and arguments for the tctl CLI tool.
 - [teleport CLI Reference](cli/teleport.mdx): Comprehensive reference of subcommands, flags, and arguments for the teleport CLI tool.
diff --git a/docs/pages/desktop-access/reference/cli.mdx b/docs/pages/reference/cli/desktop-access.mdx
similarity index 100%
rename from docs/pages/desktop-access/reference/cli.mdx
rename to docs/pages/reference/cli/desktop-access.mdx
diff --git a/docs/pages/reference/config-references.mdx b/docs/pages/reference/config-references.mdx
index fbee02639d660..9d552d34e094c 100644
--- a/docs/pages/reference/config-references.mdx
+++ b/docs/pages/reference/config-references.mdx
@@ -5,6 +5,7 @@ description: Comprehensive guides to configuring Teleport.
 
 {/*TOPICS*/}
 
+- [Desktop Access Configuration Reference](config-references/database-access-config.mdx): Configuration reference for Teleport desktop access.
 - [Predicate Language](config-references/predicate-language.mdx): How to use Teleport's predicate language to define filter conditions.
 - [Teleport Configuration Reference](config-references/config.mdx): The detailed guide and reference documentation for configuring Teleport for SSH and Kubernetes access.
 - [Teleport Resource Reference](config-references/resources.mdx): Reference documentation for Teleport resources
diff --git a/docs/pages/desktop-access/reference/configuration.mdx b/docs/pages/reference/config-references/database-access-config.mdx
similarity index 100%
rename from docs/pages/desktop-access/reference/configuration.mdx
rename to docs/pages/reference/config-references/database-access-config.mdx
diff --git a/docs/pages/reference/faq.mdx b/docs/pages/reference/faq.mdx
index 5329523b3b715..b823f0150e789 100644
--- a/docs/pages/reference/faq.mdx
+++ b/docs/pages/reference/faq.mdx
@@ -5,5 +5,6 @@ description: Contains guides to frequently asked questions for various Teleport
 
 {/*TOPICS*/}
 
+- [Kubernetes Access FAQ](faq/kubernetes-access.mdx): Frequently asked questions about Teleport Kubernetes Access
 - [Teleport Enterprise Cloud FAQ](faq/cloud-hosting.mdx): Teleport cloud frequently asked questions.
 - [Teleport FAQ](faq/faq.mdx): Frequently Asked Questions About Using Teleport
diff --git a/docs/pages/kubernetes-access/faq.mdx b/docs/pages/reference/faq/kubernetes-access.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/faq.mdx
rename to docs/pages/reference/faq/kubernetes-access.mdx
diff --git a/docs/pages/reference/monitoring.mdx b/docs/pages/reference/monitoring.mdx
index 2af6110da6786..2584229eb70db 100644
--- a/docs/pages/reference/monitoring.mdx
+++ b/docs/pages/reference/monitoring.mdx
@@ -5,9 +5,15 @@ description: How to obtain information about activity in your Teleport cluster.
 
 {/*TOPICS*/}
 
-- [Audit Events and Records](monitoring/audit.mdx): Reference of Teleport Audit Events and Session Records
 - [Distributed Tracing Configuration Reference](monitoring/configuration.mdx): Configuration reference for Distributed Tracing.
 - [Distributed Tracing](monitoring/tracing.mdx): How to enable tracing within Teleport.
 - [Health Monitoring](monitoring/monitoring.mdx): Monitoring health and readiness.
 - [Metrics](monitoring/metrics.mdx): How to enable and consume metrics
 - [Profiling](monitoring/profiles.mdx): Collecting pprof profiles.
+
+## Teleport Audit Event References
+
+Reference guides to audit events that you can export and track in Teleport. ([more info](monitoring/audit.mdx))
+
+- [Audit Events and Records](monitoring/audit/audit.mdx): Reference of Teleport Audit Events and Session Records
+- [Desktop Access Audit Events Reference](monitoring/audit/desktop-events.mdx): Audit events reference for Teleport desktop access.
diff --git a/docs/pages/reference/monitoring/audit.mdx b/docs/pages/reference/monitoring/audit.mdx
index ff45f06ef67a5..85e774c784cc6 100644
--- a/docs/pages/reference/monitoring/audit.mdx
+++ b/docs/pages/reference/monitoring/audit.mdx
@@ -1,234 +1,9 @@ --- -title: Audit Events and Records -description: Reference of Teleport Audit Events and Session Records +title: Teleport Audit Event References +description: Reference guides to audit events that you can export and track in Teleport. --- -Teleport logs cluster activity by emitting various events into its audit log. -There are two components of the audit log: +{/*TOPICS*/} - - - -- **Cluster Events:** Teleport logs events like successful user logins along - with metadata like remote IP address, time, and the session ID. -- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and - can be replayed later. By default, the recording is done by Teleport Nodes, - but can be configured to be done by the proxy. - - - - -- **Cluster Events:** Teleport logs events like successful user logins along - with metadata like remote IP address, time, and the session ID. -- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and - can be replayed later. Teleport Cloud manages the storage of session - recording data. - - - - - - -You can use -[Enhanced Session Recording with BPF](../server-access/guides/bpf-session-recording.mdx) -to get even more comprehensive audit logs with advanced security. - - - -## Events - - - - -Teleport supports multiple storage backends for storing audit events. The `dir` -backend uses the local filesystem of an Auth Service host. When this backend is -used, events are written to the filesystem in JSON format. The `dir` backend rotates -the event file approximately once every 24 hours, but never deletes captured events. - -For High Availability configurations, users can refer to our -[Athena](./backends.mdx#athena), [DynamoDB](./backends.mdx#dynamodb) or -[Firestore](./backends.mdx#firestore) chapters for information on how to -configure the SSH events and recorded sessions to be stored on network storage. 
-When these backends are in use, audit events will eventually expire and be -removed from the log. The default retention period is 1 year, but this can be -overridden using the `retention_period` configuration parameter. - -It is even possible to store audit logs in multiple places at the same time. For -more information on how to configure the audit log, refer to the `storage` -section of the example configuration file in the -[Teleport Configuration Reference](./config.mdx). - -Let's examine the Teleport audit log using the `dir` backend. The event log is -stored in Teleport's data dir under the `log` directory. This is usually -`/var/lib/teleport/log`. Each day is represented as a file: - -```code -$ ls -l /var/lib/teleport/log/ - -# total 104 -# -rw-r----- 1 root root 31638 Jan 22 20:00 2017-01-23.00:00:00.log -# -rw-r----- 1 root root 91256 Jan 31 21:00 2017-02-01.00:00:00.log -# -rw-r----- 1 root root 15815 Feb 32 22:54 2017-02-03.00:00:00.log -``` - - - - -Teleport Enterprise Cloud manages the storage of audit logs for you. You can -access your audit logs via the Teleport Web UI by clicking: - -**Activity** > **Audit Log** - - - - -Audit logs use JSON format. They are human readable but can also be -programmatically parsed. Each line represents an event and has the following -format: - -```javascript -{ - // Event type. See below for the list of all possible event types. - "event": "session.start", - // A unique ID for the event log. Useful for deduplication. - "uid": "59cf8d1b-7b36-4894-8e90-9d9713b6b9ef", - // Teleport user name - "user": "ekontsevoy", - // OS login - "login": "root", - // Server namespace. This field is reserved for future use. - "namespace": "default", - // Unique server ID - "server_id": "f84f7386-5e22-45ff-8f7d-b8079742e63f", - // Server Labels - "server_labels": { - "datacenter": "us-east-1", - "label-b": "x" - } - // Session ID. Can be used to replay the session. 
- "sid": "8d3895b6-e9dd-11e6-94de-40167e68e931", - // Address of the SSH node - "addr.local": "10.5.l.15:3022", - // Address of the connecting client (user) - "addr.remote": "73.223.221.14:42146", - // Terminal size - "size": "80:25", - // Timestamp - "time": "2017-02-03T06:54:05Z" -} -``` - -## Event types - -Below are some possible types of audit events. - - - -This list is not comprehensive. We recommend exporting audit events to a -platform that automatically parses event payloads so you can group and filter -them by their `event` key and discover trends. To set up audit event exporting, -read [Exporting Teleport Audit Events](../management/export-audit-events.mdx). - - - -| Event Type | Description | -| - | - | -| auth | Authentication attempt. Adds the following fields: `{"success": "false", "error": "access denied"}` | -| session.start | Started an interactive shell session. | -| session.end | An interactive shell session has ended. | -| session.join | A new user has joined the existing interactive shell session. | -| session.leave | A user has left the session. | -| session.disk | A list of files opened during the session. *Requires Enhanced Session Recording*. | -| session.network | A list of network connections made during the session. *Requires Enhanced Session Recording*. | -| session.command | A list of commands ran during the session. *Requires Enhanced Session Recording*. | -| session.recording.access | A session recording has been accessed. | -| exec | Remote command has been executed via SSH, like `tsh ssh root@node ls /`. The following fields will be logged: `{"command": "ls /", "exitCode": 0, "exitError": ""}` | -| scp | Remote file copy has been executed. The following fields will be logged: `{"path": "/path/to/file.txt", "len": 32344, "action": "read" }` | -| resize | Terminal has been resized. | -| user.login | A user logged into web UI or via tsh. The following fields will be logged: `{"user": "alice@example.com", "method": "local"}` . 
| -| app.session.start | A user accessed an application | -| app.session.chunk | A record of activity during an app session | -| join_token.create | A new join token has been created. Adds the following fields: `{"roles": ["Node", "Db"], "join_method": "token"}` | - -## Recorded sessions - -In addition to logging start and end events, Teleport can also record the entire session. -For SSH or Kubernetes sessions this captures the entire stream of bytes from the PTY. -For desktop sessions the recording includes the contents of the screen. - - - - -Teleport can store the recorded sessions in an [AWS S3 bucket](./backends.mdx#s3) -or in a local filesystem (including NFS). - -The recorded sessions are stored as raw bytes in the `sessions` directory under -`log`. Each session is a protobuf-encoded stream of binary data. - -You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) -command or the Web UI. - -For example, replay a session via CLI: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 -``` - -Print the session events in JSON to stdout: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json -``` - - - - -Teleport Enterprise Cloud automatically stores recorded sessions. - -You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) -command or the Web UI. - -For example, replay a session via CLI: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 -``` - -Print the session events in JSON to stdout: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json -``` - - - - -### Modes - - -Available only for SSH sessions and when Teleport is configured with -`auth_service.session_recording: node`. - - -Modes define how Teleport deals with recording failures, such as a full disk -error. They are configured per-service at the role level, where the strictest -value takes precedence. 
The available modes are:
-
-|Mode|After a recording failure|
-|----|-------------------------|
-|Best effort (`best_effort`)|Disables recording without terminating the session.|
-|Strict (`strict`)|Immediately terminates the session.|
-
-If the user role doesn’t specify a recording mode, `best_effort` will be used. Here
-is an example of a role configured to use strict mode for SSH sessions:
-
-```yaml
-kind: role
-version: v5
-metadata:
- name: ssh-strict
-spec:
- options:
- record_session:
- ssh: strict
-```
+- [Audit Events and Records](audit/audit.mdx): Reference of Teleport Audit Events and Session Records
+- [Desktop Access Audit Events Reference](audit/desktop-events.mdx): Audit events reference for Teleport desktop access.
diff --git a/docs/pages/reference/monitoring/audit/audit.mdx b/docs/pages/reference/monitoring/audit/audit.mdx
new file mode 100644
index 0000000000000..ff45f06ef67a5
--- /dev/null
+++ b/docs/pages/reference/monitoring/audit/audit.mdx
@@ -0,0 +1,234 @@ +--- +title: Audit Events and Records +description: Reference of Teleport Audit Events and Session Records +--- + +Teleport logs cluster activity by emitting various events into its audit log. +There are two components of the audit log: + + + + +- **Cluster Events:** Teleport logs events like successful user logins along + with metadata like remote IP address, time, and the session ID. +- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and + can be replayed later. By default, the recording is done by Teleport Nodes, + but can be configured to be done by the proxy. + + + + +- **Cluster Events:** Teleport logs events like successful user logins along + with metadata like remote IP address, time, and the session ID. +- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and + can be replayed later. Teleport Cloud manages the storage of session + recording data. + + + + + + +You can use +[Enhanced Session Recording with BPF](../server-access/guides/bpf-session-recording.mdx) +to get even more comprehensive audit logs with advanced security. + + + +## Events + + + + +Teleport supports multiple storage backends for storing audit events. The `dir` +backend uses the local filesystem of an Auth Service host. When this backend is +used, events are written to the filesystem in JSON format. The `dir` backend rotates +the event file approximately once every 24 hours, but never deletes captured events. + +For High Availability configurations, users can refer to our +[Athena](./backends.mdx#athena), [DynamoDB](./backends.mdx#dynamodb) or +[Firestore](./backends.mdx#firestore) chapters for information on how to +configure the SSH events and recorded sessions to be stored on network storage. +When these backends are in use, audit events will eventually expire and be +removed from the log. 
The default retention period is 1 year, but this can be +overridden using the `retention_period` configuration parameter. + +It is even possible to store audit logs in multiple places at the same time. For +more information on how to configure the audit log, refer to the `storage` +section of the example configuration file in the +[Teleport Configuration Reference](./config.mdx). + +Let's examine the Teleport audit log using the `dir` backend. The event log is +stored in Teleport's data dir under the `log` directory. This is usually +`/var/lib/teleport/log`. Each day is represented as a file: + +```code +$ ls -l /var/lib/teleport/log/ + +# total 104 +# -rw-r----- 1 root root 31638 Jan 22 20:00 2017-01-23.00:00:00.log +# -rw-r----- 1 root root 91256 Jan 31 21:00 2017-02-01.00:00:00.log +# -rw-r----- 1 root root 15815 Feb 32 22:54 2017-02-03.00:00:00.log +``` + + + + +Teleport Enterprise Cloud manages the storage of audit logs for you. You can +access your audit logs via the Teleport Web UI by clicking: + +**Activity** > **Audit Log** + + + + +Audit logs use JSON format. They are human readable but can also be +programmatically parsed. Each line represents an event and has the following +format: + +```javascript +{ + // Event type. See below for the list of all possible event types. + "event": "session.start", + // A unique ID for the event log. Useful for deduplication. + "uid": "59cf8d1b-7b36-4894-8e90-9d9713b6b9ef", + // Teleport user name + "user": "ekontsevoy", + // OS login + "login": "root", + // Server namespace. This field is reserved for future use. + "namespace": "default", + // Unique server ID + "server_id": "f84f7386-5e22-45ff-8f7d-b8079742e63f", + // Server Labels + "server_labels": { + "datacenter": "us-east-1", + "label-b": "x" + } + // Session ID. Can be used to replay the session. 
+ "sid": "8d3895b6-e9dd-11e6-94de-40167e68e931", + // Address of the SSH node + "addr.local": "10.5.l.15:3022", + // Address of the connecting client (user) + "addr.remote": "73.223.221.14:42146", + // Terminal size + "size": "80:25", + // Timestamp + "time": "2017-02-03T06:54:05Z" +} +``` + +## Event types + +Below are some possible types of audit events. + + + +This list is not comprehensive. We recommend exporting audit events to a +platform that automatically parses event payloads so you can group and filter +them by their `event` key and discover trends. To set up audit event exporting, +read [Exporting Teleport Audit Events](../management/export-audit-events.mdx). + + + +| Event Type | Description | +| - | - | +| auth | Authentication attempt. Adds the following fields: `{"success": "false", "error": "access denied"}` | +| session.start | Started an interactive shell session. | +| session.end | An interactive shell session has ended. | +| session.join | A new user has joined the existing interactive shell session. | +| session.leave | A user has left the session. | +| session.disk | A list of files opened during the session. *Requires Enhanced Session Recording*. | +| session.network | A list of network connections made during the session. *Requires Enhanced Session Recording*. | +| session.command | A list of commands ran during the session. *Requires Enhanced Session Recording*. | +| session.recording.access | A session recording has been accessed. | +| exec | Remote command has been executed via SSH, like `tsh ssh root@node ls /`. The following fields will be logged: `{"command": "ls /", "exitCode": 0, "exitError": ""}` | +| scp | Remote file copy has been executed. The following fields will be logged: `{"path": "/path/to/file.txt", "len": 32344, "action": "read" }` | +| resize | Terminal has been resized. | +| user.login | A user logged into web UI or via tsh. The following fields will be logged: `{"user": "alice@example.com", "method": "local"}` . 
| +| app.session.start | A user accessed an application | +| app.session.chunk | A record of activity during an app session | +| join_token.create | A new join token has been created. Adds the following fields: `{"roles": ["Node", "Db"], "join_method": "token"}` | + +## Recorded sessions + +In addition to logging start and end events, Teleport can also record the entire session. +For SSH or Kubernetes sessions this captures the entire stream of bytes from the PTY. +For desktop sessions the recording includes the contents of the screen. + + + + +Teleport can store the recorded sessions in an [AWS S3 bucket](./backends.mdx#s3) +or in a local filesystem (including NFS). + +The recorded sessions are stored as raw bytes in the `sessions` directory under +`log`. Each session is a protobuf-encoded stream of binary data. + +You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) +command or the Web UI. + +For example, replay a session via CLI: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 +``` + +Print the session events in JSON to stdout: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json +``` + + + + +Teleport Enterprise Cloud automatically stores recorded sessions. + +You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) +command or the Web UI. + +For example, replay a session via CLI: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 +``` + +Print the session events in JSON to stdout: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json +``` + + + + +### Modes + + +Available only for SSH sessions and when Teleport is configured with +`auth_service.session_recording: node`. + + +Modes define how Teleport deals with recording failures, such as a full disk +error. They are configured per-service at the role level, where the strictest +value takes precedence. 
The available modes are:
+
+|Mode|After a recording failure|
+|----|-------------------------|
+|Best effort (`best_effort`)|Disables recording without terminating the session.|
+|Strict (`strict`)|Immediately terminates the session.|
+
+If the user role doesn’t specify a recording mode, `best_effort` will be used. Here
+is an example of a role configured to use strict mode for SSH sessions:
+
+```yaml
+kind: role
+version: v5
+metadata:
+ name: ssh-strict
+spec:
+ options:
+ record_session:
+ ssh: strict
+```
diff --git a/docs/pages/desktop-access/reference/audit.mdx b/docs/pages/reference/monitoring/audit/desktop-events.mdx
similarity index 100%
rename from docs/pages/desktop-access/reference/audit.mdx
rename to docs/pages/reference/monitoring/audit/desktop-events.mdx
diff --git a/docs/pages/reference/rbac.mdx b/docs/pages/reference/rbac.mdx
index 471300b42865e..4eb98953919b7 100644
--- a/docs/pages/reference/rbac.mdx
+++ b/docs/pages/reference/rbac.mdx
@@ -6,3 +6,5 @@ description: Available options for configuring access to Teleport privileges and
 {/*TOPICS*/}
 - [Access Controls for Servers](rbac/server-rbac.mdx): Role-based access control (RBAC) for Teleport server access.
+- [Role-Based Access Control for Desktops](rbac/desktop-access.mdx): Role-based access control (RBAC) for desktops protected by Teleport.
+- [Teleport Kubernetes Access Controls](rbac/controls.mdx): How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes
diff --git a/docs/pages/kubernetes-access/controls.mdx b/docs/pages/reference/rbac/controls.mdx
similarity index 99%
rename from docs/pages/kubernetes-access/controls.mdx
rename to docs/pages/reference/rbac/controls.mdx
index 92fccb3b6b821..c1c36b4285f45 100644
--- a/docs/pages/kubernetes-access/controls.mdx
+++ b/docs/pages/reference/rbac/controls.mdx
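Review bot: The relative links inside the new `audit/audit.mdx` are carried over byte-for-byte from `monitoring/audit.mdx` (both sides show blob `ff45f06ef67a5`), yet the page now lives one directory deeper, so `./backends.mdx#athena`, `./config.mdx`, `./cli/tsh.mdx#tsh-play`, `../server-access/guides/bpf-session-recording.mdx` and `../management/export-audit-events.mdx` each resolve one level shallower than they did before the move. The controls.mdx hunk in this same commit rewrites its image path for exactly this kind of relocation, so unless the docs build resolves links from a different base these need one extra `../` segment each, relative to wherever they pointed previously. Since the sample content is being re-homed anyway, the example event's `"addr.local": "10.5.l.15:3022"` carries a letter l where a digit is expected and the `ls` listing shows `Feb 32`, both of which read as typos in a sample readers are likely to copy when building audit-export parsers.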
@@ -201,7 +201,7 @@ headers](https://kubernetes.io/docs/reference/access-authn-authz/authentication/
 to send requests to the API server with one Kubernetes user and zero or more Kubernetes groups.
-![Impersonation](../../img/k8s/auth.svg)
+![Impersonation](../../../../img/k8s/auth.svg)
 The `kubernetes_users` and `kubernetes_groups` fields indicate which users and groups to allow a user to assume when they send requests to a Kubernetes API
diff --git a/docs/pages/desktop-access/rbac.mdx b/docs/pages/reference/rbac/desktop-access.mdx
similarity index 100%
rename from docs/pages/desktop-access/rbac.mdx
rename to docs/pages/reference/rbac/desktop-access.mdx
diff --git a/package.json b/package.json
index d6fe1a6814c1d..ba1e3034eebc9 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "name": "teleport-ui",
 "version": "1.0.0",
 "scripts": {
- "all-topics": "node docs/gen-topic-pages/index.js --in docs/pages/admin-guides,docs/pages/database-access,docs/pages/access-controls,docs/pages/desktop-access,docs/pages/kubernetes-access,docs/pages/connect-your-client,docs/pages/machine-id,docs/pages/reference,docs/pages/application-access",
+ "all-topics": "node docs/gen-topic-pages/index.js --in docs/pages/admin-guides,docs/pages/database-access,docs/pages/access-controls,docs/pages/connect-your-client,docs/pages/machine-id,docs/pages/reference,docs/pages/application-access",
 "build-ui": "yarn build-ui-oss && yarn build-ui-e",
 "build-ui-oss": "yarn workspace @gravitational/teleport build",
 "build-ui-e": "yarn workspace @gravitational/teleport.e build",
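Review bot: The new image path `../../../../img/k8s/auth.svg` climbs one directory too far: the page moves from `docs/pages/kubernetes-access/` to `docs/pages/reference/rbac/`, which is a single level deeper, so the old `../../img` (which resolved to `docs/img`) should become `../../../img`, whereas four `../` segments land on `img/` at the repository root. Unless the docs build resolves image references from a base other than the page's directory, the intended line is `![Impersonation](../../../img/k8s/auth.svg)`. The surrounding paragraphs start and end outside this hunk.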