
[entraid] add setup script for offline clusters. #47863

Merged
merged 9 commits into from
Oct 29, 2024
Merged

Conversation

tigrato
Copy link
Contributor

@tigrato tigrato commented Oct 23, 2024

This PR introduces a CLI configuration option for Entra ID, allowing the use of system credentials as the default authentication method instead of OIDC. This is particularly useful for private clusters that are not accessible via the internet, where OIDC may not be a viable option.

The UX is the following:

```text
Enter the path to write the script file [/home/tiago/code/teleport/entraid.sh]:

Step 1: Run the Setup Script

1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility.
2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar.
3. Once uploaded, execute the script by running the following command:
   $ bash entraid.sh

**Important Considerations**:
- You must have **Azure privileged administrator permissions** to complete the integration.
- Ensure you're using the **Bash** environment in Cloud Shell.
- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials.
- **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended.

Once the script completes, type 'continue' to proceed, 'exit' to quit: continue

Step 2: Input Tenant ID and Client ID

With the output of Step 1, please copy and paste the following information:
Enter the Tenant ID: 1056b571-0390-4b08-86c8-2edba8d9ae79
Enter the Client ID: 1056b571-0390-4b08-86c8-2edba8d9ae79

Successfully created EntraID plugin "name".
```

Changelog: Added support for Entra ID directory synchronization for clusters without public internet access.
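As an added example (not the PR's own code; `runStep2`, `readGUID`, `prompt` and `guidRE` are assumed names standing in for the PR's `readData` flow), here is the Step 2 prompt sequence written so that anything other than 'continue' stops before a plugin resource is created and both pasted IDs are checked to be canonical GUIDs:

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// guidRE matches the canonical 8-4-4-4-12 hex form used for Entra tenant and client IDs.
var guidRE = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// prompt writes the question and returns the trimmed line the operator typed.
func prompt(in *bufio.Scanner, out io.Writer, question string) (string, error) {
	fmt.Fprintf(out, "%s: ", question)
	if !in.Scan() {
		return "", io.ErrUnexpectedEOF // EOF or read error: never proceed with ""
	}
	return strings.TrimSpace(in.Text()), nil
}

// readGUID prompts for one ID and rejects anything that is not a canonical GUID.
func readGUID(in *bufio.Scanner, out io.Writer, question string) (string, error) {
	v, err := prompt(in, out, question)
	if err == nil && !guidRE.MatchString(v) {
		err = fmt.Errorf("%s: %q is not a valid GUID", question, v)
	}
	return v, err
}

// runStep2 (assumed name) confirms the Cloud Shell script finished, then collects and validates both IDs.
func runStep2(r io.Reader, w io.Writer) (tenantID, clientID string, err error) {
	in := bufio.NewScanner(r)
	op, err := prompt(in, w, "Once the script completes, type 'continue' to proceed, 'exit' to quit")
	if err != nil {
		return "", "", err
	}
	if strings.ToLower(op) != "continue" { // 'exit' or a typo: stop without creating anything
		return "", "", fmt.Errorf("setup stopped on %q; rerun the command to resume", op)
	}
	if tenantID, err = readGUID(in, w, "Enter the Tenant ID"); err != nil {
		return "", "", err
	}
	if clientID, err = readGUID(in, w, "Enter the Client ID"); err != nil {
		return "", "", err
	}
	return tenantID, clientID, nil
}
```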

@github-actions github-actions bot added size/md tctl tctl - Teleport admin tool labels Oct 23, 2024
@tigrato tigrato force-pushed the tigrato/entra-id-sync branch from 4875073 to c0852f8 Compare October 23, 2024 17:59
Base automatically changed from tigrato/entra-id to master October 24, 2024 09:35
This PR adds a cli configuration for Entra ID where it's possible to default to system credentials instead of relying on OIDC for authentication in EntraID. OIDC is not always a possibility, especially when the cluster is private and not internet accessible.

The UX is the following:

```text

Step 1: Run the Setup Script

1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility.
2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar.
3. Once uploaded, execute the script by running the following command:
   $ bash entraid.sh

**Important Considerations**:
- You must have **Azure privileged administrator permissions** to complete the integration.
- Ensure you're using the **Bash** environment in Cloud Shell.
- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials.
- **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended.

Once the script completes, type 'continue' to proceed, 'exit' to quit: continue

Step 2: Input Tenant ID and Client ID

With the output of Step 1, please copy and paste the following information:
Enter the Tenant ID: 1056b571-0390-4b08-86c8-2edba8d9ae79
Enter the Client ID: 1056b571-0390-4b08-86c8-2edba8d9ae79

Successfully created EntraID plugin "name".
```

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
@tigrato tigrato force-pushed the tigrato/entra-id-sync branch from 857e3e8 to ff60a0f Compare October 24, 2024 10:14
@tigrato tigrato requested a review from mvbrock October 28, 2024 10:53

```text
**Important Considerations**:
- You must have **Azure privileged administrator permissions** to complete the integration.
- Ensure you're using the **Bash** environment in Cloud Shell.
```
I assume this means that the user's default shell should be bash.
However, given that we are calling `bash script.sh`, it is not really required to be the default but just to be present in the system. I think we could omit this line for the sake of simplicity.


This shell is the Azure Cloud Shell and it's by default bash.

tigrato and others added 2 commits October 28, 2024 15:12
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
@mvbrock mvbrock left a comment


LGTM, just a few nitpicks

@marcoandredinis marcoandredinis left a comment


Just left two comments but no blockers.

@tigrato tigrato force-pushed the tigrato/entra-id-sync branch from 2059099 to 8f04e0d Compare October 28, 2024 19:14
@r0mant r0mant left a comment


With a few suggestions.

Comment on lines +41 to 44
```go
func (g *Group) IsOffice365Group() bool {
	const office365Group = "Unified"
	return slices.Contains(g.GroupTypes, office365Group)
}
```

Where is this being used? I can't find it in this PR.


It's being used in e

```go
fmt.Fprintf(os.Stdout, tmpl, filepath.Base(fileLoc))

op, err := readData(os.Stdin, os.Stdout,
	"Once the script completes, type 'continue' to proceed, 'exit' to quit",
```

Nit: Can they continue/rerun this command if they choose to exit? I would include this information in the message; I would be wondering what happens if I exit but, say, want to resume later or clean up.

Comment on lines 238 to 242
```go
{
	Name:  "https://example.com/my_attribute",
	Value: "my_value",
	Roles: []string{"requester"},
},
```

How would a user know they need to modify these? Should the command ask for claim name and value as a part of this setup flow?

@tigrato tigrato added this pull request to the merge queue Oct 29, 2024
@tigrato tigrato removed this pull request from the merge queue due to a manual request Oct 29, 2024
@tigrato tigrato force-pushed the tigrato/entra-id-sync branch from a596429 to 803810a Compare October 29, 2024 17:34
@tigrato tigrato enabled auto-merge October 29, 2024 17:34
@tigrato tigrato added this pull request to the merge queue Oct 29, 2024
Merged via the queue into master with commit 768a0bd Oct 29, 2024
41 checks passed
@tigrato tigrato deleted the tigrato/entra-id-sync branch October 29, 2024 18:10
@public-teleport-github-review-bot

@tigrato See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v16 | Failed |
| branch/v17 | Create PR |

tigrato added a commit that referenced this pull request Oct 29, 2024
* [entraid] add setup script for offline clusters.

This PR adds a cli configuration for Entra ID where it's possible to default to system credentials instead of relying on OIDC for authentication in EntraID. OIDC is not always a possibility, especially when the cluster is private and not internet accessible.

The UX is the following:

```text

Step 1: Run the Setup Script

1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility.
2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar.
3. Once uploaded, execute the script by running the following command:
   $ bash entraid.sh

**Important Considerations**:
- You must have **Azure privileged administrator permissions** to complete the integration.
- Ensure you're using the **Bash** environment in Cloud Shell.
- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials.
- **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended.

Once the script completes, type 'continue' to proceed, 'exit' to quit: continue

Step 2: Input Tenant ID and Client ID

With the output of Step 1, please copy and paste the following information:
Enter the Tenant ID: 1056b571-0390-4b08-86c8-2edba8d9ae79
Enter the Client ID: 1056b571-0390-4b08-86c8-2edba8d9ae79

Successfully created EntraID plugin "name".
```

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* move function to api

* handle code review comments

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* fix url

* enable group claims

* add godoc

* handle code review comments

* fix gomod

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
tigrato added a commit that referenced this pull request Oct 30, 2024
tigrato added a commit that referenced this pull request Oct 30, 2024
github-merge-queue bot pushed a commit that referenced this pull request Oct 30, 2024