From d7bc83642b6362fe0e108776f8e88231e7f1fa74 Mon Sep 17 00:00:00 2001
From: Anton Miniailo
Date: Wed, 27 Sep 2023 16:35:53 -0400
Subject: [PATCH] Fix usage of ClusterName from config when starting Auth server (#32682)

---
 .../includes/config-reference/auth-service.yaml | 5 ++++-
 lib/service/service.go | 17 +++++++++++++++--
 lib/service/servicecfg/config.go | 4 ++--
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/docs/pages/includes/config-reference/auth-service.yaml b/docs/pages/includes/config-reference/auth-service.yaml
index b1e9a046dd0a..54e7ae63496c 100644
--- a/docs/pages/includes/config-reference/auth-service.yaml
+++ b/docs/pages/includes/config-reference/auth-service.yaml
@@ -110,6 +110,7 @@ auth_service:
   # Turns 'auth' role on. Default is 'yes'
   enabled: yes
 
+  # cluster_name is the name used to initiate a new cluster.
   # A cluster name is used as part of a signature in certificates
   # generated by this CA.
   #
@@ -118,7 +119,9 @@ auth_service:
   #
   # By default an automatically generated name is used (not recommended)
   #
-  # IMPORTANT: if you change cluster_name, it will invalidate all generated
+  # IMPORTANT: changes to this field won't have an effect on an already created cluster.
+  # To change the name of an existing cluster, you can use
+  # the 'POST /v2/configuration/name' endpoint, but it will invalidate all generated
   # certificates and keys (may need to wipe out /var/lib/teleport directory)
   cluster_name: "main"
 
diff --git a/lib/service/service.go b/lib/service/service.go
index 78921c8f0d26..3351a713b1b9 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -1676,6 +1676,14 @@ func (process *TeleportProcess) initAuthService() error {
 		}
 	}
 	clusterName := cfg.Auth.ClusterName.GetClusterName()
+	ident, err := process.storage.ReadIdentity(auth.IdentityCurrent, types.RoleAdmin)
+	if err != nil && !trace.IsNotFound(err) {
+		return trace.Wrap(err)
+	}
+	if ident != nil {
+		clusterName = ident.ClusterName
+	}
+
 	checkingEmitter, err := events.NewCheckingEmitter(events.CheckingEmitterConfig{
 		Inner: events.NewMultiEmitter(events.NewLoggingEmitter(), emitter),
 		Clock: process.Clock,
@@ -1714,7 +1722,12 @@ func (process *TeleportProcess) initAuthService() error {
 	}
 
 	embeddingsRetriever := ai.NewSimpleRetriever()
-
+	cn, err := services.NewClusterNameWithRandomID(types.ClusterNameSpecV2{
+		ClusterName: clusterName,
+	})
+	if err != nil {
+		return trace.Wrap(err)
+	}
 	// first, create the AuthServer
 	authServer, err := auth.Init(
 		process.ExitContext(),
@@ -1725,7 +1738,7 @@ func (process *TeleportProcess) initAuthService() error {
 		ClusterAuditConfig: cfg.Auth.AuditConfig,
 		ClusterNetworkingConfig: cfg.Auth.NetworkingConfig,
 		SessionRecordingConfig: cfg.Auth.SessionRecordingConfig,
-		ClusterName: cfg.Auth.ClusterName,
+		ClusterName: cn,
 		AuthServiceName: cfg.Hostname,
 		DataDir: cfg.DataDir,
 		HostUUID: cfg.HostUUID,
diff --git a/lib/service/servicecfg/config.go b/lib/service/servicecfg/config.go
index 79b3830b6155..c6f6f6953ec4 100644
--- a/lib/service/servicecfg/config.go
+++ b/lib/service/servicecfg/config.go
@@ -136,7 +136,7 @@ type Config struct {
 	// PidFile is a full path of the PID file for teleport daemon
 	PIDFile string
 
-	// Trust is a service that manages users and credentials
+	// Trust is a service that manages certificate authorities
 	Trust services.Trust
 
 	// Presence service is a discovery and heartbeat tracker
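Review bot: When the admin identity read from `process.storage` carries a cluster name that differs from a non-empty `cluster_name` in the config, the first hunk silently overwrites `clusterName` with `ident.ClusterName` and nothing tells the operator that their configured value is being ignored. The docs hunk in this same commit now states that editing `cluster_name` has no effect on an existing cluster, so a mismatch is exactly what an operator will hit after changing the config or restoring a data directory that belongs to a different cluster, and it deserves a warning before the override: `if clusterName != "" && clusterName != ident.ClusterName { process.log.Warnf("cluster_name %q in config does not match %q from the existing auth identity; using the stored name", clusterName, ident.ClusterName) }` (the logger field is whatever TeleportProcess exposes; `process.log` is an assumption). A one-line comment on the `ReadIdentity` call would also make the precedence explicit for the next reader: `// The identity persisted at first start is authoritative; the config value only seeds a brand-new cluster.` An identity with an empty `ClusterName` would pass an empty name into `NewClusterNameWithRandomID` in the second hunk, which presumably rejects it during validation, but that is not visible here. `initAuthService` begins before the first hunk and continues past the third.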
@@ -148,7 +148,7 @@ type Config struct {
 	// Provisioner is a service that keeps track of provisioning tokens
 	Provisioner services.Provisioner
 
-	// Trust is a service that manages users and credentials
+	// Identity is a service that manages users and credentials
 	Identity services.Identity
 
 	// Access is a service that controls access