# Packages
Package events contains event related types and logic required by the Teleport API.
Package wrappers provides protobuf wrappers for common teleport map and list types.
# Functions
BoolDefaultTrue returns true if v is not set (pointer is nil) otherwise returns real boolean value.
CombineLabels combines the passed in static and dynamic labels.
CopyRulesSlice copies input slice of Rules and returns the copy.
DeduplicateApps deduplicates apps by combination of app name and public address.
DeduplicateDatabases deduplicates databases by name.
DeduplicateDesktops deduplicates desktops by name.
DeduplicateKubeClusters deduplicates kube clusters by name.
DefaultAgentMeshTunnelStrategy sets default values for an agent mesh tunnel strategy.
DefaultAuthPreference returns the default authentication preferences.
DefaultClusterAuditConfig returns the default audit log configuration.
DefaultClusterNetworkingConfig returns the default cluster networking config.
DefaultNamespace returns the default namespace.
DefaultProxyPeeringTunnelStrategy sets default values for a proxy peering tunnel strategy.
DefaultSessionRecordingConfig returns the default session recording configuration.
DefaultStaticTokens is used to get the default static tokens (empty list) when nothing is specified in file configuration.
DefaultTunnelStrategy is the default tunnel strategy used when one is not specified.
GenerateSchedule generates schedule based on the time period, using even time periods between rotation phases.
GetSortByFromString expects a string in format `<fieldName>:<asc|desc>` where index 0 is fieldName and index 1 is direction.
IsMaxFailedRecoveryAttempt determines if user reached their max failed attempts.
IsValidLabelKey checks if the supplied string matches the label key regexp.
IsValidNamespace checks if the namespace provided is valid.
LabelsAsString combines static and dynamic labels and returns a comma separated string.
LabelsToV2 converts labels from interface to V2 spec.
LocalServiceMappings returns the subset of role mappings which happen to be true Teleport services (e.g.
MatchLabels takes a map of labels and returns `true` if the resource has ALL of them.
MatchSearch goes through select field values from a resource and tries to match against the list of search values, ignoring case and order.
MaxDuration returns the maximum duration value.
MustCreateProvisionToken returns a new valid provision token or panics, used in tests.
MustNewInstallerV1 creates a new installer resource from the provided script.
NewAccessRequest assembles an AccessRequest resource.
NewAccessRequestWithResources assembles an AccessRequest resource with requested resources.
NewAppServerV3 creates a new app server instance.
NewAppServerV3FromApp creates a new app server from the provided app.
NewAppV3 creates a new app resource.
NewAuthPreference is a convenience method to create AuthPreferenceV2.
NewAuthPreferenceFromConfigFile is a convenience method to create AuthPreferenceV2 labeled as originating from config file.
NewBool returns Bool struct based on bool value.
NewBoolOption returns Bool struct based on bool value.
NewBoolP returns Bool pointer.
NewCertAuthority returns new cert authority.
NewClusterAlert creates a new cluster alert.
NewClusterAuditConfig is a convenience method to create ClusterAuditConfigV2.
NewClusterName is a convenience wrapper to create a ClusterName resource.
NewClusterNetworkingConfigFromConfigFile is a convenience method to create ClusterNetworkingConfigV2 labeled as originating from config file.
NewConnectionDiagnosticV1 creates a new ConnectionDiagnosticV1 resource.
NewDatabaseServerV3 creates a new database server instance.
NewDatabaseV3 creates a new database resource.
NewDuration converts the given time.Duration value to a duration.
NewGithubConnector creates a new Github connector from name and spec.
NewInstallerV1 returns a new installer resource.
NewKubernetesClusterV3 creates a new Kubernetes cluster resource.
NewKubernetesClusterV3FromLegacyCluster creates a new Kubernetes cluster resource from the legacy type.
NewKubernetesClusterV3WithoutSecrets creates a new copy of the provided cluster but without secrets/credentials.
NewKubernetesServerV3 creates a new kube server instance.
NewKubernetesServerV3FromCluster creates a new kubernetes server from the provided clusters.
NewKubeServersV3FromServer creates a list of kube servers from a legacy Server resource.
NewLegacyKubeServer creates legacy Kube server object.
NewLicense is a convenience method to create LicenseV3.
NewLock is a convenience method to create a Lock resource.
NewMFADevice creates a new MFADevice with the given name.
NewNamespace returns new namespace.
NewNetworkRestrictions creates a new NetworkRestrictions with the given name.
NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV3.
NewPluginData configures a new PluginData instance associated with the supplied resource name (currently, this must be the name of an access request).
NewProvisionToken returns a new provision token with the given roles.
NewProvisionTokenFromSpec returns a new provision token with the given spec.
NewRecoveryCodes creates a new RecoveryCodes with the given codes and created time.
NewRemoteCluster is a convenience way to create a RemoteCluster resource.
NewReverseTunnel returns new version of reverse tunnel.
NewRole constructs new standard V5 role.
NewRoleV3 constructs new standard V3 role.
NewRule creates a rule based on a resource name and a list of verbs.
NewSAMLConnector returns a new SAMLConnector based off a name and SAMLConnectorSpecV2.
NewServer creates an instance of Server.
NewServerWithLabels is a convenience method to create ServerV2 with a specific map of labels.
NewSessionRecordingConfigFromConfigFile is a convenience method to create SessionRecordingConfigV2 labeled as originating from config file.
NewStaticTokens is a convenience wrapper to create a StaticTokens resource.
NewTeleportRoles returns a list of teleport roles from a slice of strings.
NewTraceDiagnosticConnection creates a new Connection Diagnostic Trace.
NewTrustedCluster is a convenience way to create a TrustedCluster resource.
NewTunnelConnection returns new connection from V2 spec.
NewUser creates new empty user.
NewUserToken creates an instance of UserToken.
NewUserTokenSecrets creates an instance of UserTokenSecrets.
NewWebSession returns new instance of the web session based on the V2 spec.
NewWebToken returns a new web token with the given expiration and spec.
NewWindowsDesktopServiceV3 creates a new WindowsDesktopServiceV3 resource.
NewWindowsDesktopV3 creates a new WindowsDesktopV3 resource.
ParseTeleportRoles takes a comma-separated list of roles and returns a slice of teleport roles, or an error if parsing failed.
ProcessNamespace returns the default namespace in case the namespace is empty.
ProvisionTokensFromV1 converts V1 provision tokens to resource list.
ProvisionTokensToV1 converts provision tokens to V1 list.
RemoveCASecrets removes private (SSH, TLS, and JWT) keys from certificate authority.
ResourceIDFromString parses a ResourceID from a string.
ResourceIDsFromString parses a list of resource IDs from a string.
ResourceIDsToString marshals a list of ResourceIDs to a string.
ResourceIDToString marshals a ResourceID to a string.
SortClusterAlerts applies the default cluster alert sorting, prioritizing elements by a combination of severity and creation time.
V2ToLabels converts concrete type to command label interface.
WithAlertCreated sets the alert's creation time.
WithAlertExpires sets the alert's expiry time.
WithAlertLabel constructs an alert with the specified label.
WithAlertSeverity sets the severity of an alert (defaults to MEDIUM).
# Constants
ActionRead grants read access (get, list).
ActionWrite grants write access (create, update, delete).
AgentMesh requires agents to create a reverse tunnel to every proxy server.
AlertLicenseExpired is an internal label that indicates that the license has expired.
AlertLink is an internal label that indicates that an alert is a link.
AlertOnLogin is an internal label that indicates an alert should be displayed to users on login.
AlertPermitAll is an internal label that indicates that an alert is suitable for display to all users.
AlertSupersedes is an internal label used to indicate when one alert supersedes another.
AlertVerbPermit is an internal label that permits a user to view the alert if they hold a specific resource permission verb (e.g.
Allow is the set of conditions that allow access.
AppTunnel is a tunnel where the application proxy dials back to the proxy.
AWSAccountIDLabel is used to identify nodes by AWS account ID found via automatic discovery, to avoid re-running installation commands on the node.
AWSInstanceIDLabel is used to identify nodes by EC2 instance ID found via automatic discovery, to avoid re-running installation commands on the node.
BotGenerationLabel is a label used to record the certificate generation counter.
BotLabel is a label used to identify a resource used by a certificate renewal bot.
EXTENSION represents a cert extension that may or may not be honored by the server.
SSH is used when extending an ssh certificate.
CloudAWS identifies that a resource was discovered in AWS.
CloudAzure identifies that a resource was discovered in Azure.
CloudGCP identifies that a resource was discovered in GCP.
CloudHostnameTag is the name of the tag in a cloud instance used to override a node's hostname.
CloudLabel is used to identify the cloud where the resource was discovered.
FIPS_DISABLED explicitly disables FIPS support for AWS S3/Dynamo.
FIPS_ENABLED explicitly enables FIPS support for AWS S3/Dynamo.
FIPS_UNSET allows setting FIPS state for AWS S3/Dynamo using configuration files or environment variables.
CONNECTIVITY is for network connectivity checks.
KUBE_PRINCIPAL is used when checking if the Kube Cluster has at least one user principal.
NODE_PRINCIPAL is used when checking if the Node has the requested principal.
RBAC_KUBE is for RBAC checks to the kubernetes cluster.
RBAC_NODE is for RBAC checks for the node.
RBAC_PRINCIPAL is used when checking if the principal is allowed per RBAC rules.
UNKNOWN_ERROR is used when we don't know the error.
DatabaseCA is a certificate authority used in database access.
INSECURE accepts any certificate provided by server.
VERIFY_CA works the same as VERIFY_FULL, but it skips the hostname check.
VERIFY_FULL performs full certificate validation.
DatabaseTunnel is a tunnel where a database proxy dials back to the proxy.
DatabaseTypeAWSKeyspaces is AWS-hosted Keyspaces database (Cassandra).
DatabaseTypeAzure is Azure-hosted database.
DatabaseTypeCassandra is AWS-hosted Keyspace database.
DatabaseTypeCloudSQL is GCP-hosted Cloud SQL database.
DatabaseTypeElastiCache is AWS-hosted ElastiCache database.
DatabaseTypeMemoryDB is AWS-hosted MemoryDB database.
DatabaseTypeRDS is AWS-hosted RDS or Aurora database.
DatabaseTypeRDSProxy is an AWS-hosted RDS Proxy.
DatabaseTypeRedshift is AWS Redshift database.
DatabaseTypeSelfHosted is the self-hosted type of database.
DefaultAPIGroup is a default group of permissions API; it lets us add different permission types.
Deny is the set of conditions that prevent access.
DiagnosticMessageFailed is the message used when the connection failed.
DiagnosticMessageSuccess is the message used when the connection was successful.
EventOrderAscending is an ascending event order.
EventOrderDescending is a descending event order.
HomeEnvVar specifies the home location for tsh configuration and data.
HostCA identifies the key as a host certificate authority.
InternalResourceIDLabel is a label used to store an ID to correlate between two resources. A practical example of this is to create a correlation between a Node Provision Token and the Node that used that token to join the cluster.
JoinMethodCircleCI indicates that the node will join with the CircleCI join method.
JoinMethodEC2 indicates that the node will join with the EC2 join method.
JoinMethodGitHub indicates that the node will join with the GitHub join method.
JoinMethodIAM indicates that the node will join with the IAM join method.
JoinMethodToken is the default join method, nodes join the cluster by presenting a secret token.
JWTSigner identifies type of certificate authority as JWT signer.
KindAccessPluginData is a resource directive that applies only to plugin data associated with access requests.
KindAccessRequest is an AccessRequest resource.
KindApp is a web app resource.
KindAppServer is an application server resource.
KindAppSession represents an application specific web session.
KindAuthConnector allows access to OIDC and SAML connectors.
KindAuthServer is auth server resource.
KindBilling represents access to cloud billing features.
KindCertAuthority is a certificate authority resource.
KindClusterAlert is a resource that conveys a cluster-level alert message.
KindClusterAuditConfig is the resource that holds cluster audit configuration.
KindClusterAuthPreference is the type of authentication for this cluster.
KindClusterConfig is the resource that holds cluster level configuration.
KindClusterName is a type of configuration resource that contains the cluster name.
KindClusterNetworkingConfig is the resource that holds cluster networking configuration.
KindConnectionDiagnostic is a resource that tracks the result of testing a connection.
KindConnectors is a shortcut for all authentication connectors.
KindDatabase is a database resource.
KindDatabaseCertificate is a resource to control Database Certificates generation.
KindDatabaseServer is a database proxy server resource.
KindDownload represents Teleport binaries downloads.
KindEvent is structured audit logging event.
KindGithub is Github connector resource.
KindGithubConnector is Github OAuth2 connector resource.
KindGithubRequest is Github auth request resource.
KindHostCert is a host certificate.
KindIdentity is local on disk identity resource.
KindInstaller is a resource that holds a node installer script used to install teleport on discovered nodes.
KindJWT is a JWT token signer.
KindKubernetesCluster is a Kubernetes cluster.
KindKubeServer is a kubernetes server resource.
KindKubeService is a kubernetes service resource. DELETE in 12.0.0.
KindLicense is a license resource.
KindLock is a lock resource.
KindMFADevice is an MFA device for a user.
KindNamespace is a namespace.
KindNetworkRestrictions are restrictions for SSH sessions.
KindNode is node resource.
KindOIDC is OIDC connector resource.
KindOIDCConnector is an OIDC connector resource.
KindOIDCRequest is OIDC auth request resource.
KindPluginData is a PluginData resource.
KindProxy is proxy resource.
KindRecoveryCodes is a resource that holds users recovery codes.
KindRemoteCluster represents remote cluster connected via reverse tunnel to proxy.
KindReverseTunnel is a reverse tunnel connection.
KindRole is a role resource.
KindSAML is SAML connector resource.
KindSAMLConnector is a SAML connector resource.
KindSAMLRequest is SAML auth request resource.
KindSemaphore is the resource that provides distributed semaphore functionality.
KindSession is a recorded SSH session.
KindSessionRecordingConfig is the resource for session recording configuration.
KindSessionTracker is a resource that tracks a live session.
KindSnowflakeSession represents a Snowflake specific web session.
KindSSHSession is an active SSH session.
KindState is local on disk process state.
KindStaticTokens is a type of configuration resource that contains static tokens.
KindToken is a provisioning token resource.
KindTrustedCluster is a resource that contains trusted cluster configuration.
KindTunnelConnection specifies connection of a reverse tunnel to proxy.
KindUsageEvent is an external cluster usage event.
KindUser is a user resource.
KindUserToken is a user token used for various user related actions.
KindUserTokenSecrets is user token secrets.
KindWebSession is a web session resource.
KindWebToken is a web token resource.
KindWindowsDesktop is a Windows desktop host.
KindWindowsDesktopService is a Windows desktop service resource.
KubeTunnel is a tunnel where the kubernetes service dials back to the proxy.
LabelPattern is a regexp that describes a valid label key.
MetaNameClusterAuditConfig is the exact name of the singleton resource holding cluster audit configuration.
MetaNameClusterAuthPreference is the type of authentication for this cluster.
MetaNameClusterName is the name of a configuration resource for cluster name.
MetaNameClusterNetworkingConfig is the exact name of the singleton resource holding cluster networking configuration.
MetaNameNetworkRestrictions is the exact name of the singleton resource for network restrictions.
MetaNameSessionRecordingConfig is the exact name of the singleton resource for session recording configuration.
MetaNameSessionTracker is the prefix of resources used to track live sessions.
MetaNameStaticTokens is the name of a configuration resource for static tokens.
NodeTunnel is a tunnel where the node connects to the proxy (dial back).
OnSessionLeaveTerminate is a moderated sessions policy constant that pauses a session once the required policies are no longer fulfilled.
OnSessionLeaveTerminate is a moderated sessions policy constant that terminates a session once the required policy is no longer fulfilled.
OpDelete is returned for Delete events.
OpGet is used for tracking, not present in the event stream.
OpInit is returned by the system whenever the system is initialized, init operation is always sent as a first event over the channel, so the client can verify that watch has been established.
OpInvalid is returned for invalid operations.
OpPut is returned for Put events.
OpUnreliable is used to indicate the event stream has become unreliable for maintaining an up-to-date view of the data.
OriginCloud is an origin value indicating that the resource was imported from a cloud provider.
OriginConfigFile is an origin value indicating that the resource is derived from static configuration.
OriginDefaults is an origin value indicating that the resource was constructed as a default value.
OriginDynamic is an origin value indicating that the resource was committed as dynamic configuration.
OriginKubernetes is an origin value indicating that the resource was created from the Kubernetes Operator.
OriginLabel is a resource metadata label name used to identify a source that the resource originates from.
GCP_KMS is a private key backed by GCP KMS.
PKCS11 is a private key backed by a PKCS11 device such as HSM.
RAW is a plaintext private key.
Multiplex is the proxy listener mode indicating the proxy should use multiplex mode where all proxy services are multiplexed on a single proxy port.
Separate is the proxy listener mode indicating that proxies are running in separate listener mode where Teleport Proxy services use different listeners.
ProxyPeering requires agents to create a reverse tunnel to a configured number of proxy servers and enables proxy to proxy communication.
ProxyTunnel is a tunnel where a proxy connects to the proxy (trusted cluster).
RecordAtNode is the default.
RecordAtNodeSync enables the nodes to stream sessions in sync mode to the auth server.
RecordAtProxy enables the recording proxy which intercepts and records all sessions.
RecordAtProxySync enables the recording proxy which intercepts and records all sessions, streams the records synchronously.
RecordOff is used to disable session recording completely.
APPROVED variant indicates that a request has been accepted by an administrating party.
DENIED variant indicates that a request has been rejected by an administrating party.
NONE variant exists to allow RequestState to be explicitly omitted in certain circumstances (e.g.
PENDING variant is the default for newly created requests.
RequestStrategyAlways indicates that client implementations should automatically generate wildcard requests on login, but that reasons are not required.
RequestStrategyOptional is the default request strategy, indicating that no special actions/requirements exist.
RequestStrategyReason indicates that client implementations should automatically generate wildcard requests on login, and users should be prompted for a reason.
HARDWARE_KEY_TOUCH means login sessions must use a hardware private key that requires touch to be used.
OFF means additional MFA enforcement is not enabled.
SESSION means MFA is required to begin server sessions.
SESSION_AND_HARDWARE_KEY means MFA is required to begin server sessions, and login sessions must use a private key backed by a hardware key.
ResourceMetadataName refers to a resource metadata field named "name".
ResourceSpecAddr refers to a resource spec field named "address".
ResourceSpecDescription refers to a resource spec field named "description".
ResourceSpecHostname refers to a resource spec field named "hostname".
ResourceSpecPublicAddr refers to a resource field named "address".
ResourceSpecType refers to a resource field named "type".
RoleAdmin is admin role.
RoleApp is a role for an app proxy in the cluster.
RoleAuth is for teleport auth server (authority, authentication and authorization).
RoleBot is a role for a bot.
RoleDatabase is a role for a database proxy in the cluster.
RoleDiscovery is a role for discovery nodes in the cluster.
RoleInstance is a role implicitly held by teleport servers (i.e.
RoleKube is a role for a kubernetes service.
RoleNode is a role for SSH node in the cluster.
RoleNop is used for actions that are already using external authz mechanisms e.g.
RoleProvisionToken is a role for nodes authenticated using provisioning tokens.
RoleProxy is a role for SSH proxy in the cluster.
RoleRemoteProxy is a role for remote SSH proxy in the cluster.
RoleSignup is for first time signing up users.
RoleTrustedCluster is a role needed for tokens used to add trusted clusters.
RoleWindowsDesktop is a role for a Windows desktop service.
RotationModeAuto is set to go through all phases by the schedule.
RotationModeManual is a manual rotation mode when all phases are set by the operator.
RotationPhaseInit is a phase of the rotation when a new certificate authority is issued, but not used. It is necessary for remote trusted clusters to fetch the new certificate authority, otherwise the new clients will reject it.
RotationPhaseRollback means that rotation is rolling back to the old certificate authority.
RotationPhaseStandby is the initial phase of the rotation; it means no operations have started.
RotationPhaseUpdateClients is a phase of the rotation when client credentials will have to be updated and reloaded but servers will use and respond with old credentials because clients have no idea about new credentials at first.
RotationPhaseUpdateServers is a phase of the rotation when servers will have to reload and should start serving TLS and SSH certificates signed by new CA.
RotationStateInProgress means that rotation is in progress.
RotationStateStandby is the initial status of the rotation: nothing is being rotated.
MostRecent routes to the most recently heartbeated node if duplicates are present.
UnambiguousMatch only routes to distinct nodes.
SemaphoreKindConnection is the semaphore kind used by the Concurrent Session Control feature to limit concurrent connections (corresponds to the `max_connections` role option).
SemaphoreKindHostUserModification is the semaphore kind used to limit the number of operations that can occur on a unix user to one at a time.
SemaphoreKindKubernetesConnection is the semaphore kind used by the Concurrent Session Control feature to limit concurrent connections for Kubernetes (corresponds to the `max_kubernetes_connections` role option).
Pending variant represents a session that is waiting on participants to fulfill the criteria to start the session.
Running variant represents a session that has had its criteria for starting fulfilled at least once and has transitioned to a RUNNING state.
Terminated variant represents a session that is no longer running and due for removal.
TeleportNamespace is used as the namespace prefix for any labels defined by teleport.
TeleportServiceGroup is a default group that users of the teleport automated user provisioning system get added to so already existing users are not deleted.
True holds "true" string value.
UserCA identifies the key as a user certificate authority.
USER_TOKEN_RECOVER_MFA is a request to recover an MFA.
USER_TOKEN_RECOVER_PASSWORD is a request to recover password.
USER_TOKEN_RENEWAL_BOT is a request to generate certificates for a bot user.
Default value that implies token usage was not set.
V1 is the first version of resources.
V2 is the second version of resources.
V3 is the third version of resources.
V4 is the fourth version of resources.
V5 is the fifth version of resources.
VerbCreate is used to create an object.
VerbDelete is used to remove an object.
VerbList is used to list all objects.
VerbRead is used to read a single object.
VerbReadNoSecrets is used to read a single object without secrets.
VerbRotate is used to rotate certificate authorities used only internally.
VerbUpdate is used to update an object.
Wildcard is a special wildcard character matching everything.
WindowsDesktopTunnel is a tunnel where the Windows desktop service dials back to the proxy.
# Variables
CertAuthTypes lists all certificate authority types.
OriginValues lists all possible origin values.
RequestableResourceKinds lists all Teleport resource kinds users can request access to.
RotatePhases lists all supported rotation phases.
SessionRecordingModes lists all possible session recording modes.
WebSessionSubKinds lists subkinds of web session resources.
# Structs
AccessCapabilities is a summary of capabilities that a user is granted via their dynamic access privileges which may not be calculable by directly examining the user's own static roles.
AccessCapabilitiesRequest encodes parameters for the GetAccessCapabilities method.
AccessRequestConditions is a matcher for allow/deny restrictions on access-requests.
AccessRequestFilter encodes filter params for access requests.
AccessRequestSpec is the specification for AccessRequest.
AccessRequestUpdate encompasses the parameters of a SetAccessRequestState call.
AccessRequest represents an access request resource specification.
AccessReview is a review to be applied to an access request.
AccessReviewConditions is a matcher for allow/deny restrictions on access reviews.
AccessReviewSubmission encodes the necessary parameters for submitting a new access review.
AccessReviewThreshold describes a filter used to match access reviews, as well as approval/denial counts which trigger state-transitions.
AcquireSemaphoreRequest holds semaphore lease acquisition parameters.
AD contains Active Directory specific database configuration.
AddressCondition represents a set of addresses.
AgentMeshTunnelStrategy requires reverse tunnels to dial every proxy.
App is a specific application that a server proxies.
AppAWS contains additional options for AWS applications.
AppServerSpecV3 is the app access server spec.
AppServerV3 represents a single proxied web app.
AppSpecV3 is the AppV3 resource spec.
AppV3 represents an app resource.
AppV3List represents a list of app resources.
AsymmetricKeyPair is a combination of a public certificate and private key that can be used for encryption and signing.
AttributeMapping maps a SAML attribute statement to teleport roles.
AuthPreferenceSpecV2 is the actual data we care about for AuthPreference.
AuthPreferenceV2 implements the AuthPreference interface.
AWS contains AWS metadata about the database.
Azure contains Azure specific database metadata.
AzureRedis contains Azure Cache for Redis specific database metadata.
BoolOption is a wrapper around bool that can take multiple values: true, false and non-set (when pointer is nil), and can marshal itself to the protobuf equivalent BoolValue.
BoolValue is a wrapper around bool, used in cases whenever bool value can have different default value when missing.
CAKeySet is the set of CA keys.
CertAuthID is the ID of a certificate authority (its type and domain name).
CertAuthoritySpecV2 is a host or user certificate authority that can check and, if it has the private key stored as well, sign it too.
CertAuthorityV2 is version 2 resource spec for Cert Authority.
CertExtension represents a key/value for a certificate extension.
CertRoles defines certificate roles.
ClaimMapping maps a claim to teleport roles.
ClusterAlert is a cluster-level alert message.
ClusterAlertSpec is a cluster alert specification.
ClusterAuditConfigSpecV2 is the actual data we care about for ClusterAuditConfig.
ClusterAuditConfigV2 represents audit log settings in the cluster.
ClusterNameSpecV2 is the actual data we care about for ClusterName.
ClusterNameV2 implements the ClusterName interface.
ClusterNetworkingConfigSpecV2 is the actual data we care about for ClusterNetworkingConfig.
ClusterNetworkingConfigV2 contains cluster-wide networking configuration.
CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g.
ConnectionDiagnosticSpecV1 is the ConnectionDiagnostic Spec.
ConnectionDiagnosticTrace describes a trace of a connection diagnostic.
ConnectionDiagnosticV1 is the result of testing a connection.
ConnectorRef holds information about OIDC connector.
CreateAppSessionRequest contains the parameters needed to request creating an application web session.
CreatedBy holds information about the person or agent who created the user.
CreateSnowflakeSessionRequest contains the parameters needed to request creating a Snowflake web session.
CreateUserParams represents the user creation parameters as called during SSO login flow.
DatabaseServerSpecV3 is the database server spec.
DatabaseServerV3 represents a database access server.
DatabaseSpecV3 is the database spec.
DatabaseStatusV3 contains runtime information about the database.
DatabaseTLS contains TLS configuration options.
DatabaseV3 represents a single proxied database.
DatabaseV3List represents a list of databases.
DeleteAppSessionRequest are the parameters used to request removal of an application web session.
DeleteSnowflakeSessionRequest are the parameters used to request removal of a Snowflake web session.
DeleteWebSessionRequest describes a request to delete a web session.
DeleteWebTokenRequest describes a request to delete a web token.
ElastiCache contains AWS ElastiCache Redis specific metadata.
Event represents an event that happened in the backend.
ExternalIdentity is an OpenID Connect/SAML or Github identity that is linked to a particular user and connector and lets the user log in using external credentials, e.g.
GCPCloudSQL contains parameters specific to GCP Cloud SQL databases.
GenerateAppTokenRequest are the parameters used to generate an application token.
GenerateSnowflakeJWT are the parameters used to generate a Snowflake JWT.
GetAppSessionRequest contains the parameters to request an application web session.
GetClusterAlertsRequest matches cluster alerts.
GetSnowflakeSessionRequest contains the parameters to request a Snowflake web session.
GetWebSessionRequest describes a request to query a web session.
GetWebTokenRequest describes a request to query a web token.
GithubAuthRequest is the request to start Github OAuth2 flow.
GithubClaims represents Github user information obtained during OAuth2 flow.
GithubConnectorSpecV3 is a Github connector specification.
GithubConnectorV3 represents a Github connector.
GithubConnectorV3List is a list of Github connectors.
GithubTokenInfo stores diagnostic info about Github OAuth2 token obtained during SSO flow.
Header represents a single http header passed over to the proxied application.
ImpersonateConditions specifies whether users are allowed to issue certificates for other users or groups.
InstallerSpecV1 is the specification for an Installer.
InstallerV1 represents an installer script resource.
InstallerV1List represents a list of installer resources.
JWTKeyPair is a PEM encoded keypair used for signing JWT tokens.
No description provided by the author
KubeAWS contains the AWS information about the cluster.
KubeAzure contains the Azure information about the cluster.
KubeGCP contains the GCP information about the cluster.
KubernetesCluster is a named kubernetes API endpoint handled by a Server.
KubernetesClusterSpecV3 is a specification for a Kubernetes cluster.
KubernetesClusterV3 represents a named kubernetes API endpoint.
KubernetesClusterV3List represents a list of kubernetes clusters.
KubernetesServerSpecV3 is the Kubernetes server spec.
KubernetesServerV3 represents a Kubernetes server.
LicenseSpecV3 is the actual data we care about for LicenseV3.
LicenseV3 represents License resource version V3.
ListResourcesResponse describes a non proto response to ListResources.
ListWindowsDesktopServicesRequest is a request type to ListWindowsDesktopServices.
ListWindowsDesktopServicesResponse is a response type to ListWindowsDesktopServices.
ListWindowsDesktopsRequest is a request type to ListWindowsDesktops.
ListWindowsDesktopsResponse is a response type to ListWindowsDesktops.
LocalAuthSecrets holds sensitive data used to authenticate a local user.
LockSpecV2 is a Lock specification.
LockTarget lists the attributes of interactions to be disabled.
LockV2 represents a lock.
LoginStatus is a login status of the user.
MemoryDB contains AWS MemoryDB specific metadata.
Metadata is resource metadata.
MFADevice is a multi-factor authentication device, such as a security key or an OTP app.
No description provided by the author
No description provided by the author
No description provided by the author
MySQLOptions are additional MySQL database options.
Namespace represents namespace resource specification.
NamespaceSpec is a namespace specification.
No description provided by the author
NetworkRestrictions specifies a list of addresses to restrict (block).
NewWebSessionRequest defines a request to create a new user web session.
No description provided by the author
OIDCAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server.
OIDCConnectorSpecV3 is an OIDC connector specification.
OIDCConnectorV3 represents an OIDC connector.
OIDCConnectorV3List is a list of OIDC connectors.
OIDCIdentity is a redefinition of oidc.Identity with additional methods, required for serialization to/from protobuf.
Participant stores information about a participant in the session.
PluginDataEntry wraps a mapping of arbitrary string values used by plugins to store per-resource information.
PluginDataFilter encodes filter params for plugin data.
PluginData stores a collection of values associated with a specific resource.
PluginDataUpdateParams encodes parameters for updating a PluginData field.
PluginData stores a collection of values associated with a specific resource.
ProvisionTokenSpecV2 is a specification for V2 token.
No description provided by the author
No description provided by the author
No description provided by the author
Rule includes fields mapped from `lib/githubactions.IDToken`. Not all fields should be included, only ones that we expect to be useful when trying to create rules around which workflows should be allowed to authenticate against a cluster.
ProvisionTokenV1 is a provisioning token V1.
ProvisionTokenV2 specifies provisioning token.
ProvisionTokenV2List is a list of provisioning tokens.
ProxyPeeringTunnelStrategy requires reverse tunnels to dial a fixed number of proxies.
RDS contains AWS RDS specific database metadata.
RDSProxy contains AWS RDS Proxy specific database metadata.
No description provided by the author
RecoveryAttempt represents an unsuccessful attempt at recovering a user's account.
RecoveryCode describes a recovery code.
RecoveryCodesSpecV1 is the recovery codes spec.
RecoveryCodes holds a user's recovery code information.
Redshift contains AWS Redshift specific database metadata.
RegisterUsingTokenRequest is a request to register with the auth server using an authentication token.
RemoteClusterStatusV3 represents status of the remote cluster.
RemoteClusterV3 represents remote cluster resource specification.
ResourceHeader is a shared resource header used in cases when only type and name is known.
ResourceID is a unique identifier for a teleport resource.
ResourcesInNamespaceRequest is a request relating to a named resource in the given namespace.
ResourceRequest is a request relating to a named resource.
ResourcesInNamespaceRequest is a request relating to resources in the given namespace.
ResourcesWithSecretsRequest is a request relating to resources with secrets.
ResourceWithSecretsRequest is a request relating to a named resource with secrets.
ReverseTunnelSpecV2 is a specification for V2 reverse tunnel.
ReverseTunnelV2 is version 2 of the resource spec of the reverse tunnel.
Rewrite is a list of rewriting rules to apply to requests and responses.
RoleConditions is a set of conditions that must all match to be allowed or denied access.
RoleMapping provides mapping of remote roles to local roles for trusted clusters.
RoleOptions is a set of role options.
RoleSpecV5 is role specification for RoleV5.
RoleV5 represents role resource specification.
Rotation is a status of the rotation of the certificate authority.
RotationSchedule is a rotation schedule setting time switches for different phases.
Rule represents allow or deny rule that is executed to check if user or service have access to resource.
SAMLAuthRequest is a request to authenticate with SAML provider, the state about request is managed by auth server.
SAMLConnectorSpecV2 is a SAML connector specification.
SAMLConnectorV2 represents a SAML connector.
SAMLConnectorV2List is a list of SAML connectors.
SecretStore contains secret store configurations.
SemaphoreFilter encodes semaphore filtering params.
SemaphoreLease represents lease acquired for semaphore.
SemaphoreLeaseRef identifies an existent lease.
SemaphoreSpecV3 contains the data about lease.
SemaphoreV3 implements Semaphore interface.
ServerSpecV2 is a specification for V2 Server.
ServerV2 represents a Node, App, Database, Proxy or Auth server in a Teleport cluster.
ServerV2List is a list of servers.
SessionJoinPolicy defines a policy that allows a user to join sessions.
SessionRecordingConfigSpecV2 is the actual data we care about for SessionRecordingConfig.
SessionRecordingConfigV2 contains session recording configuration.
SessionRequirePolicy is a requirement policy that needs to be fulfilled to grant access.
SessionTrackerFilter are filters to apply when searching for session trackers.
SessionTrackerPolicySet is a set of RBAC policies held by the session tracker that contain additional metadata from the originating role.
SessionTrackerSpecV1 is the specification for a live session.
SessionTrackerV1 represents a live session resource.
Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.
SortBy defines a sort criteria.
SSHKeyPair is an SSH CA key pair.
SSODiagnosticInfo is a single SSO diagnostic info entry.
SSOWarnings conveys a user-facing main message along with auxiliary warnings.
StaticTokensSpecV2 is the actual data we care about for StaticTokensSpecV2.
StaticTokensV2 implements the StaticTokens interface.
TeamMapping represents a single team membership mapping.
TeamRolesMapping represents a single team membership mapping.
ThresholdIndexSet encodes a list of threshold indexes.
ThresholdIndexSets is a list of threshold index sets.
TLSKeyPair is a TLS key pair.
TokenRule is a rule that a joining node must match in order to use the associated token.
TOTPDevice holds the TOTP-specific fields of MFADevice.
TraitMapping maps a trait to teleport roles.
TrustedClusterSpecV2 is a Trusted Cluster specification.
TrustedClusterV2 represents a Trusted Cluster.
TrustedClusterV2List is a list of trusted clusters.
TunnelConnectionSpecV2 is a specification for V2 tunnel connection.
TunnelConnectionV2 is version 2 of the resource spec of the tunnel connection.
TunnelStrategyV1 defines possible tunnel strategy types.
No description provided by the author
No description provided by the author
U2F defines settings for U2F device.
U2FDevice holds the U2F-specific fields of MFADevice.
UserRef holds references to user.
UserSpecV2 is a specification for V2 user.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
UserV2 is version 2 resource spec of the user.
Watch sets up watch on the event.
WatchKind specifies resource kind to watch.
Webauthn defines user-visible settings for server-side Web Authentication support.
WebauthnDevice holds Webauthn-specific fields of MFADevice.
WebauthnLocalAuth holds settings necessary for local webauthn use.
WebSessionFilter encodes cache watch parameters for filtering web sessions.
WebSessionSpecV2 is a specification for web session.
WebSessionV2 represents an application or UI web session.
WebTokenSpecV3 is a unique time-limited token bound to a user's web session.
WebTokenV3 describes a web token.
WhereExpr is a tree-like structure representing a `where` (sub-)expression.
WhereExpr2 is a pair of `where` (sub-)expressions.
WindowsDesktopFilter are filters to apply when searching for windows desktops.
WindowsDesktopServiceSpecV3 is the windows desktop service spec.
WindowsDesktopServiceV3 represents a windows desktop access service.
WindowsDesktopSpecV3 is the Windows host spec.
WindowsDesktopV3 represents a Windows host for desktop access.
# Interfaces
AccessRequest is a request for temporarily granted roles.
Application represents a web app.
AppServer represents a single proxied web app.
AuthPreference defines the authentication preferences for a specific cluster.
CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too.
ClusterAuditConfig defines cluster-wide audit log configuration.
ClusterName defines the name of the cluster.
ClusterNetworkingConfig defines cluster networking configuration.
CommandLabel is a label that has a value as a result of the output generated by running command, e.g.
ConnectionDiagnostic represents a Connection Diagnostic.
Database represents a database proxied by a database server.
DatabaseServer represents a database access server.
Events returns new events interface.
GithubConnector defines an interface for a Github OAuth2 connector.
Installer is an installer script resource.
KeepAliver keeps object alive.
KubeCluster represents a kubernetes cluster.
KubeServer represents a single Kubernetes server.
License defines teleport License Information.
Lock configures locking out of a particular access vector.
NetworkRestrictions defines network restrictions applied to SSH session.
OIDCConnector specifies configuration for Open ID Connect compatible external identity provider, e.g.
PluginData is used by plugins to store per-resource state.
ProvisionToken is a provisioning token.
ProxiedService is a service that is connected to a proxy.
RemoteCluster represents a remote cluster that has connected via reverse tunnel to this cluster.
Resource represents common properties for all resources.
ResourceWithLabels is a common interface for resources that have labels.
ResourceWithOrigin provides information on the origin of the resource (defaults, config-file, dynamic).
ResourceWithSecrets includes additional properties which must be provided by resources which *may* contain secrets.
ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy.
Role contains a set of permissions or settings.
SAMLConnector specifies configuration for SAML 2.0 identity providers.
Semaphore represents distributed semaphore concept.
Semaphores provides ability to control how many shared resources of some kind are acquired at the same time, used to implement concurrent sessions control in a distributed environment.
Server represents a Node, Proxy or Auth server in a Teleport cluster.
SessionRecordingConfig defines session recording configuration.
SessionTracker is a resource which tracks an active session.
StaticTokens define a list of static []ProvisionToken used to provision a node.
TrustedCluster holds information needed for a cluster that cannot be directly accessed (may be behind a firewall without any open ports) to join a parent cluster.
TunnelConnection is SSH reverse tunnel connection established to reverse tunnel proxy.
TunnelStrategy defines methods to be implemented by any TunnelStrategy.
User represents teleport embedded user or external user.
UserToken represents a temporary token used for various user-related actions, i.e. change password.
UserTokenSecrets contains user token secrets.
Watcher returns watcher.
WebSession stores key and value used to authenticate with SSH nodes on behalf of user.
WebSessionInterface defines interface to regular web sessions.
WebSessionsGetter provides access to web sessions.
WebToken is a time-limited unique token bound to a user's session.
WebTokenInterface defines interface for managing web tokens.
WebTokensGetter provides access to web tokens.
WindowsDesktop represents a Windows desktop host.
WindowsDesktopService represents a Windows desktop service instance.
# Type aliases
AlertOption is a functional option for alert construction.
AlertSeverity represents how problematic/urgent an alert is, and is used to assist in sorting alerts for display.
Apps is a list of app resources.
AppServers represents a list of app servers.
AssertionInfo is an alias for saml2.AssertionInfo with additional methods, required for serialization to/from protobuf.
Bool is a wrapper around boolean values.
No description provided by the author
SigningAlg is the algorithm used for signing new SSH certificates using SigningKeys.
CertAuthType specifies certificate authority type.
CertExtensionMode specifies the type of extension to use in the cert.
CertExtensionType represents the certificate type the extension is for.
FIPSEndpointState represents an AWS FIPS endpoint state.
StatusType describes whether this was a success or a failure.
TraceType is an identification of the checkpoint.
No description provided by the author
Databases is a list of database resources.
DatabaseServers represents a list of database servers.
DatabaseTLSMode represents the level of TLS verification performed by DB agent when connecting to a database.
Duration is a wrapper around duration to set up custom marshal/unmarshal.
EventOrder is an ordering of events, either ascending or descending.
InstanceMetadataType is the type of cloud instance metadata client.
JoinMethod is the method used for new nodes to join the cluster.
Type is the type of keep alive, used by servers.
KubeClusters represents a list of kube clusters.
KubeServers represents a list of kube servers.
Labels is a wrapper around map that can marshal and unmarshal itself from scalar and list values.
OIDCClaims is a redefinition of jose.Claims with additional methods, required for serialization to/from protobuf.
OpType specifies operation type.
PrivateKeyType is the storage type of a private key.
ProxyListenerMode represents the cluster proxy listener mode.
RequestState represents the state of a request for escalated privilege.
RequestStrategy is an indicator of how access requests should be handled for holders of a given role.
RequireMFAType is a type of MFA requirement enforced outside of login, such as per-session MFA or per-request PIV touch.
ResourcesWithLabels is a list of labeled resources.
ResourcesWithLabelsMap is like ResourcesWithLabels, but a map from resource name to its value.
RoleConditionType specifies if it's an allow rule (true) or deny rule (false).
RoleMap is a list of mappings.
RoutingStrategy determines the strategy used to route to nodes.
Servers represents a list of servers.
SessionKind is a type of session.
SessionParticipantMode is the mode that determines what you can do when you join a session.
SessionState represents the state of a session.
SortedNamespaces sorts namespaces.
SortedTrustedCluster sorts clusters by name.
SystemRole identifies the role of an SSH connection.
SystemRoles is a TeleportRole list.
TraitMappingSet is a set of trait mappings.
No description provided by the author
TunnelType is the type of tunnel.
UserTokenUsage contains additional information about the intended usage of a user token.
WindowsDesktops represents a list of windows desktops.
No description provided by the author