2.4.2 problem still exists: [Access denied] from auth to a trusted cluster #1733

Closed
raymond-yn opened this issue Mar 1, 2018 · 5 comments

raymond-yn commented Mar 1, 2018

What happened:
After I add a trusted cluster to the remote auth, the cluster tag successfully appears in the web UI of the remote auth. But when I want to ssh to the trusted cluster master, it tells me: "access denied to root connecting to xxxxx"
And when I keep all my conf and only change Teleport on the remote auth to 2.3.5, it also happens when I connect to the cluster I added last time.
But if I create a new cluster, the new one can be connected to over ssh successfully.
So I guess the problem appears because the 2.4.2 remote auth generates some wrong conf.
And there is a previous issue like mine: #1674

What you expected to happen:
I can successfully ssh to the cluster master after I add a new trusted cluster.

How to reproduce it (as minimally and precisely as possible):
remote auth + proxy (2.4.2)
local auth + proxy + node (2.3.5 or 2.4.2)
Try to connect from remote proxy to local node with root account.

Environment:

  • Teleport version (use teleport version): 2.4.2
  • Tsh version (use tsh version): 2.4.2
  • OS (e.g. from /etc/os-release): debian/stretch

Relevant Debug Logs If Applicable

The log of the trusted master

Mar 01 12:32:59 debian teleport[1892]: WARN             [RBAC] Denied access to server: access to node xxx is denied to role(s): [role default-implicit-role denied access: allow rules did not match; match(namespace=true, label=false, login=false)] services/role.go:1487
Mar 01 12:32:59 debian teleport[1892]: ERRO [NODE]      Permission denied: user xxxx@test1 is not authorized to login as root@xxxx: access to node xxx is denied to role(s): [role default-implicit-role denied access: allow rules did not match; match(namespace=true, label=false, login=false)] fingerprint:[email protected] SHA256:m/jzCd0snHRLT9vxje3TkdQPKl/dSwmngiMyQI18flg local:xxxxxxxxxxx:3022 remote:xxxxxxxxxxxxx:27204 user:root srv/authhandlers.go:216
Mar 01 12:32:59 debian teleport[1892]: WARN [NODE]      failed login attempt events.EventFields{"user":"xxx", "success":false, "error":"user xxx@test1 is not authorized to login as root@xxxxx: access to node xxxxx is denied to role(s): [role default-implicit-role denied access: allow rules did not match; match(namespace=true, label=false, login=false)]"} fingerprint:[email protected] SHA256:m/jzCd0snHRLT9vxje3TkdQPKl/dSwmngiMyQI18flg local:xxxxxxxxx:3022 remote:xxxxxxx:27204 user:root srv/authhandlers.go:166
Mar 01 12:33:02 debian teleport[1892]: INFO [PRESENCE]  GetServers(1) in 877.282µs local/presence.go:200
Mar 01 12:33:03 debian teleport[1892]: INFO             [AUTH] keyAuth: xxxxxxxxx:43046->xxxxxxxxxx:3025, user=root auth/tun.go:423
Mar 01 12:33:06 debian teleport[1892]: INFO [PRESENCE]  GetServers(1) in 2.626227ms local/presence.go:200
Mar 01 12:33:11 debian teleport[1892]: INFO [PRESENCE]  GetServers(1) in 1.245049ms local/presence.go:200

The log of the remote master

Mar 01 12:32:59 xxx  teleport[13864]: INFO             [CLIENT] client=xxxxxx:27204 connecting to node=xxxxxx:0@default@xxxxxxx
Mar 01 12:32:59 xxx teleport[13864]: WARN             failed to SSH: access denied to root connecting to xxxx web/terminal.go:217
Mar 01 12:32:59 xxx  teleport[13864]: ERRO             access denied to root connecting to xxx web/terminal.go:161

@klizhentas
Contributor

@russjones it does not seem like we have resolved 2.4.2 issue with trusted clusters.

@russjones
Contributor

@ThomasRaymond Just to confirm, you are experiencing this issue while using the Web UI, correct? Do things work for you when you use tsh?

Author

raymond-yn commented Mar 2, 2018

@russjones Yes, it works well when I use tsh now.
But I think I have met this problem when using tsh.
I will tell you if I can reproduce it.

@russjones
Contributor

@ThomasRaymond Okay great, I reproduced the issue and fixed it in #1736, I'll roll the fix into 2.4.3.

@klizhentas
Contributor

@russjones can we close this issue?
