
Inconsistent enhanced session recording behavior based on cluster-wide recording setting. #50400

Open
programmerq opened this issue Dec 18, 2024 · 0 comments
Labels
  - bpf: Used to bugs with bpf and enhanced session recording.
  - bug
  - c-hm: Internal Customer Reference
  - feature-request: Used for new features in Teleport, improvements to current should be #enhancements
  - session-recording: Issues related to Teleport session recording
  - ssh

@programmerq (Contributor)

Expected Behavior

Enhanced session recording should be able to function independently, allowing nodes to join the cluster without requiring standard session recording to be enabled.

Even if we opt to not allow an "enhanced-only" recording setup, the current behavior is inconsistent, and should be addressed in some way.

Current Behavior

Nodes configured with enhanced session recording fail to join the cluster if standard session recording is disabled. They report an error indicating that session recording needs to be enabled at the cluster level for enhanced session recording to function.

This is confusing because disabling session recording on a cluster doesn't immediately cause problems for nodes with enhanced session recording enabled. New sessions won't have the standard recording, but will continue to emit the BPF events. Once the node restarts, it will bail out and refuse to start the node service because session recording is disabled.

What problem does this solve?

The suggested solution is to have a mode that allows enhanced session recording only. The use case is a system that has a large database with sensitive. If a user connects and runs commands that could return that data, enhanced session recording would not capture it. Standard recording would.

Bug Details

Teleport Version

Teleport v17.0.1

Recreation Steps

  1. Set up a Teleport cluster where session recording is enabled.
  2. Join a node and enable enhanced recording.
  3. Initiate a session, and note that both standard and enhanced recordings occur.
  4. Disable session recordings cluster-wide (session_recording: "off") on the auth server.
  5. Initiate a new session. Note that the node still emits enhanced recording audit events, but no regular session recording happens.
  6. Restart the Teleport service on the node.
  7. Observe that the node refuses to start and exits with an error.

Debug Logs

{"caller":"service/signals.go:174","message":"Critical service has exited with error, aborting.","component":"proc:1","pid":"17020.1","service":"ssh.node","error":"session recording is disabled at the cluster level. To enable enhanced session recording, enable session recording at the cluster level, then restart Teleport."}
{"caller":"cache/cache.go:1443","component":"node:1:cache","duration":"119.732357ms","level":"debug","message":"fetch and apply","timestamp":"2024-12-13T16:15:15Z"}

It seems the node only checks for the cluster session recording option at startup, while standard session recording is determined each time a new session starts.
