diff --git a/lib/services/access_request.go b/lib/services/access_request.go index 876f8417db6cd..692575c1a87e4 100644 --- a/lib/services/access_request.go +++ b/lib/services/access_request.go @@ -61,6 +61,9 @@ const ( // the access request can be reviewed. Defaults to 1 week. requestTTL = 7 * day + // InvalidKubernetesKindAccessRequest is used in part of error messages related to + // `request.kubernetes_resources` config. It's also used to determine if a returned error + // contains this string (in tests and tsh) to customize error messages shown to user. InvalidKubernetesKindAccessRequest = `your Teleport role's "request.kubernetes_resources" field` ) @@ -1685,13 +1688,13 @@ func (m *RequestValidator) pruneRequestedRolesNotMatchingKubernetesResourceKinds allowedKinds, deniedKinds := getKubeResourceKinds(m.kubernetesResource.allow[requestedRoleName]), getKubeResourceKinds(m.kubernetesResource.deny) // Any resource is allowed. - if allowedKinds == nil && deniedKinds == nil { + if len(allowedKinds) == 0 && len(deniedKinds) == 0 { goodRoles[requestedRoleName] = struct{}{} continue } // All supported kube kinds are allowed when there was nothing configured. - if allowedKinds == nil { + if len(allowedKinds) == 0 { allowedKinds = types.KubernetesResourcesKinds allowedKinds = append(allowedKinds, types.KindKubernetesCluster) } @@ -2040,8 +2043,12 @@ func getInvalidKubeKindAccessRequestsError(mappedRequestedRolesToAllowedKinds ma if requestedRoles { requestWord = "requested" } + + // This error must be in sync with web UI's RequestCheckout.tsx ("checkSupportForKubeResources"). + // Web UI relies on the exact format of this error message to determine what kube kinds are + // supported since web UI does not support all kube resources at this time. return trace.BadParameter(`%s did not allow requesting to some or all of the requested `+ - `Kubernetes resources. allowed kinds for each %s roles - %v`, + `Kubernetes resources. allowed kinds for each %s roles: %v`, InvalidKubernetesKindAccessRequest, requestWord, allowedStr) }