Add automatic role access requests #39003
Conversation
github-actions
bot
added
size/md
tsh
There was a problem hiding this comment.
This is going to need some tweaking to get the access-control model correct. roles and search_as_roles are more different than they initially appear because search_as_roles implicitly grants read access to all resources in the list, but roles does not. We have to ensure that this API does not provide an opening for a user to test for the existence of resources for which they do not have read access. Similarly, the auth server is unable to make decisions about resources in leaf clusters, meaning that it will likely actually be common for us to be given a resource ID list where the answer to the question "what roles can I request to get access to this resource?" is undecidable, either for technical or security reasons. Given the above, I think probably this API should just fallback to returning the entire list of all roles the user has the ability to request if either A) one or more IDs is not a resource that the user already has read access to, or B) one or more IDs is for a resource in a different cluster.
Also, I think @nklaassen should be a required reviewer for this work given his expertise in this kind of thing.
atburke
force-pushed
the
atburke/auto-role-request
branch
from
2977576 to
b02574c
Compare
|
Friendly ping @nklaassen |
There was a problem hiding this comment.
Is there a GH issue or anything motivating this you could link to?
If there's not a design doc anywhere, could you include in the PR description a high level description of the usecase, the design, and an example of what this looks like on the CLI when you use it?
This is a great point and I'm not coming up with a good solve for it off the top of my head. The test for |
atburke
force-pushed
the
atburke/auto-role-request
branch
from
b4bce27 to
884f456
Compare
|
Friendly ping @nklaassen @fspmarshall |
There was a problem hiding this comment.
I think the idea of just needing an overlapping search_as_roles declaration in order to view target resources is a good one. Eventually we may want to give the UX some additional polish, possibly some kind of flag that could be set to switch the roles field to imply implicit reads so that users don't need to maintain two sources of truth for requestable roles. I think the overlapping search_as_roles idea is good enough for now though, as it lets us do the right thing from an access control perspective without adding new knobs and/or doing anything too unexpected.
Some additional test coverage in lib/auth and/or lib/services would be good (tsh adds a lot of client-side behavior, so I think its good practice to verify security-related behaviors without it in the mix). As Nic mentioned, at least one or two tests should simulate a user probing with resource IDs they aren't allowed to know about.
Overall though, I think the design is in a good place!
public-teleport-github-review-bot
bot
removed the request for review
from jakule
atburke
force-pushed
the
atburke/auto-role-request
branch
from
b89d5cd to
1207c20
Compare
atburke
force-pushed
the
atburke/auto-role-request
branch
from
1207c20 to
76246a4
Compare
tool/tsh/common/tsh.go
Outdated
| if err := promptUserForAccessRequestDetails(cf, req); err != nil { | ||
| return trace.Wrap(err) | ||
| } | ||
|
|
||
| if err := setAccessRequestReason(cf, req); err != nil { |
There was a problem hiding this comment.
I would handle setAccessRequestReason from within promptUserForAccessRequestDetails, logically it's part of that
atburke
force-pushed
the
atburke/auto-role-request
branch
from
594a1b9 to
09c2910
Compare
This change adds the optioin to automatically make a role access request during tsh ssh instead of a resource access request.
atburke
force-pushed
the
atburke/auto-role-request
branch
from
09c2910 to
3441c3d
Compare
|
/excludeflake * |
* Add automatic role requests This change adds the option to automatically make a role access request during tsh ssh instead of a resource access request.
This change adds the option to automatically make a role access request during
tsh sshinstead of the current automatic resource access request. See core goals for details on expected functionality.Changelog: Added automatic role access requests