[v15] Display allowed logins for leaf resources in the root web ui #39887

Merged
merged 2 commits into branch/v15 from tross/backport-logins/v15
Mar 27, 2024

Conversation

rosstimothy
Contributor

Backports #38827 and #39579 to branch/v15

Changelog: Correctly show the user's allowed logins when accessing leaf resources via the root cluster web UI

@rosstimothy rosstimothy marked this pull request as ready for review March 27, 2024 14:08
@github-actions github-actions bot added the size/md and tctl (tctl - Teleport admin tool) labels Mar 27, 2024
@github-actions github-actions bot requested review from avatus and fspmarshall March 27, 2024 14:08
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from fspmarshall March 27, 2024 17:30
@rosstimothy rosstimothy added this pull request to the merge queue Mar 27, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Mar 27, 2024
Updates ListResources and ListUnifiedResources to optionally allow
responses to include the allowed logins per returned resource that the
requesting user has access to given their roles. Logins are currently
only populated for SSH and WindowsDesktop resources. The new
types.EnrichedResource was added to facilitate transporting the
underlying resource and the additional user-specific information to consumers.
…39579)

The Proxy web API now requests that Auth include allowed logins
per resource instead of guessing logins per resource based on the
information it has cached. However, due to the way SSH sessions
are authorized, the logins are not provided to users verbatim.

Any sessions created via the root web UI to a leaf resource will use
the SSH certificate created for that user in the root cluster. New
certificates are not minted per leaf cluster. This is important
because the nodes only allow OS logins for a session if they are
present in the valid principals of the SSH certificate. So even
though we are now capable of displaying all allowed logins for
leaf SSH servers in the root web UI, the user is only able to use
a subset of them. To avoid any odd UX, the Proxy will filter out
any allowed logins which do not exist in the principals of the
root SSH certificate.

The above only holds for SSH; Windows desktops are not as strict,
and any allowed login from a leaf cluster is now visible in the
root web UI.

Fixes #5041
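The proxy-side rule the commit message describes, written out as an added example in Go. This is not code from the Teleport PR or repository: `EnrichedResource` and `RootSSHCert` are hypothetical stand-ins for the real `types.EnrichedResource` and the user's root-cluster SSH certificate (only its valid principals matter here), and the sample leaf resources and certificate are constructed inline. SSH node logins absent from the certificate's principals are dropped, because the node would refuse them anyway; Windows desktop logins pass through unchanged.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ResourceKind covers the two kinds the change populates logins for.
type ResourceKind string

const (
	KindNode           ResourceKind = "node"
	KindWindowsDesktop ResourceKind = "windows_desktop"
)

// EnrichedResource is a hypothetical stand-in for Teleport's
// types.EnrichedResource: the resource plus the allowed logins the
// leaf Auth server computed for the requesting user.
type EnrichedResource struct {
	Name   string
	Kind   ResourceKind
	Logins []string
}

// RootSSHCert is a hypothetical stand-in for the user's root-cluster SSH
// certificate; ValidPrincipals mirrors the field a node checks the
// requested OS login against.
type RootSSHCert struct {
	ValidPrincipals []string
}

// NodeAcceptsLogin models the node-side check: an OS login is usable only
// if it is one of the certificate's valid principals.
func NodeAcceptsLogin(cert RootSSHCert, login string) bool {
	for _, p := range cert.ValidPrincipals {
		if p == login {
			return true
		}
	}
	return false
}

// FilterLeafLogins applies the proxy-side rule: for SSH nodes, keep only the
// leaf-reported logins the root certificate can actually use (sorted for
// stable display); for Windows desktops, show every leaf-reported login.
func FilterLeafLogins(cert RootSSHCert, resources []EnrichedResource) []EnrichedResource {
	out := make([]EnrichedResource, 0, len(resources))
	for _, r := range resources {
		filtered := r
		if r.Kind == KindNode {
			filtered.Logins = nil
			for _, l := range r.Logins {
				if NodeAcceptsLogin(cert, l) {
					filtered.Logins = append(filtered.Logins, l)
				}
			}
			sort.Strings(filtered.Logins)
		}
		out = append(out, filtered)
	}
	return out
}

// SampleCert is a constructed root certificate carrying two principals.
func SampleCert() RootSSHCert {
	return RootSSHCert{ValidPrincipals: []string{"ubuntu", "root"}}
}

// SampleLeafResources is constructed leaf-cluster data: a node whose
// leaf roles grant more logins than the root certificate carries, a node
// with no usable login at all, and a desktop.
func SampleLeafResources() []EnrichedResource {
	return []EnrichedResource{
		{Name: "leaf-node-a", Kind: KindNode, Logins: []string{"ubuntu", "ec2-user", "root"}},
		{Name: "leaf-node-b", Kind: KindNode, Logins: []string{"ec2-user"}},
		{Name: "leaf-desktop", Kind: KindWindowsDesktop, Logins: []string{"Administrator", "svc_app"}},
	}
}

func main() {
	for _, r := range FilterLeafLogins(SampleCert(), SampleLeafResources()) {
		fmt.Printf("%-13s %-16s logins=[%s]\n", r.Name, r.Kind, strings.Join(r.Logins, " "))
	}
}
```

Note that `leaf-node-b` ends up with an empty login list rather than disappearing: the resource is still visible in the UI, the user simply has nothing to connect as, which is exactly the state the node would enforce if the filter were absent.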
@rosstimothy rosstimothy force-pushed the tross/backport-logins/v15 branch from e4338cb to 5d17988 Compare March 27, 2024 21:30
@rosstimothy rosstimothy enabled auto-merge March 27, 2024 21:30
@rosstimothy rosstimothy added this pull request to the merge queue Mar 27, 2024
Merged via the queue into branch/v15 with commit 3794111 Mar 27, 2024
35 checks passed
@rosstimothy rosstimothy deleted the tross/backport-logins/v15 branch March 27, 2024 22:08