
[v16] Fix active session filtering for legacy sessions #47564

Merged (1 commit), Oct 15, 2024

Conversation

zmb3 (Collaborator) commented Oct 14, 2024

Backport #47448 to branch/v16

changelog: fixed a bug that could allow users to list active sessions even when prohibited by RBAC.

This code never worked correctly, but mostly went unnoticed because
it is only triggered when using legacy roles prior to RoleV5.

Prior to moderated sessions, RBAC for viewing active sessions was
based on whether or not you could join a session as the OS login
that is being used, along with a pseudo-resource of kind "ssh_session".

With moderated sessions we introduced more flexible RBAC semantics
that allow you to join sessions in different modes (peer, observer,
moderator), even if you don't actually have permission to start
sessions.

In #11223 we decided that we need to support both types of RBAC checks
(legacy checks against the "ssh_session" resource, and newer checks
against the session_tracker and join_sessions policies). The code that
was doing the legacy checks was flawed for two reasons:

1. It used (types.SessionTracker).GetKind() (which will always be
   "session_tracker") instead of
   (types.SessionTracker).GetSessionKind().
2. When checking whether the session was SSH, it was checking for
   the legacy "ssh_session" value, instead of the "ssh" value that
   session trackers actually use.
public-teleport-github-review-bot (bot) removed the request for review from nklaassen on Oct 15, 2024 07:44
zmb3 added this pull request to the merge queue on Oct 15, 2024
Merged via the queue into branch/v16 with commit f0b72e8 on Oct 15, 2024
42 checks passed
zmb3 deleted the bot/backport-47448-branch/v16 branch on October 15, 2024 14:07
camscale mentioned this pull request on Oct 16, 2024