Disabling port forwarding via RBAC doesn't work #3249

Closed
webvictim opened this issue Jan 7, 2020 · 2 comments

@webvictim
Contributor

What happened:

Given this role, both agent forwarding and port forwarding should be disabled:

kind: role
metadata:
  id: 1578419329305509600
  name: clusteradmin
spec:
  allow:
    kubernetes_groups:
    - system:masters
    logins:
    - root
    - '{{external.login}}'
    node_labels:
      '*': '*'
    rules:
    - resources:
      - '*'
      verbs:
      - '*'
  deny:
    logins: null
  options:
    cert_format: standard
    forward_agent: false
    max_session_ttl: 12h0m0s
    port_forwarding: false
version: v3

This is not actually the case when logging into the cluster.

> Profile URL:  https://example.gravitational.co:3080
  Logged in as: [email protected]
  Cluster:      gus-main.gravitational.co
  Roles:        clusteradmin*
  Logins:       root
  Valid until:  2020-01-08 01:59:09 -0400 AST [valid for 12h0m0s]
  Extensions:   permit-port-forwarding, permit-pty


* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise

Changing forward_agent works fine. Changing port_forwarding does not.

What you expected to happen: Setting port_forwarding to false should remove the permit-port-forwarding trait and disable port forwarding.

How to reproduce it (as minimally and precisely as possible): Use the example role above and try logging into a cluster.

Environment:

  • Teleport version (use teleport version): Teleport Enterprise v4.1.4 git:v4.1.4-0-gc487a75c go1.13.2
  • Tsh version (use tsh version): Teleport v4.1.4 git:v4.1.4-0-gc487a75c go1.13.2
  • OS (e.g. from /etc/os-release): Fedora 30
@fspmarshall
Contributor

Try upgrading to v4.1.7 or newer; this sounds a lot like the issue fixed in #3208.

@webvictim
Contributor Author

Absolutely correct. Thanks.
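
Added example (not part of the issue thread and not Teleport's own code): a Go check that compares the `Extensions:` line of `tsh status` output with a role's `forward_agent` and `port_forwarding` options and reports any extension the role should have withheld, which is a quick way to confirm the behaviour after an upgrade. The `RoleOptions` type and the function names are hypothetical, and mapping `forward_agent` to the standard OpenSSH extension name `permit-agent-forwarding` is an assumption, since only `permit-port-forwarding` and `permit-pty` appear in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// RoleOptions (hypothetical) holds the two spec.options fields from the issue's role.
type RoleOptions struct{ ForwardAgent, PortForwarding bool }

// parseExtensions returns the set named on the "Extensions:" line of tsh status output.
func parseExtensions(status string) map[string]bool {
	exts := map[string]bool{}
	for _, line := range strings.Split(status, "\n") {
		line = strings.TrimSpace(strings.TrimPrefix(line, ">"))
		if !strings.HasPrefix(line, "Extensions:") {
			continue
		}
		for _, e := range strings.Split(strings.TrimPrefix(line, "Extensions:"), ",") {
			if e = strings.TrimSpace(e); e != "" {
				exts[e] = true
			}
		}
	}
	return exts
}

// unexpectedExtensions lists extensions present although the governing role option is false.
func unexpectedExtensions(o RoleOptions, exts map[string]bool) []string {
	var bad []string
	if !o.ForwardAgent && exts["permit-agent-forwarding"] { // assumed extension name
		bad = append(bad, "permit-agent-forwarding")
	}
	if !o.PortForwarding && exts["permit-port-forwarding"] {
		bad = append(bad, "permit-port-forwarding")
	}
	return bad
}

// sampleStatus is the issue's tsh status output, abridged to three lines.
const sampleStatus = "> Profile URL:  https://example.gravitational.co:3080\n" +
	"  Roles:        clusteradmin*\n" +
	"  Extensions:   permit-port-forwarding, permit-pty\n"

func main() {
	// RoleOptions{} means forward_agent: false and port_forwarding: false, as in the role.
	found := unexpectedExtensions(RoleOptions{}, parseExtensions(sampleStatus))
	fmt.Println("extensions contradicting the role:", found)
}
```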
