Document, fix and re-introduce where rules for access_requests and events #4749

Closed
klizhentas opened this issue Nov 8, 2020 · 2 comments
Labels: rbac (Issues related to Role Based Access Control), sales-onboarding (Issues related to prospects)

klizhentas (Contributor) commented Nov 8, 2020

Feature Request

Teleport's RBAC rules' where filters let developers limit the scope of roles based on the user's identity and resource tags.
From Gravity's documentation:

The role developers uses the special property user.spec.traits, which contains the user's OIDC claims or SAML attribute statements after the user has successfully logged into Gravity Hub.

```yaml
kind: role
version: v3
metadata:
  name: developers
spec:
  allow:
    logins:
    - developers
    namespaces:
    - default
    kubernetes_groups:
    - admin
    rules:
    - resources:
      - role
      verbs:
      - read
    - resources:
      - app
      verbs:
      - list
    - resources:
      - cluster
      verbs:
      - connect
      - read
      where: contains(user.spec.traits["roles"], resource.metadata.labels["team"])
```

We should document this feature and enable it for many of Teleport's use cases:

Limiting the scope of approvals

#3559 and #4309

Allow users to approve access requests for their team, except the ones they created themselves:

```yaml
kind: role
version: v3
metadata:
  name: access_request_grantor
spec:
  allow:
    rules:
    - resources:
      - access_request
      verbs: [list, read, update]
      where: contains(user.spec.traits["roles"], resource.metadata.spec.annotations["team"])

  # deny approval of access requests created by yourself
  deny:
    rules:
    - resources:
      - access_request
      verbs: [update]
      where: equals(user.metadata.name, resource.metadata.spec.requested_by)
```

Limiting the scope of the events

#924

Let users view their own events

```yaml
kind: role
version: v3
metadata:
  name: access_request_grantor
spec:
  allow:
    rules:
    - resources:
      - event
      verbs: [list, read]
      where: contains(user.spec.traits["roles"], resource.metadata.spec.user)

  # deny approval of access requests created by yourself
  deny:
    rules:
    - resources:
      - access_request
      verbs: [list, read, update]
      where: equals(user.metadata.name, resource.metadata.spec.requested_by)
```
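The two where clauses in the access_request_grantor role above (team scoping via contains, self-approval exclusion via equals) are easy to get subtly wrong, so here is a small Go evaluator that applies them the way a role engine does: deny rules are checked first and win, otherwise some allow rule must match. This is an added example written for this page, not Teleport's predicate implementation or its types; the User and AccessRequest structs, the set of field paths it understands (user.metadata.name, user.spec.traits[...], resource.metadata.spec.requested_by, resource.metadata.spec.annotations[...]), the list-valued contains semantics, and the alice/bob sample data are all assumptions. It fails closed: a predicate it cannot parse, or that names a field it does not know (for instance resource.metadata.labels from the Gravity snippet, which an access request does not carry here), never matches. Extending resolve with resource.metadata.spec.user would make it serve the events example the same way.

```go
package main

import (
	"fmt"
	"strings"
)

// User and AccessRequest are shapes assumed for this example; they carry only the fields the where clauses use.
type User struct {
	Name   string
	Traits map[string][]string // OIDC claims / SAML attributes such as "roles"
}

type AccessRequest struct {
	RequestedBy string
	Annotations map[string][]string
}

type Rule struct {
	Verbs []string // every rule in this example covers the access_request resource
	Where string   // predicate expression; required here, so a missing one fails closed
}

type Role struct{ Allow, Deny []Rule }

func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// resolve maps a field path from the issue to a value list; unknown paths are errors.
func resolve(u User, r AccessRequest, path string) ([]string, error) {
	const traits, annots = `user.spec.traits["`, `resource.metadata.spec.annotations["`
	switch {
	case path == "user.metadata.name":
		return []string{u.Name}, nil
	case path == "resource.metadata.spec.requested_by":
		return []string{r.RequestedBy}, nil
	case strings.HasPrefix(path, traits) && strings.HasSuffix(path, `"]`):
		return u.Traits[path[len(traits):len(path)-2]], nil
	case strings.HasPrefix(path, annots) && strings.HasSuffix(path, `"]`):
		return r.Annotations[path[len(annots):len(path)-2]], nil
	}
	return nil, fmt.Errorf("unknown field %q", path)
}

// Eval evaluates one where clause of the form fn(a, b); anything it cannot parse or resolve is an error, never a match.
func Eval(expr string, u User, r AccessRequest) (bool, error) {
	expr = strings.TrimSpace(expr)
	open := strings.IndexByte(expr, '(')
	args := strings.Split(strings.TrimSuffix(expr[open+1:], ")"), ",")
	if open <= 0 || !strings.HasSuffix(expr, ")") || len(args) != 2 {
		return false, fmt.Errorf("malformed predicate %q", expr)
	}
	left, errL := resolve(u, r, strings.TrimSpace(args[0]))
	right, errR := resolve(u, r, strings.TrimSpace(args[1]))
	if errL != nil || errR != nil {
		return false, fmt.Errorf("%q: unresolvable field", expr)
	}
	switch expr[:open] {
	case "equals":
		return len(left) == 1 && len(right) == 1 && left[0] == right[0], nil
	case "contains": // some right-hand value is an element of the left-hand list
		for _, x := range right {
			if has(left, x) {
				return true, nil
			}
		}
		return false, nil
	}
	return false, fmt.Errorf("unknown function %q", expr[:open])
}

// Allowed applies Teleport's ordering: a matching deny rule always wins, otherwise some allow rule must match.
func Allowed(role Role, u User, req AccessRequest, verb string) bool {
	matchAny := func(rules []Rule) bool {
		for _, r := range rules {
			if ok, err := Eval(r.Where, u, req); err == nil && ok && has(r.Verbs, verb) {
				return true
			}
		}
		return false
	}
	return !matchAny(role.Deny) && matchAny(role.Allow)
}

// Grantor is the access_request_grantor role from the issue, with its where clauses verbatim.
var Grantor = Role{
	Allow: []Rule{{Verbs: []string{"list", "read", "update"}, Where: `contains(user.spec.traits["roles"], resource.metadata.spec.annotations["team"])`}},
	Deny:  []Rule{{Verbs: []string{"update"}, Where: `equals(user.metadata.name, resource.metadata.spec.requested_by)`}},
}

func main() {
	alice := User{Name: "alice", Traits: map[string][]string{"roles": {"dev"}}} // constructed sample: alice is on team dev
	dev := map[string][]string{"team": {"dev"}}
	fmt.Println(Allowed(Grantor, alice, AccessRequest{"bob", dev}, "update"), Allowed(Grantor, alice, AccessRequest{"alice", dev}, "update")) // true false
}
```

Note that the deny rule only names the update verb, so alice can still list and read her own request; the allow rule's contains check is what keeps requests annotated for another team out of her view entirely.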
klizhentas (Contributor, Author) commented

@fspmarshall I think we might not need an approve verb, because it is redundant with the where scope and verb for the access_request resource.

@klizhentas klizhentas added the rbac Issues related to Role Based Access Control label Nov 8, 2020
@klizhentas klizhentas added this to the 5.1 "San Diego" milestone Nov 8, 2020
@jon-can jon-can added sales-onboarding Issues related to prospects R1 labels Dec 7, 2020
fspmarshall (Contributor) commented

rfd/0014 will cover this use case.
