Check if resource request is possible before attempting#13586
Merged
Check if resource request is possible before attempting#13586
Conversation
github-actions
bot
added
the
tsh
strideynet
approved these changes
Jun 16, 2022
nklaassen
force-pushed
the
nklaassen/ssh-request-fix
branch
from
c580cd6 to
709a37e
Compare
espadolini
approved these changes
Jun 17, 2022
Contributor
|
@nklaassen See the table below for backport results.
|
nklaassen
added a commit
that referenced
this pull request
Jun 17, 2022
nklaassen
added a commit
that referenced
this pull request
Jun 17, 2022
Closed
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently if a user attempts
tsh ssh user1@node1where they are allowed tolistnode1but not login withuser1,tshwill attempt to create a resource access request for it even if the user is not allowed to create any resource requests (no configuredsearch_as_roles). This is a regression caused by #13326.The change here is to attempt to populate and validate the request on the server side, without actually creating the request by setting a
dry_runflag. If there is any error, fail immediately with the original SSH error and do not prompt the user for a request reason or attempt to create an access request.The server side validation is better than anything we can do client side because it actually has access to all roles, including roles the user does not currently have but could potentially request.
Another improvement with this change,
tsh ssh user1@node1will never prompt the user to create an access request if the user is not able to request access tonode1with loginuser1but could with another login (the current check does not consider logins until after prompting the user and attempting to create the request).The validation is slightly less smart if the requested node is in a leaf cluster - auth doesn't know about the leaf roles that will be mapped, but will still return an error if the user has no
search_as_rolesconfigured OR cannot list the node, so this will still be an improvement.Before this change:
After this change: