diff --git a/docs/pages/access-controls/guides/moderated-sessions.mdx b/docs/pages/access-controls/guides/moderated-sessions.mdx index c7816032a9c78..0de4ef3118123 100644 --- a/docs/pages/access-controls/guides/moderated-sessions.mdx +++ b/docs/pages/access-controls/guides/moderated-sessions.mdx @@ -70,13 +70,16 @@ The policy below specifies that the `prod-access` role must have a minimum of two users with the role `auditor` and the mode `moderator` present in the session to start it. The policy applies to SSH and Kubernetes sessions only. -When a user with this require policy starts a session, it will be pending until -the policy is fulfilled. +This policy requires that at least one user with the `auditor` role is present +as a moderator for SSH or Kubernetes sessions to start. That is applied for +servers and Kubernetes resources labeled `env: prod`. The session will not start +until the policy is fulfilled. ```yaml kind: role metadata: name: prod-access +version: v6 spec: allow: require_session_join: @@ -84,7 +87,22 @@ spec: filter: 'contains(user.spec.roles, "auditor")' kinds: ['k8s', 'ssh'] modes: ['moderator'] - count: 2 + count: 1 + logins: + - ubuntu + - debian + node_labels: + env: prod + kubernetes_labels: + env: prod + kubernetes_groups: + - prod-access + kubernetes_users: + - USER + kubernetes_resources: + - kind: pod + name: '*' + namespace: '*' ``` #### Combining Policies 
@@ -104,7 +122,12 @@ The following are required options for `join_sessions`: |`kinds`|`[]`[Session kind](#session-kinds)|The kind of session that the policy applies to| |`modes`|`[]`[Participant mode](#participant-modes)|The participant mode that applies to the user joining the session under this policy| -#### Example + +Joining from the UI is available for SSH sessions. Kubernetes sessions can only be joined from the CLI. + + + +#### Example Moderator Role The following allow policy attaches to the role `auditor` and allows one to join SSH and Kubernetes sessions started by a user with the role `prod-access` @@ -114,6 +137,7 @@ as a moderator or observer. kind: role metadata: name: auditor +version: v6 spec: allow: join_sessions: 
@@ -123,6 +147,44 @@ spec: modes: ['moderator', 'observer'] ``` +#### Joining sessions example + +Here is an example of Jeff with role `prod-access` connecting to +a SSH server in the production environment. + +```code +$ tsh ssh ubuntu@prod.teleport.example.com +Teleport > Creating session with ID: 46e2af03-62d6-4e07-a886-43fe741ca044... +Teleport > Controls + - CTRL-C: Leave the session + - t: Forcefully terminate the session (moderators only) +Teleport > User jeff joined the session. +Teleport > Waiting for required participants... +``` + +Jeff's session is paused, waiting for the required observers. + +Now Alice with the `auditor` role joins as a moderator and +the session can begin. + +```code +$ tsh join --mode=moderator 46e2af03-62d6-4e07-a886-43fe741ca044 +Teleport > Creating session with ID: 46e2af03-62d6-4e07-a886-43fe741ca044... +Teleport > Controls + - CTRL-C: Leave the session + - t: Forcefully terminate the session (moderators only) +Teleport > User jeff joined the session. +Teleport > Waiting for required participants... +Teleport > User alice joined the session. +Teleport > Connecting to prod.teleport.example.com over SSH + +ubuntu@prod.teleport.example.com % +``` + +Here is an example of joining from the UI that is available for server sessions. + +![Join Server Session from UI](../../../img/webui-active-session.png) + ### Filters Filter expressions allow for more detailed control over the scope of an allow
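Review bot: In the first hunk (`@@ -70,13 +70,16 @@`), the unchanged context sentence "The policy below specifies that the `prod-access` role must have a minimum of two users with the role `auditor`" now contradicts both the new paragraph ("at least one user") and the YAML change from `count: 2` to `count: 1`; rewrite that sentence or drop it, since the added paragraph already states the requirement. In the same hunk, `kubernetes_users: - USER` reads like an unfilled placeholder rather than a realistic value; substitute an example username or whatever template variable the docs use elsewhere. The added `kubernetes_resources` entry with `name: '*'` and `namespace: '*'` makes `prod-access` cover every pod in every namespace, which is fine for an illustration but deserves one sentence in the prose saying the scope is deliberately broad. Minor wording: "That is applied for servers and Kubernetes resources labeled `env: prod`" would read better as "The policy applies to servers and Kubernetes resources labeled `env: prod`".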
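Review bot: In the second hunk (`@@ -104,7 +122,12 @@`), the added sentence "Joining from the UI is available for SSH sessions. Kubernetes sessions can only be joined from the CLI." is padded with three blank lines above and three below; collapse them to a single blank line on each side so the `join_sessions` table, the note and the `#### Example Moderator Role` heading stay visually attached. The same UI/CLI constraint is restated in the last hunk ("joining from the UI that is available for server sessions"); stating it once here and linking the screenshot to it avoids the two wordings drifting apart.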
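Review bot: In the last hunk (`@@ -123,6 +147,44 @@`), "Jeff's session is paused, waiting for the required observers." contradicts the `prod-access` policy, whose `require_session_join` entry lists `modes: ['moderator']`; it should say "waiting for the required moderators", which also matches the `tsh join --mode=moderator` command that follows. Also "connecting to a SSH server" should be "an SSH server". The example login `ubuntu@prod.teleport.example.com` does line up with the `logins` list added in the first hunk, so the two examples are consistent there.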