Windows user creation #24780
@zmb3 @timothyb89 @gabrielcorado friendly ping
| Log: log, | ||
| GenerateUserCert: func(ctx context.Context, username string, ttl time.Duration) (certDER, keyDER []byte, err error) { | ||
| return s.generateUserCert(ctx, username, ttl, desktop) | ||
| return s.generateUserCert(ctx, username, ttl, desktop, createUsers, groups) |
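Review bot: in this hunk `createUsers` and `groups` are captured by the `GenerateUserCert` closure from the enclosing scope while `username` is a parameter, so the groups written into the certificate are fixed before the login is known; consider deriving them inside the closure from `username` (or documenting that they are label-scoped only), otherwise a login such as SystemAdmin inherits groups that were granted alongside a different login.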
I could be mistaken, but my understanding is that a role that allows for creating users looks like

```yaml
kind: "role"
version: "v5"
metadata:
  name: "example"
spec:
  options:
    create_desktop_user: true
  allow:
    desktop_groups: [ "reader", "writer", "{{external.desktop_groups}}" ]
    windows_desktop_logins: ['DBAdmin']
    windows_desktop_labels:
      'env': ['staging', 'test']
```

and that such a role would only allow a user to create the DBAdmin user with the given desktop_groups on nodes with the labels env: staging or env: test. However, afaict, the certificate created here won't restrict the system to only creating the DBAdmin user in those groups -- for example, a user might have another role like

```yaml
kind: "role"
version: "v5"
metadata:
  name: "another-example"
spec:
  options:
    create_desktop_user: true
  allow:
    desktop_groups: [ "reader" ]
    windows_desktop_logins: ['SystemAdmin']
    windows_desktop_labels:
      'env': ['staging', 'test']
```

In that case, the user's intention would be to only allow SystemAdmin to be created and given the reader group on env: staging/test nodes, however `groups, err := authCtx.Checker.DesktopGroups(desktop)` would result in `groups = ["reader", "writer", "{{external.desktop_groups}}"]` and `createUsers` would be true. In which case if the user were logging in as SystemAdmin, that user would be created and then added to all of `["reader", "writer", "{{external.desktop_groups}}"]`.
Yes, this is how it would work. This behavior matches what we have in server access: login is not considered there when gathering groups, only node labels, host_groups and create_host_user.
Gotcha. I see that as an error-prone API design and think we should reconsider making it "role-bound", but that is beyond the scope here.
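To make the group-gathering behaviour discussed in this thread concrete, here is an added Go example (not Teleport's code) built on a constructed, simplified role model: `LabelScopedGroups` reproduces the label-only union described above, where every role matching the desktop's labels contributes its groups whatever login is used, and `LoginBoundGroups` shows the role-bound alternative, where a role only contributes if it also allows the requested login. The `Role` fields, both function names and the label-matching rule are assumptions of this example.

```go
package main
// Constructed, simplified model of the role fields from the thread; not Teleport's own types.
type Role struct {
	CreateDesktopUser bool
	DesktopGroups     []string
	DesktopLogins     []string
	DesktopLabels     map[string][]string // label key -> allowed values
}
func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}
// matchesLabels: every label selector on the role must match the desktop's labels.
func matchesLabels(r Role, desktop map[string]string) bool {
	for k, allowed := range r.DesktopLabels {
		if v, ok := desktop[k]; !ok || !contains(allowed, v) {
			return false
		}
	}
	return true
}
// collect unions CreateDesktopUser and DesktopGroups over the roles that pass keep.
func collect(roles []Role, keep func(Role) bool) (bool, []string) {
	create, groups := false, []string{}
	for _, r := range roles {
		if keep(r) {
			create = create || r.CreateDesktopUser
			for _, g := range r.DesktopGroups {
				if !contains(groups, g) {
					groups = append(groups, g)
				}
			}
		}
	}
	return create, groups
}

// LabelScopedGroups: the thread's behaviour, every label-matching role contributes, whatever the login.
func LabelScopedGroups(roles []Role, desktop map[string]string) (bool, []string) {
	return collect(roles, func(r Role) bool { return matchesLabels(r, desktop) })
}

// LoginBoundGroups: the "role-bound" alternative, only roles that also allow the login contribute.
func LoginBoundGroups(roles []Role, desktop map[string]string, login string) (bool, []string) {
	return collect(roles, func(r Role) bool { return matchesLabels(r, desktop) && contains(r.DesktopLogins, login) })
}
```

With the two roles from the thread on an env: staging desktop, the label-scoped version hands SystemAdmin all three of DBAdmin's groups, while the login-bound version hands it only reader.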
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
…n' into probakowski/windows_user_creation
| deny: {} | ||
| options: | ||
| cert_format: "" | ||
| create_desktop_user: null |
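Review bot: `create_desktop_user: null` in this rendered role output means an unset boolean serialises as null rather than false, next to `cert_format: ""` which does get a zero value; if null is meant to behave as false, consider `omitempty` on the field or a note in the role reference stating the three-state semantics, so operators diffing role YAML know what the null means.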
Can we add an omitempty so this doesn't happen? It's odd for a boolean to also be able to be null.
All our booleans are nullable so it follows the convention here
@probakowski See the table below for backport results.
* Windows auto user creation
* changes in role
* fix roles
* make grpc
* fix imports
* fix test
* fix test
* fix test
* fix test
* fix test
* windows labels
* rename OID, add json tags
* params to struct
* grpc
* Update lib/services/role.go
  Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* Update lib/services/access_checker.go
  Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* grpc
* bump e
* only add extension when we create user

---------

Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* Windows user creation (#24780)
  * Windows auto user creation
  * changes in role
  * fix roles
  * make grpc
  * fix imports
  * fix test
  * fix test
  * fix test
  * fix test
  * fix test
  * windows labels
  * rename OID, add json tags
  * params to struct
  * grpc
  * Update lib/services/role.go
    Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
  * Update lib/services/access_checker.go
    Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
  * grpc
  * bump e
  * only add extension when we create user

  ---------

  Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* grpc

---------

Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* Windows auto user creation
* changes in role
* fix roles
* make grpc
* fix imports
* fix test
* fix test
* fix test
* fix test
* fix test
* windows labels
* rename OID, add json tags
* params to struct
* grpc
* Update lib/services/role.go
* Update lib/services/access_checker.go
* grpc
* bump e
* only add extension when we create user

---------

Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
This change adds automatic user creation for non-AD Windows desktops. It also bumps the `e` reference.