From 41a6a9547a1e38383ccaf25cad9453c9e6fd8aa0 Mon Sep 17 00:00:00 2001
From: Steven Martin
Date: Sat, 22 Apr 2023 16:48:32 -0400
Subject: [PATCH 1/5] docs: fix claims to roles description in access controls reference
---
 docs/pages/includes/role-spec.mdx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
index df5a4d3024ee4..506ee68347478 100644
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@@ -209,7 +209,9 @@ spec:
 # the `claims_to_roles` mapping works the same as it does in
 # the OIDC connector, with the added benefit that the roles being mapped to
 # can also be matchers. the below mapping says that users with
- # the claims `groups: admins` can request any role in the system.
+ # claims that match to `projects: project-(.*)` can request
+ # roles that match with '$1-admin' with the first match group.
+ # Example: `projects: project-foo` claim allows requesting `foo-admin` role
 claims_to_roles:
 - claim: 'projects'
 # matches all group names with a leading 'product-'
From 18d31401106402b1ea6895ac72c9e15c3ee44ffb Mon Sep 17 00:00:00 2001
From: Steven Martin
Date: Sat, 22 Apr 2023 20:15:42 -0400
Subject: [PATCH 2/5] docs: update description
---
 docs/pages/includes/role-spec.mdx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
index 506ee68347478..806286cf1b778 100644
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@@ -208,8 +208,9 @@ spec:
 # the `claims_to_roles` mapping works the same as it does in
 # the OIDC connector, with the added benefit that the roles being mapped to
- # can also be matchers. the below mapping says that users with
- # claims that match to `projects: project-(.*)` can request
+ # can also be matchers. this example leverages Teleport's regular expression
+ # support that allows for dynamic mapping from claims. the below mapping
+ # says that users with claims that match with `projects: project-(.*)` can request
 # roles that match with '$1-admin' with the first match group.
 # Example: `projects: project-foo` claim allows requesting `foo-admin` role
 claims_to_roles:
From 8a2b6aed7c1c7eaff691026c66b4a1d1e9763281 Mon Sep 17 00:00:00 2001
From: Steven Martin
Date: Mon, 24 Apr 2023 15:04:53 -0700
Subject: [PATCH 3/5] verbiage update
Co-authored-by: Paul Gottschling
---
 docs/pages/includes/role-spec.mdx | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
index 806286cf1b778..5a859c4b928f1 100644
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@@ -208,10 +208,13 @@ spec:
 # the `claims_to_roles` mapping works the same as it does in
 # the OIDC connector, with the added benefit that the roles being mapped to
- # can also be matchers. this example leverages Teleport's regular expression
- # support that allows for dynamic mapping from claims. the below mapping
- # says that users with claims that match with `projects: project-(.*)` can request
- # roles that match with '$1-admin' with the first match group.
+ # can also be matchers.
+ #
+ # This example leverages Teleport's regular expression support, which allows
+ # for dynamic mapping from claims. The below mapping says that users with
+ # claims that match "projects: project-(.*)" can request roles that match
+ # "$1-admin", where "$1" is the first capture group in the
+ # regular expression.
 # Example: `projects: project-foo` claim allows requesting `foo-admin` role
 claims_to_roles:
 - claim: 'projects'
From be5a86828f14ebeaf327cd4c7fc0010e5bf87e4b Mon Sep 17 00:00:00 2001
From: Steven Martin
Date: Tue, 25 Apr 2023 09:15:30 -0700
Subject: [PATCH 4/5] Update docs/pages/includes/role-spec.mdx
Co-authored-by: Paul Gottschling
---
 docs/pages/includes/role-spec.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
index 5a859c4b928f1..d75cb0e4fd546 100644
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@@ -215,7 +215,8 @@ spec:
 # claims that match "projects: project-(.*)" can request roles that match
 # "$1-admin", where "$1" is the first capture group in the
 # regular expression.
- # Example: `projects: project-foo` claim allows requesting `foo-admin` role
+ # Example: the "projects: project-foo" claim allows a user to request the
+ # "foo-admin" role
 claims_to_roles:
 - claim: 'projects'
 # matches all group names with a leading 'product-'
From deed306f2a5c6faff749a3f944fcb368950e9d92 Mon Sep 17 00:00:00 2001
From: Steven Martin
Date: Wed, 3 May 2023 12:59:42 -0400
Subject: [PATCH 5/5] correct example
---
 docs/pages/includes/role-spec.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
index d75cb0e4fd546..36477e8694e9a 100644
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@@ -215,7 +215,7 @@ spec:
 # claims that match "projects: project-(.*)" can request roles that match
 # "$1-admin", where "$1" is the first capture group in the
 # regular expression.
- # Example: the "projects: project-foo" claim allows a user to request the
+ # Example: the "projects: product-foo" claim allows a user to request the
 # "foo-admin" role
 claims_to_roles:
 - claim: 'projects'