From 923b8553c4d16e53f4773faaef2531aa34e64dab Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Fri, 5 May 2023 07:57:21 -0400 Subject: [PATCH 1/6] docs: document and logic for labels --- docs/pages/access-controls/reference.mdx | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx index 719f521383507..22b86ac6776d6 100644 --- a/docs/pages/access-controls/reference.mdx +++ b/docs/pages/access-controls/reference.mdx @@ -151,8 +151,8 @@ Label | `v3`, `v4` and `v5` Default | `v6` Default ## RBAC for hosts -A Teleport role can also define which hosts (nodes) a user can have access to. -This works by [labeling nodes](../management/admin/labels.mdx) and listing +A Teleport role defines which resources (applications, servers, databases,...) a user can have access to. +This works by [labeling resources](../management/admin/labels.mdx) and listing allow/deny labels in a role definition. Consider the following use case: 
@@ -186,16 +186,25 @@ spec: 'workload': ['database', 'backup'] ``` +Setting multiple entries under labels works as "and" logic to match to all entries. +As an example this entry would match to databases that have `env: prod` label and +`region` label `us-west-1` or `eu-central-1`. +```yaml + db_labels: + 'env': 'prod' + 'region': ['us-west-1', 'eu-central-1'] +``` + - Node labels can be dynamic, i.e. determined at runtime by an output of an executable. In this case, you can implement "permissions follow workload" + Resource labels can be dynamic, i.e. determined at runtime by an output of an executable. In this case, you can implement "permissions follow workload" policies (eg., any server where PostgreSQL is running becomes *automatically* accessible only by the members of the "DBA" group and nobody else). -### Extended Node labels syntax +### Extended Resource labels syntax Below are a few examples for more complex filtering using various regexes. From a02410ce1adf32cb570836fc9423589e35b2dbab Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Fri, 5 May 2023 07:59:47 -0400 Subject: [PATCH 2/6] update header --- docs/pages/access-controls/reference.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx index 22b86ac6776d6..78f790fdf84af 100644 --- a/docs/pages/access-controls/reference.mdx +++ b/docs/pages/access-controls/reference.mdx @@ -149,7 +149,7 @@ Label | `v3`, `v4` and `v5` Default | `v6` Default ------------------ | -------------- | --------------- `kubernetes_resources` | `[{"kind":"pod", "name":"*", "namespace":"*"}]` | `[]` -## RBAC for hosts +## RBAC for resources A Teleport role defines which resources (applications, servers, databases,...) a user can have access to. This works by [labeling resources](../management/admin/labels.mdx) and listing From 635712118a33ffe74e6f22834c6f5dc6a3ef7d4c Mon Sep 17 00:00:00 2001 
From: Steven Martin Date: Fri, 5 May 2023 10:03:39 -0400 Subject: [PATCH 3/6] verbiage update Co-authored-by: Zac Bergquist --- docs/pages/access-controls/reference.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx index 78f790fdf84af..75ca14f333f94 100644 --- a/docs/pages/access-controls/reference.mdx +++ b/docs/pages/access-controls/reference.mdx @@ -186,7 +186,7 @@ spec: 'workload': ['database', 'backup'] ``` -Setting multiple entries under labels works as "and" logic to match to all entries. +Multiple label entries are treated as logical "AND" operations. As an example this entry would match to databases that have `env: prod` label and `region` label `us-west-1` or `eu-central-1`. ```yaml From f567f19be2fca02575eee495f11f8dc8abb7bc6b Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Fri, 5 May 2023 10:03:50 -0400 Subject: [PATCH 4/6] verbiage update Co-authored-by: Zac Bergquist --- docs/pages/access-controls/reference.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx index 75ca14f333f94..81291bb8d54cf 100644 --- a/docs/pages/access-controls/reference.mdx +++ b/docs/pages/access-controls/reference.mdx @@ -204,7 +204,7 @@ As an example this entry would match to databases that have `env: prod` label an accessible only by the members of the "DBA" group and nobody else). -### Extended Resource labels syntax +### Extende labels syntax Below are a few examples for more complex filtering using various regexes. From fd506e03ded6873479920e26fdfb872552f7dcba Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Fri, 5 May 2023 10:07:18 -0400 Subject: [PATCH 5/6] fix spelling --- docs/pages/access-controls/reference.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx index 81291bb8d54cf..cff6f3e3ef2da 100644 --- a/docs/pages/access-controls/reference.mdx +++ b/docs/pages/access-controls/reference.mdx @@ -204,7 +204,7 @@ As an example this entry would match to databases that have `env: prod` label an accessible only by the members of the "DBA" group and nobody else). -### Extende labels syntax +### Extended labels syntax Below are a few examples for more complex filtering using various regexes. From cac79c9e79d99231e66c3c344469e0d38497ecbf Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Fri, 5 May 2023 11:14:36 -0400 Subject: [PATCH 6/6] verbiage update Co-authored-by: Paul Gottschling --- docs/pages/access-controls/reference.mdx | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx index cff6f3e3ef2da..d964719196681 100644 --- a/docs/pages/access-controls/reference.mdx +++ b/docs/pages/access-controls/reference.mdx @@ -151,7 +151,7 @@ Label | `v3`, `v4` and `v5` Default | `v6` Default ## RBAC for resources -A Teleport role defines which resources (applications, servers, databases,...) a user can have access to. +A Teleport role defines which resources (e.g., applications, servers, and databases) a user can have access to. This works by [labeling resources](../management/admin/labels.mdx) and listing allow/deny labels in a role definition. 
@@ -186,9 +186,10 @@ spec: 'workload': ['database', 'backup'] ``` -Multiple label entries are treated as logical "AND" operations. -As an example this entry would match to databases that have `env: prod` label and -`region` label `us-west-1` or `eu-central-1`. +Teleport handles multiple label entries with logical "AND" operations. +As an example this entry would match to databases that have the `env: prod` label and a +`region` label of either `us-west-1` or `eu-central-1`: + ```yaml db_labels: 'env': 'prod'
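Review bot: the final wording of the labels hunk (`+Teleport handles multiple label entries with logical "AND" operations.`) states the AND between keys but leaves the OR within a list value implicit, even though the `region` example depends on it; spell out both rules, for instance "Every label key listed must match (AND); a key whose value is a list matches if any one of the listed values matches (OR)", so a reader does not assume a list also means "all of". Two smaller points in the same hunk: "would match to databases" should read "would match databases", and the `db_labels:` fragment is shown without its enclosing `allow:` (or `deny:`) key although the surrounding prose distinguishes allow and deny labels, so either show `allow:` above `db_labels:` or say in the sentence which section the fragment belongs to.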
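Review bot: patch 4/6 introduces the heading typo `+### Extende labels syntax` and patch 5/6 immediately reverts it to `+### Extended labels syntax`; likewise patch 1/6 changes the body text to "resources" while leaving `## RBAC for hosts` in place until patch 2/6 renames it. Squash the six commits into one before merge so the history carries neither the typo nor the half-renamed heading, and replace the generic subjects "verbiage update" / "update header" with one descriptive subject such as "docs: clarify AND semantics of role label matching".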