From 9196aa88bae6e55113c44f57df0b29fc39adec1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?= Date: Wed, 21 Jun 2023 11:13:54 +0200 Subject: [PATCH 1/2] permission-warning.mdx: Advise NOT TO give access,editor to users --- docs/pages/includes/permission-warning.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/pages/includes/permission-warning.mdx b/docs/pages/includes/permission-warning.mdx index ab9fb6b934fa9..4fe69514a3c5f 100644 --- a/docs/pages/includes/permission-warning.mdx +++ b/docs/pages/includes/permission-warning.mdx @@ -12,7 +12,8 @@ numbered < `1024` (e.g. `443`). - Follow the "Principle of Least Privilege" (PoLP). Don't give users permissive roles when giving them more restrictive roles will do instead. - For example, assign users the built-in `access,editor` roles. + For example, don't assign users the built-in `access,editor` roles which give + them permissions to access and edit all cluster resources. - When joining a Teleport resource service (e.g., the Database Service or Application Service) to a cluster, save the invitation token to a file. Otherwise, the token will be visible when examining the `teleport` command From eaa306cec52577d510c078822f9622bb1ceb9766 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?= Date: Thu, 22 Jun 2023 12:13:52 +0200 Subject: [PATCH 2/2] Give users an alternative rather than indicating what not to do Co-authored-by: Paul Gottschling --- docs/pages/includes/permission-warning.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/pages/includes/permission-warning.mdx b/docs/pages/includes/permission-warning.mdx index 4fe69514a3c5f..f3c08a4b3a586 100644 --- a/docs/pages/includes/permission-warning.mdx +++ b/docs/pages/includes/permission-warning.mdx 
@@ -12,8 +12,10 @@ numbered < `1024` (e.g. `443`). - Follow the "Principle of Least Privilege" (PoLP). Don't give users permissive roles when giving them more restrictive roles will do instead. - For example, don't assign users the built-in `access,editor` roles which give - them permissions to access and edit all cluster resources. + For example, don't assign users the built-in `access,editor` roles, which give + them permissions to access and edit all cluster resources. Instead, define + RBAC roles with the minimum required permissions for each user and configure + Access Requests for elevated permissions. - When joining a Teleport resource service (e.g., the Database Service or Application Service) to a cluster, save the invitation token to a file. Otherwise, the token will be visible when examining the `teleport` command
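Review bot: (PATCH 1/2, the `permission-warning.mdx` hunk) The replacement line `+ For example, don't assign users the built-in \`access,editor\` roles which give` swaps the old positive example for a prohibition only, so the reader is told what to avoid but not what to do instead; a warning that follows "Don't give users permissive roles when giving them more restrictive roles will do instead" should name the restrictive alternative. The clause "which give them permissions to access and edit all cluster resources" is also non-restrictive and wants a comma after `roles`. Both points are picked up by PATCH 2/2 in this series, so they need no separate fix if the two commits are squashed, but the first commit should not be merged on its own.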
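Review bot: (PATCH 2/2, the `permission-warning.mdx` hunk) The new sentence `+ RBAC roles with the minimum required permissions for each user and configure` reads as if a role should be defined per user, which is the opposite of the scalable pattern; suggest "define RBAC roles scoped to the minimum permissions each job function needs and assign users to those roles" so the role is the unit of least privilege rather than the user. The follow-on `+ Access Requests for elevated permissions.` would be more useful to a reader of a shared include if it said what Access Requests buy them (time-limited, approved elevation instead of standing membership in `access,editor`) and linked to the RBAC and Access Requests pages rather than leaving both terms unexplained in an include that is rendered on many guide pages.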