[v13] Get accessInfo based on user on access request drop #31136
Merged
ravicious merged 1 commit into branch/v13 from Aug 29, 2023
That's how it used to be before user login state was introduced.

When dropping a resource access request, we want to restore certs back to the state before the access request was assumed, so that the user access is not limited only to select resources. In the past, this was done by calculating accessInfo from a plain user object. This approach had the side effect of refreshing the role list of the user based on the current backend state without the need to provide credentials again. Teleport Connect used this side effect to make the setup of Connect My Computer interaction-free.

Theoretically, it'd be beneficial for `tsh request drop` to use login state rather than the current backend state, as it'd make it impossible to "escalate" privileges by refreshing the list of roles without authenticating again. However, this breaks the setup of Connect My Computer as it expects GenerateUserCerts to return a role list based on a current user role list. This commit reverts that change.

An alternative would be to change Connect My Computer setup to require a one-time relogin midway through.
Tener approved these changes Aug 29, 2023
mdwn approved these changes Aug 29, 2023
strideynet approved these changes Aug 29, 2023
zmb3 approved these changes Aug 29, 2023
Backport #31068.
Changelog:
`tsh request drop` behavior was restored to pre-v13.3.5 state where after dropping an access request, the role list will be based on the current role list of the user on the backend, not on the login state (as introduced in #30628).

The backport doesn't include the integration test because the test was for a feature that's not included in v13.