12 changes: 6 additions & 6 deletions docs/pages/access-controls/reference.mdx
Expand Up @@ -435,18 +435,18 @@ metadata:
spec:
allow:
rules:
# Teleport allows shared session access by default, so for our restrictions
# to work we first allow access to ssh_sessions...
- resources: [ssh_session]
# Teleport allows session access to the user's sessions
# and sessions they can join by default. This allows seeing any sessions.
- resources: [session_tracker]
verbs: ['*']
deny:
rules:
# ... and then limit that access via a deny rule.
# Deny rules take precedence over allow rules, so the resulting role allows
# users to create SSH sessions but to only view their own sessions.
- resources: [ssh_session]
- resources: [session_tracker]
verbs: [list, read, update, delete]
where: '!contains(ssh_session.participants, user.metadata.name)'
where: '!contains(session_tracker.participants, user.metadata.name)'
```

## Second Factor - U2F
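Review bot: the deny-rule comment in this hunk still says the role lets users "create SSH sessions but to only view their own sessions", yet the resource it now applies to is `session_tracker`, which the role-spec change in this same PR describes as "an active session" of any kind rather than SSH only; suggest generalizing the comment, e.g. "users to create sessions but only view sessions they participate in". The new allow-rule comment "This allows seeing any sessions." also reads awkwardly directly above a deny rule that exists to restrict exactly that; "Without the deny rule below, this would allow seeing any session." would make the intent clearer. Finally, the `ssh_session` allow rule is removed from the example here, while the role-spec hunk in this PR says `ssh_session` is still what "allows seeing active sessions page"; if that is accurate, a user copying this example loses that page, so either keep the `ssh_session` allow rule or adjust the role-spec comment.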
Expand All @@ -462,7 +462,7 @@ Here is an explanation of the fields used in the `where` and `filter` conditions
| -------------------------- | ------------------------------------------------- |
| `user.spec.roles` | The list of roles assigned to a user |
| `session.participants` | The list of participants from a session recording |
| `ssh_session.participants` | The list of participants from an SSH session |
| `session_tracker.participants` | The list of participants from an SSH session |
| `user.metadata.name` | The user's name |

Check out our [predicate language](../reference/predicate-language.mdx#scoping-allowdeny-rules-in-role-resources)
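Review bot: the description cell for the renamed `session_tracker.participants` row still reads "The list of participants from an SSH session", which contradicts the role-spec hunk in this PR that describes `session_tracker` as "an active session" (not SSH-specific); suggest "The list of participants from an active session". Minor style point: the new identifier is wider than the column, so the pipes no longer align with the header separator row; re-pad the table so the column stays aligned.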
4 changes: 3 additions & 1 deletion docs/pages/includes/role-spec.mdx
Expand Up @@ -392,7 +392,9 @@ spec:
# access_plugin_data - allows modifying Access Request plugin data
#
# session - session playback records
# ssh_session - an active SSH session
# session_tracker - an active session
# ssh_session - allows seeing active sessions page
# instance - a Teleport instance
# event - structured audit logging event
#
#
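Review bot: the two added comment lines leave the relationship between `session_tracker` and `ssh_session` unclear: "allows seeing active sessions page" does not say which page (web UI or `tsh`) or whether `ssh_session` is now needed only for that page while `session_tracker` governs the sessions themselves. Suggest spelling that out, e.g. "# session_tracker - an active session (any protocol)" and "# ssh_session - required to view the Active Sessions page; does not grant access to individual sessions". This also needs to be reconciled with the reference.mdx hunk in the same PR, which drops `ssh_session` from the example role's allow rules entirely; either that example should keep `ssh_session` or this comment should state that it is no longer required.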