docs: join_sessions overrides the deny rule for sessions a user is allowed …#32991

Merged
lsgunn-teleport merged 1 commit into master from LG/join-sessions-policy-overrides-deny-list
Oct 9, 2023

Contributor

lsgunn-teleport commented Oct 4, 2023

…to join
Content change based on https://github.com/gravitational/teleport.e/issues/1359:

Role configuration gotchas
(possibly a note on this page: https://goteleport.com/docs/access-controls/reference/ or https://goteleport.com/docs/access-controls/guides/moderated-sessions/)
join_sessions has a special condition within our RBAC. Although in general deny statements take precedence, when a user is provided the allow for join_sessions the account will be implicitly able to also list sessions. This is a nuanced exception where the allow will override an explicit denial for listing sessions.

When this list / deny issue is resolved, #32420 must also be updated.
Replaces #32357
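
Added example (not part of this PR or of Teleport's code): a small audit that, given every role one user holds, reports where a `join_sessions` allow sits beside a deny rule on listing sessions, since per the note above that deny does not hide sessions the user may join. Roles are plain dicts shaped like role YAML; the sample roles, their names, and the `SESSION_KINDS` set of resource kinds are assumptions, because the page does not name the resource.

```python
# Added example: roles are plain dicts shaped like Teleport role YAML.
# Assumption: resource kinds treated as "sessions" in deny rules.
SESSION_KINDS = {"session", "ssh_session", "*"}

def denies_session_list(role, kinds=SESSION_KINDS):
    """True if a deny rule in this role covers `list` on a session kind."""
    deny = (role.get("spec") or {}).get("deny") or {}
    for rule in deny.get("rules") or []:
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        if resources & kinds and verbs & {"list", "*"}:
            return True
    return False

def audit_role_set(roles):
    """Flag join_sessions allows that sit beside a session-list deny.

    `roles` is every role one user holds: the allow and the deny can live in
    different roles, and the deny does not hide sessions the user may join.
    """
    denying = [r["metadata"]["name"] for r in roles if denies_session_list(r)]
    findings = []
    for role in roles if denying else []:
        allow = (role.get("spec") or {}).get("allow") or {}
        for policy in allow.get("join_sessions") or []:
            findings.append({
                "join_role": role["metadata"]["name"],
                "policy": policy.get("name", "<unnamed>"),
                "still_listable_for": policy.get("roles", []),
                "overridden_deny_in": denying,
            })
    return findings

# Constructed sample roles; all names are hypothetical.
AUDITOR = {"metadata": {"name": "auditor"}, "spec": {"allow": {"join_sessions": [
    {"name": "observe-prod", "roles": ["prod-access"],
     "kinds": ["ssh"], "modes": ["observer"]}]}}}
NO_LIST = {"metadata": {"name": "no-session-list"}, "spec": {"deny": {"rules": [
    {"resources": ["ssh_session"], "verbs": ["list", "read"]}]}}}

if __name__ == "__main__":
    for finding in audit_role_set([AUDITOR, NO_LIST]):
        print(finding)
```

A finding means the deny rule should not be relied on to keep those sessions out of the user's session list; narrowing the `join_sessions` policy itself is what limits visibility.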

Collaborator

zmb3 commented Oct 4, 2023

Looks great, thanks for your patience while we figured this one out.

Contributor

github-actions Bot commented Oct 4, 2023

🤖 Vercel preview here: https://docs-1oh2f7is2-goteleport.vercel.app/docs/ver/14.x

Contributor

github-actions Bot commented Oct 4, 2023

🤖 Vercel preview here: https://docs-653l673n1-goteleport.vercel.app/docs/ver/14.x

Contributor

ptgott commented Oct 5, 2023

@lsgunn-teleport Added backport labels just in case. Feel free to remove any that don't apply!

lsgunn-teleport added this pull request to the merge queue Oct 9, 2023
Merged via the queue into master with commit 45e9733 Oct 9, 2023
lsgunn-teleport deleted the LG/join-sessions-policy-overrides-deny-list branch October 9, 2023 17:54
@public-teleport-github-review-bot

@lsgunn-teleport See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v12 | Failed |
| branch/v13 | Create PR |
| branch/v14 | Create PR |
