Allow user locks to affect access list membership. #34354
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
zmb3
left a comment
This handles the case where the user lock exists when you run IsAccessListMember, but what about if the lock is added after the fact? Usually we use some sort of watcher to detect that.
The watcher is in https://github.com/gravitational/teleport.e/pull/2605, which will need to be expanded to look after locks once this is implemented.
I'd consider changing the title of this too. When I first read it, I thought you were going to allow locking an access list (a la |
Code looks fine to me. Generally when I review the frontend changes I'm only able to use Storybook. Do I need a special license to run access lists locally or can I just set up my cluster with some new rules/whatever? My admin doesn't seem to have privileges to create anything.
It should just require an enterprise license.
Access list membership will now be impacted by active user locks. If a user is locked, they will not be considered a part of an access list. This, in turn, will be used for things like Okta assignments to ensure that Okta access can be rescinded while a lock is active.
435ef67 to dc3aab5
changelog: Access lists now respect user locking.
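
Added example, not code from this PR or from Teleport: a minimal Go model of the rule in the description (a locked user is not counted as a member) and of the gap raised in review, where a lock created after a grant only takes effect once something re-evaluates membership. The `Lock`, `AccessList`, `IsMember` and `Reconcile` names and fields are hypothetical, and the sample users are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Lock is a hypothetical, simplified user lock; a zero Expires never expires.
type Lock struct {
	User    string
	Expires time.Time
}

// AccessList is a hypothetical list plus the downstream grants derived from it.
type AccessList struct {
	Members map[string]bool
	Granted map[string]bool // e.g. assignments pushed to an external system
}

// IsMember treats a listed user with an active lock as a non-member.
func (a *AccessList) IsMember(user string, locks []Lock, now time.Time) bool {
	if !a.Members[user] {
		return false
	}
	for _, l := range locks {
		if l.User == user && (l.Expires.IsZero() || now.Before(l.Expires)) {
			return false
		}
	}
	return true
}

// Reconcile re-checks every member on a lock event and counts revoked grants.
func (a *AccessList) Reconcile(locks []Lock, now time.Time) int {
	revoked := 0
	for user := range a.Members {
		ok := a.IsMember(user, locks, now)
		if a.Granted[user] && !ok {
			revoked++
		}
		a.Granted[user] = ok
	}
	return revoked
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed sample data
	al := &AccessList{Members: map[string]bool{"alice": true, "bob": true}, Granted: map[string]bool{}}
	// Initial sync revokes nothing; the lock on bob arrives afterwards.
	fmt.Println(al.Reconcile(nil, now), al.Reconcile([]Lock{{User: "bob"}}, now))
}
```

Without the second `Reconcile` call, `Granted["bob"]` stays true even though `IsMember` already returns false for bob, which is the stale state a lock watcher is meant to close.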