From b29bfa36b5beccae3c56af93ba4b4a196fe291d8 Mon Sep 17 00:00:00 2001 From: EdwardDowling Date: Fri, 8 Dec 2023 12:41:51 +0000 Subject: [PATCH 1/8] Add docs for future assume time on access requests --- .../access-requests/access-request-configuration.mdx | 8 ++++++++ docs/pages/reference/cli/tsh.mdx | 2 ++ 2 files changed, 10 insertions(+) diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index 84a34cc8df2bf..658a317720c36 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx @@ -189,6 +189,14 @@ privileges: earlier, whichever is shorter. Otherwise, set the duration of elevated privileges to the session TTL. +### Setting when the elevated privileges can be assumed + +When creating or reviewing access requests the earliest time the elevated privileges +can be set using the `--assume-start-time` flag. This flag is available for the +[`tsh request create`](../../reference/cli/tsh.mdx#tsh-request-create) and [`tsh request +review`](../../reference/cli/tsh.mdx#tsh-request-review) commands. The format accepted +is RFC3339 e.g `2023-12-12T23:20:50.52Z` + ### The `request.max_duration` field The `max_duration` option indicates the maximum length of time that a user is diff --git a/docs/pages/reference/cli/tsh.mdx b/docs/pages/reference/cli/tsh.mdx index 0efcbc3cffa4b..5576ddbd997e9 100644 --- a/docs/pages/reference/cli/tsh.mdx +++ b/docs/pages/reference/cli/tsh.mdx 
@@ -1077,6 +1077,7 @@ $ tsh request create [] | `--request-ttl` | 1 hour | Relative duration like `5s`, `2m`, or `3h`, | Defines how long the Access Request will be in a `PENDING` state before becoming invalid | | `--session-ttl` | Time left on current session | Relative duration like `5s`, `2m`, or `3h` | Defines how long the elevated session will be valid for | | `--max-duration` | none | Relative duration like `5s`, `2m`, `3h`, or `7d` | Defines the maximum duration of the elevated session up to 7 days. The assigned role also must have `max_duration` option specified (optional) | +| `--assume-start-time` | none | String | Sets time roles can be assumed by requestor (RFC3339) | The `--request-ttl` and `--session-ttl` values can not be greater than the @@ -1140,6 +1141,7 @@ $ tsh request review [] | `--approve` | `false` | `true` or `false` | Review proposes approval | | `--deny` | `false` | `true` or `false` | Review proposes denial | | `--reason` | none | String | Review reason message | +| `--assume-start-time` | none | String | Sets time roles can be assumed by requestor (RFC3339) | ### Arguments From fd1aa366c4220901dafc58a8cfcb7379780a5a76 Mon Sep 17 00:00:00 2001 From: Edward Dowling Date: Mon, 11 Dec 2023 17:30:50 +0000 Subject: [PATCH 2/8] Update docs/pages/access-controls/access-requests/access-request-configuration.mdx Co-authored-by: Zac Bergquist --- .../access-requests/access-request-configuration.mdx | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index 658a317720c36..173a0a1cdfb30 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx 
@@ -191,8 +191,9 @@ privileges: ### Setting when the elevated privileges can be assumed -When creating or reviewing access requests the earliest time the elevated privileges -can be set using the `--assume-start-time` flag. This flag is available for the +When creating or reviewing access requests, you can specify the earliest time +at which the elevated privileges can be assumed using the `--assume-start-time` +flag. This flag is available for the [`tsh request create`](../../reference/cli/tsh.mdx#tsh-request-create) and [`tsh request review`](../../reference/cli/tsh.mdx#tsh-request-review) commands. The format accepted is RFC3339 e.g `2023-12-12T23:20:50.52Z` From e801fc9183960a9d8a41429f2f08c696a1f74b71 Mon Sep 17 00:00:00 2001 From: Edward Dowling Date: Thu, 14 Dec 2023 12:36:40 +0000 Subject: [PATCH 3/8] Update docs/pages/access-controls/access-requests/access-request-configuration.mdx Co-authored-by: Paul Gottschling --- .../access-requests/access-request-configuration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index 173a0a1cdfb30..a3682bfe766ef 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx @@ -189,7 +189,7 @@ privileges: earlier, whichever is shorter. Otherwise, set the duration of elevated privileges to the session TTL. -### Setting when the elevated privileges can be assumed +### Setting when users can assume elevated privileges When creating or reviewing access requests, you can specify the earliest time at which the elevated privileges can be assumed using the `--assume-start-time` From 30454bb079543344114524a7c507f6c3d3a31081 Mon Sep 17 00:00:00 2001 
From: Edward Dowling Date: Thu, 14 Dec 2023 12:36:52 +0000 Subject: [PATCH 4/8] Update docs/pages/access-controls/access-requests/access-request-configuration.mdx Co-authored-by: Paul Gottschling --- .../access-requests/access-request-configuration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index a3682bfe766ef..ce323bbd373c7 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx @@ -192,7 +192,7 @@ privileges: ### Setting when users can assume elevated privileges When creating or reviewing access requests, you can specify the earliest time -at which the elevated privileges can be assumed using the `--assume-start-time` +that a user can assume elevated privileges by using the `--assume-start-time` flag. This flag is available for the [`tsh request create`](../../reference/cli/tsh.mdx#tsh-request-create) and [`tsh request review`](../../reference/cli/tsh.mdx#tsh-request-review) commands. The format accepted From 39c3e2f57238fec00b12e09fc2ad3fddfd571e30 Mon Sep 17 00:00:00 2001 From: Edward Dowling Date: Thu, 14 Dec 2023 12:37:02 +0000 Subject: [PATCH 5/8] Update docs/pages/access-controls/access-requests/access-request-configuration.mdx Co-authored-by: Paul Gottschling --- .../access-requests/access-request-configuration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index ce323bbd373c7..21ec4e3c081b1 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx 
@@ -191,7 +191,7 @@ privileges: ### Setting when users can assume elevated privileges -When creating or reviewing access requests, you can specify the earliest time +When creating or reviewing Access Requests, you can specify the earliest time that a user can assume elevated privileges by using the `--assume-start-time` flag. This flag is available for the [`tsh request create`](../../reference/cli/tsh.mdx#tsh-request-create) and [`tsh request From 12ba438a68e2a012f8d33356c472c697e448a72a Mon Sep 17 00:00:00 2001 From: EdwardDowling Date: Thu, 14 Dec 2023 12:39:35 +0000 Subject: [PATCH 6/8] Add link to RFC339 to access request doc --- .../access-requests/access-request-configuration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index 21ec4e3c081b1..05c78ce360b1b 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx @@ -196,7 +196,7 @@ that a user can assume elevated privileges by using the `--assume-start-time` flag. This flag is available for the [`tsh request create`](../../reference/cli/tsh.mdx#tsh-request-create) and [`tsh request review`](../../reference/cli/tsh.mdx#tsh-request-review) commands. The format accepted -is RFC3339 e.g `2023-12-12T23:20:50.52Z` +is defined in [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339), e.g, `2023-12-12T23:20:50.52Z`. ### The `request.max_duration` field From 69b920654809ac2f7f92f28060317a3d18634483 Mon Sep 17 00:00:00 2001 From: EdwardDowling Date: Mon, 8 Jan 2024 14:53:18 +0000 Subject: [PATCH 7/8] Add more info to future assumne time on access requests --- .../access-requests/access-request-configuration.mdx | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index 05c78ce360b1b..14139e522f8be 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx @@ -197,6 +197,11 @@ flag. This flag is available for the [`tsh request create`](../../reference/cli/tsh.mdx#tsh-request-create) and [`tsh request review`](../../reference/cli/tsh.mdx#tsh-request-review) commands. The format accepted is defined in [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339), e.g, `2023-12-12T23:20:50.52Z`. +The time specified must be in the future. + +Reviewers can override this time when approving an Access Request. +In the event of multiple reviewers specifying an earliest time the most recent +override will be chosen. ### The `request.max_duration` field From d6107c409711ee8ce6688e22f2fc170740a240ce Mon Sep 17 00:00:00 2001 From: EdwardDowling Date: Tue, 9 Jan 2024 10:42:53 +0000 Subject: [PATCH 8/8] Reword future assume role for access requests docs --- .../access-requests/access-request-configuration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/access-controls/access-requests/access-request-configuration.mdx b/docs/pages/access-controls/access-requests/access-request-configuration.mdx index 14139e522f8be..e3d124c574aa9 100644 --- a/docs/pages/access-controls/access-requests/access-request-configuration.mdx +++ b/docs/pages/access-controls/access-requests/access-request-configuration.mdx 
@@ -200,7 +200,7 @@ is defined in [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339), e.g, `2 The time specified must be in the future. Reviewers can override this time when approving an Access Request. -In the event of multiple reviewers specifying an earliest time the most recent +If multiple reviewers override the start time, the most recent override will be chosen. ### The `request.max_duration` field
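Review bot: In the `tsh request create` flags table (PATCH 1/8, `docs/pages/reference/cli/tsh.mdx`, hunk at -1077), the new `--assume-start-time` row gives its allowed value only as `String`, while the rows above it spell out the accepted form ("Relative duration like `5s`, `2m`, or `3h`"). Suggest putting the format and an example in that column, such as "RFC 3339 timestamp like `2023-12-12T23:20:50.52Z`", and expanding the description to a full phrase, for instance "Earliest time at which the requester can assume the requested roles". The rule added in PATCH 7/8 that the time must be in the future belongs in this row as well, since the table is where the flag gets looked up.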
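Review bot: The `--assume-start-time` row added to the `tsh request review` table (PATCH 1/8, `docs/pages/reference/cli/tsh.mdx`, hunk at -1140) repeats the `tsh request create` description word for word, so it does not say that a reviewer's value replaces what the requester asked for. PATCH 7/8 documents that override in access-request-configuration.mdx ("Reviewers can override this time when approving an Access Request"); the reference row should say so too, for example "Overrides the earliest time at which the requester can assume the roles (RFC 3339)", so an approver reading only the CLI reference knows the flag changes when access begins.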
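Review bot: The replacement line in PATCH 6/8 reads "e.g, `2023-12-12T23:20:50.52Z`" with the second period of the abbreviation missing; it should be "e.g.," or "for example,". The commit subject also says RFC339 where the body links RFC 3339. While touching this sentence, consider stating whether the flag accepts a numeric UTC offset as well as the `Z` form shown, since RFC 3339 allows both and the single example does not settle it.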
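Review bot: "The time specified must be in the future." (PATCH 7/8) does not say what happens when it is not, or how the start time relates to the duration rules that sit directly above this section. Suggest stating whether a past time is rejected when the request is created or reviewed, and whether the session TTL and `max_duration` window is counted from approval or from the assume start time. Without that, a reader cannot tell whether a delayed start shortens the period of elevated access or shifts it.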
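Review bot: "the most recent override will be chosen" in the reworded sentence (PATCH 8/8) can still be read two ways: the override from the review submitted last, or the override carrying the latest timestamp. Since this decides when elevated privileges become usable, the sentence should name which one applies, for example "the start time from the most recently submitted review is used" if that is the behaviour. It would also help to say whether a reviewer may set a start time earlier than the one the requester specified.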