Merged
Conversation
hugoShaka
approved these changes
Jan 24, 2024
Contributor
|
Looks like there might be a few tests that need their |
zmb3
approved these changes
Jan 24, 2024
public-teleport-github-review-bot
Bot
removed request for
gzdunek and
rosstimothy
Joerger
added a commit
that referenced
this pull request
Jan 24, 2024
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 24, 2024
* Allow webauthnResponse to be passed into API requests; Prompt for MFA before creating a user in the WebUI. * Skip MFA check if webauthn is not configured. * Add getWebauthnResponseForAdminAction helper function. * Remove unused admin action name. * Fix lint. * Check for specific error. * Address comments. * Relax admin action mfa enforcement expectation, in line with #37136.
Joerger
added a commit
that referenced
this pull request
Jan 24, 2024
* Allow webauthnResponse to be passed into API requests; Prompt for MFA before creating a user in the WebUI. * Skip MFA check if webauthn is not configured. * Add getWebauthnResponseForAdminAction helper function. * Remove unused admin action name. * Fix lint. * Check for specific error. * Address comments. * Relax admin action mfa enforcement expectation, in line with #37136.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 24, 2024
* Allow webauthnResponse to be passed into API requests; Prompt for MFA before creating a user in the WebUI. * Skip MFA check if webauthn is not configured. * Add getWebauthnResponseForAdminAction helper function. * Remove unused admin action name. * Fix lint. * Check for specific error. * Address comments. * Relax admin action mfa enforcement expectation, in line with #37136.
Joerger
added a commit
that referenced
this pull request
Jan 25, 2024
* Only enforce admin MFA when webauthn is required. * Add TELEPORT_UNSTABLE_DISABLE_MFA_ADMIN_ACTIONS env flag for an emergency escape hatch. * Fix TestAdminActionMFA unit tests.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Relax Admin Action MFA enforcement to only apply to clusters with
second_factor: webauthn, where we can be 100% positive that all potential users have a WebAuthn key registered. This avoids issues where WebAuthn is configured, but some users only have otp devices registered, which is in some cases a default setup.Additionally, this PR adds an escape hatch to disable admin action MFA -
TELEPORT_UNSTABLE_DISABLE_MFA_ADMIN_ACTIONS. This may be used by users who have existing integrations not yet making use of Machine ID, or in cases where an uncommon/untested flow is broken by the admin action MFA enforcement. This flag will likely be removed at a later date once Admin Action MFA enforcement is in a more stable position.Changelog: MFA is enforced for admin actions on clusters where WebAuthn is required. This applies to adding users, adding trusted devices, reviewing access requests, among many others. You can set TELEPORT_UNSTABLE_DISABLE_MFA_ADMIN_ACTIONS=yes environment variable on Teleport auth to temporarily disable MFA enforcement for admin actions. The environment variable will be removed in Teleport 16.