[v15] Update Admin Action MFA enforcement #37199

Merged
Joerger merged 1 commit into branch/v15 from joerger/v15/refactor-admin-mfa-requirement
Jan 25, 2024

Conversation

Joerger commented Jan 24, 2024

Backport #37136 to branch/v15

Depends on #37198

Changelog: MFA is enforced for admin actions on clusters where WebAuthn is required. This applies to adding users, adding trusted devices, reviewing access requests, among many others. You can set the TELEPORT_UNSTABLE_DISABLE_MFA_ADMIN_ACTIONS=yes environment variable on Teleport auth to temporarily disable MFA enforcement for admin actions. The environment variable will be removed in Teleport 16.

Joerger added the no-changelog label Jan 24, 2024
github-actions bot added the size/sm and tctl labels Jan 24, 2024
github-actions bot requested review from Tener and kimlisa January 24, 2024 20:46
Joerger removed the no-changelog label Jan 24, 2024
Joerger force-pushed the joerger/v15/reuse-mfa-tctl-users-add branch from daa3bf3 to ee3d97d January 24, 2024 22:21
Joerger force-pushed the joerger/v15/refactor-admin-mfa-requirement branch from 1552df9 to dfc168d January 24, 2024 22:22
Joerger force-pushed the joerger/v15/refactor-admin-mfa-requirement branch from dfc168d to 26429ab January 24, 2024 23:48
Joerger changed the base branch from joerger/v15/reuse-mfa-tctl-users-add to branch/v15 January 24, 2024 23:48
Joerger enabled auto-merge January 24, 2024 23:51

* Only enforce admin MFA when webauthn is required.

* Add TELEPORT_UNSTABLE_DISABLE_MFA_ADMIN_ACTIONS env flag for an emergency escape hatch.

* Fix TestAdminActionMFA unit tests.

Joerger force-pushed the joerger/v15/refactor-admin-mfa-requirement branch from 26429ab to 7563b78 January 25, 2024 00:59
Joerger added this pull request to the merge queue Jan 25, 2024
Merged via the queue into branch/v15 with commit 8e4e2e3 Jan 25, 2024
Joerger deleted the joerger/v15/refactor-admin-mfa-requirement branch January 25, 2024 01:47