Display available allowed logins for leaf resources in root web ui#39579
Merged
rosstimothy merged 1 commit intomasterfrom Mar 25, 2024
Merged
Display available allowed logins for leaf resources in root web ui#39579rosstimothy merged 1 commit intomasterfrom
rosstimothy merged 1 commit intomasterfrom
Conversation
rosstimothy
force-pushed
the
tross/web_ui_logins
branch
3 times, most recently
from
acbf6b9 to
16ef6f5
Compare
The Proxy web api now requests that Auth include allowed logins per resource instead of guessing logins per resource based on the information it has cached. However, due to the way SSH sessions are authorized, the logins are not provide to users verbatim. Any sessions created via the root web ui to a leaf resource will use the SSH certificate created for that user in the root cluster. New certificates are not minted per leaf cluster. This is important because the nodes only allow os logins for a session if they are present in the valid prinicpals of the SSH certificate. So even though we are now capabale of displaying all allowed logins for leaf SSH servers in the root web ui, the user is only able to use a subset of them. To avoid any odd UX, the Proxy will filter out any allowed logins which do not exist in the principals of the root SSH certificate. The above only holds for SSH, windows desktops are not as strict and any allowed login from a leaf cluster is now visible in the root web ui. Fixes #5041
rosstimothy
force-pushed
the
tross/web_ui_logins
branch
from
16ef6f5 to
f9a8cbf
Compare
Contributor
Author
fspmarshall
approved these changes
Mar 25, 2024
gabrielcorado
approved these changes
Mar 25, 2024
rosstimothy
added a commit
that referenced
this pull request
Mar 27, 2024
…39579) The Proxy web api now requests that Auth include allowed logins per resource instead of guessing logins per resource based on the information it has cached. However, due to the way SSH sessions are authorized, the logins are not provide to users verbatim. Any sessions created via the root web ui to a leaf resource will use the SSH certificate created for that user in the root cluster. New certificates are not minted per leaf cluster. This is important because the nodes only allow os logins for a session if they are present in the valid prinicpals of the SSH certificate. So even though we are now capabale of displaying all allowed logins for leaf SSH servers in the root web ui, the user is only able to use a subset of them. To avoid any odd UX, the Proxy will filter out any allowed logins which do not exist in the principals of the root SSH certificate. The above only holds for SSH, windows desktops are not as strict and any allowed login from a leaf cluster is now visible in the root web ui. Fixes #5041
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 27, 2024
…39887) * Enrich resources with additional metadata (#38827) Updates ListResources and ListUnifiedResources to optionally allow responses to include the allowed logins per returned resource that requesting user has access to given there roles. Logins are only currently populated for SSH and WindowsDesktop resources. The new types.EnrichedResource was added to facilitate transporting the underlying resource and the additional user specific information to consumers. * Display available allowed logins for leaf resources in root web ui (#39579) The Proxy web api now requests that Auth include allowed logins per resource instead of guessing logins per resource based on the information it has cached. However, due to the way SSH sessions are authorized, the logins are not provide to users verbatim. Any sessions created via the root web ui to a leaf resource will use the SSH certificate created for that user in the root cluster. New certificates are not minted per leaf cluster. This is important because the nodes only allow os logins for a session if they are present in the valid prinicpals of the SSH certificate. So even though we are now capabale of displaying all allowed logins for leaf SSH servers in the root web ui, the user is only able to use a subset of them. To avoid any odd UX, the Proxy will filter out any allowed logins which do not exist in the principals of the root SSH certificate. The above only holds for SSH, windows desktops are not as strict and any allowed login from a leaf cluster is now visible in the root web ui. Fixes #5041
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Proxy web api now requests that Auth include allowed logins per resource instead of guessing logins per resource based on the information it has cached. However, due to the way SSH sessions are authorized, the logins are not provide to users verbatim.
Any sessions created via the root web ui to a leaf resource will use the SSH certificate created for that user in the root cluster. New certificates are not minted per leaf cluster. This is important because the nodes only allow os logins for a session if they are present in the valid prinicpals of the SSH certificate. So even though we are now capabale of displaying all allowed logins for leaf SSH servers in the root web ui, the user is only able to use a subset of them. To avoid any odd UX, the Proxy will filter out any allowed logins which do not exist in the principals of the root SSH certificate.
The above only holds for SSH, windows desktops are not as strict and any allowed login from a leaf cluster is now visible in the root web ui.
Fixes #5041
Changelog: Correctly display available allowed logins of leaf resources in the root cluster web ui