[v15] Display allowed logins for leaf resources in the root web ui #39887
Merged
rosstimothy merged 2 commits into branch/v15 from Mar 27, 2024
zmb3
approved these changes
Mar 27, 2024
avatus
approved these changes
Mar 27, 2024
Updates ListResources and ListUnifiedResources to optionally allow responses to include the allowed logins per returned resource that the requesting user has access to given their roles. Logins are only currently populated for SSH and WindowsDesktop resources. The new types.EnrichedResource was added to facilitate transporting the underlying resource and the additional user-specific information to consumers.
…39579)

The Proxy web api now requests that Auth include allowed logins per resource instead of guessing logins per resource based on the information it has cached. However, due to the way SSH sessions are authorized, the logins are not provided to users verbatim. Any sessions created via the root web ui to a leaf resource will use the SSH certificate created for that user in the root cluster. New certificates are not minted per leaf cluster. This is important because the nodes only allow OS logins for a session if they are present in the valid principals of the SSH certificate. So even though we are now capable of displaying all allowed logins for leaf SSH servers in the root web ui, the user is only able to use a subset of them. To avoid any odd UX, the Proxy will filter out any allowed logins which do not exist in the principals of the root SSH certificate.

The above only holds for SSH; Windows desktops are not as strict and any allowed login from a leaf cluster is now visible in the root web ui.

Fixes #5041
e4338cb to 5d17988
Backports #38827 and #39579 to branch/v15
Changelog: Correctly show the user's allowed logins when accessing leaf resources via the root cluster web ui
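Added example, not code from this PR or from Teleport: a sketch of the filtering the second commit message describes, where SSH logins absent from the principals of the root-issued certificate are dropped and Windows desktop logins pass through. The `resource` type, the kind constants, `displayLogins` and the sample data are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical kind names for this example; not Teleport's identifiers.
const (
	kindNode    = "node"
	kindDesktop = "windows_desktop"
)

// resource stands in for a listed resource plus the allowed logins that
// Auth returned for the requesting user.
type resource struct {
	Name, Kind string
	Logins     []string
}

// displayLogins returns the logins the UI should offer for r. SSH logins
// are kept only if they are valid principals of the user's root-issued
// certificate, since the node rejects any other OS login. Desktop logins
// are passed through unchanged. Duplicates are removed and output is sorted.
func displayLogins(r resource, certPrincipals []string) []string {
	valid := make(map[string]bool, len(certPrincipals))
	for _, p := range certPrincipals {
		valid[p] = true
	}
	seen := make(map[string]bool)
	out := []string{}
	for _, l := range r.Logins {
		if seen[l] || (r.Kind == kindNode && !valid[l]) {
			continue
		}
		seen[l] = true
		out = append(out, l)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data.
	principals := []string{"alice", "ubuntu"}
	leafNode := resource{"leaf-node-1", kindNode, []string{"ubuntu", "root", "ubuntu"}}
	leafDesktop := resource{"leaf-win-1", kindDesktop, []string{"Administrator", "alice"}}
	fmt.Println(displayLogins(leafNode, principals))    // [ubuntu]
	fmt.Println(displayLogins(leafDesktop, principals)) // [Administrator alice]
}
```

A login shown in the UI but missing from the certificate would only fail at session start, which is why the display list is derived from the certificate rather than from the leaf's role mapping alone.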