Initialize access monitoring service #54000
Are we OK putting this feature in Teleport OSS? I am absolutely in favor of doing so, this makes development and testing easier, but we might want to check with product before.
@bernardjkim This should be an enterprise feature and require Identity Governance. If some of the code is in OSS, that should be fine, but the core auto-approval services should not run unless you run enterprise with IG enabled.
    if err != nil {
        return trace.Wrap(err)
    }
    process.RegisterFunc("auth.access_monitoring_service", func() error {
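Review bot: the function registered under "auth.access_monitoring_service" is started right after the `if err != nil { return trace.Wrap(err) }` check with no licence gate visible in this hunk; the thread asks that the auto-review service only run under enterprise with Identity Governance enabled, so either that check lives in the omitted surrounding lines or a feature check should precede this `process.RegisterFunc` call.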
What's going to happen for hosted plugins? We currently run hosted plugins in teleport.e's plugin manager, and this looks a lot like a plugin but runs as an auth service. I'd like to understand the goal: what should run where, and what's the criteria. My main concern is the increasing number of different ways of running things in teleport.
This service should be functionally the same as a hosted plugin for access reviews. We were originally thinking about implementing it as a hosted plugin, but it made more sense to implement it as an auth service. The hosted plugins will continue to be managed by teleport.e's plugin manager.
I'm not sure if it'll work out as I'm planning, but once we're done with the initial implementation of automatic reviews, I'd like to reimplement the hosted plugins using this new AccessMonitor. This will replace the App that we use for plugins. And hopefully, we can eventually unify the different implementations we have of the App.
This doesn't need to happen in this PR, but could we add a few metrics for the service covering at least:
Does it make sense to call this the "access monitoring service"? Is this related to the access monitoring feature we already have (with the Athena audit log), or is it a completely different thing?
I'll be working on access request metrics after this PR. I'll make sure to include these.
Ah, this is not related to Athena audit logs. This service implements automatic reviews of Access Requests using Access Monitoring Rules. How about
Service initialization moved into teleport.e https://github.com/gravitational/teleport.e/pull/6371.
Supports: #51682
RFD: #51979
Requires: #53769
Changelog: Teleport now supports automatic reviews of access requests
This PR initializes and runs the new internal access monitoring service. This service runs as part of the Auth Service, and it is responsible for monitoring and automatically reviewing access requests.
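To make concrete what "automatically reviewing access requests using Access Monitoring Rules" means in practice, here is an added, self-contained Go example; it is not Teleport's code and does not use Teleport's APIs. The `Features`, `Rule`, `AccessRequest` and `Review` types, the rule-matching semantics (all requested roles must be covered, an optional trait must match, first matching rule wins) and the sample rules and requests are all constructed assumptions. It also shows the gating the review thread asks for: the service refuses to start unless enterprise and Identity Governance are both enabled, and a request that no rule matches is left to a human reviewer rather than approved by default.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrFeatureDisabled: the service must not start without enterprise + Identity
// Governance, as requested in the review thread (feature names are assumed).
var ErrFeatureDisabled = errors.New("access monitoring: requires enterprise with Identity Governance enabled")

// Features is an assumed, minimal stand-in for a licence/feature check.
type Features struct {
	Enterprise         bool
	IdentityGovernance bool
}

// AccessRequest is a constructed, simplified shape of an access request.
type AccessRequest struct {
	ID     string
	User   string
	Roles  []string
	Traits map[string][]string
	State  string // "PENDING", "APPROVED" or "DENIED"
}

// Review is the automatic review the service proposes for one request.
type Review struct {
	RequestID string
	Author    string
	Decision  string // "APPROVED" or "DENIED"
	Reason    string
}

// Rule is a constructed stand-in for an Access Monitoring Rule: it matches when
// every requested role is in AllowedRoles and, if TraitKey is set, the requester
// carries TraitValue under that trait. Rules are checked in order; first match wins.
type Rule struct {
	Name         string
	AllowedRoles []string
	TraitKey     string
	TraitValue   string
	Decision     string
}

// Matches reports whether the rule applies to req.
func (r Rule) Matches(req AccessRequest) bool {
	allowed := make(map[string]bool, len(r.AllowedRoles))
	for _, role := range r.AllowedRoles {
		allowed[role] = true
	}
	for _, role := range req.Roles {
		if !allowed[role] {
			return false
		}
	}
	if r.TraitKey == "" {
		return true
	}
	for _, v := range req.Traits[r.TraitKey] {
		if v == r.TraitValue {
			return true
		}
	}
	return false
}

// Service evaluates pending requests against its rules.
type Service struct {
	rules  []Rule
	author string
}

// NewService refuses to start without the required features and rejects rules
// with an unknown decision, so a typo in a rule cannot silently approve anything.
func NewService(f Features, rules []Rule) (*Service, error) {
	if !f.Enterprise || !f.IdentityGovernance {
		return nil, ErrFeatureDisabled
	}
	for _, r := range rules {
		if r.Decision != "APPROVED" && r.Decision != "DENIED" {
			return nil, fmt.Errorf("rule %q: invalid decision %q", r.Name, r.Decision)
		}
	}
	return &Service{rules: rules, author: "@access-monitoring"}, nil
}

// Evaluate returns the review proposed by the first matching rule, or nil when the
// request is not pending, asks for no roles, or no rule matches (left to a human).
func (s *Service) Evaluate(req AccessRequest) *Review {
	if req.State != "PENDING" || len(req.Roles) == 0 {
		return nil
	}
	for _, r := range s.rules {
		if r.Matches(req) {
			return &Review{RequestID: req.ID, Author: s.author, Decision: r.Decision, Reason: "matched rule " + r.Name}
		}
	}
	return nil
}

// ProcessPending runs Evaluate over a batch, as a polling loop or watcher would.
func (s *Service) ProcessPending(reqs []AccessRequest) []Review {
	var out []Review
	for _, req := range reqs {
		if rv := s.Evaluate(req); rv != nil {
			out = append(out, *rv)
		}
	}
	return out
}

// SampleRules and SampleRequests are constructed inputs, not real cluster data.
func SampleRules() []Rule {
	return []Rule{
		{Name: "deny-prod-admin-for-contractors", AllowedRoles: []string{"prod-admin"}, TraitKey: "employment", TraitValue: "contractor", Decision: "DENIED"},
		{Name: "approve-readonly-for-oncall", AllowedRoles: []string{"db-readonly", "logs-viewer"}, TraitKey: "team", TraitValue: "oncall", Decision: "APPROVED"},
	}
}

func SampleRequests() []AccessRequest {
	return []AccessRequest{
		{ID: "req-1", User: "alice", Roles: []string{"db-readonly"}, Traits: map[string][]string{"team": {"oncall"}}, State: "PENDING"},
		{ID: "req-2", User: "bob", Roles: []string{"prod-admin"}, Traits: map[string][]string{"employment": {"contractor"}}, State: "PENDING"},
		{ID: "req-3", User: "carol", Roles: []string{"prod-admin"}, Traits: map[string][]string{"employment": {"employee"}}, State: "PENDING"},
		{ID: "req-4", User: "dave", Roles: []string{"db-readonly"}, Traits: map[string][]string{"team": {"oncall"}}, State: "APPROVED"},
	}
}

func main() {
	if _, err := NewService(Features{Enterprise: false}, SampleRules()); err != nil {
		fmt.Println("OSS build:", err) // service does not start
	}
	svc, err := NewService(Features{Enterprise: true, IdentityGovernance: true}, SampleRules())
	if err != nil {
		panic(err)
	}
	for _, rv := range svc.ProcessPending(SampleRequests()) {
		fmt.Printf("%s -> %s by %s (%s)\n", rv.RequestID, rv.Decision, rv.Author, rv.Reason)
	}
}
```

With the sample data, req-1 is approved by the on-call rule, req-2 is denied by the contractor rule, req-3 (an employee asking for prod-admin) matches nothing and stays pending for a human, and req-4 is skipped because it is no longer pending. The deny rule is listed first on purpose: with first-match semantics, ordering is part of the policy, and a reviewer of real rules should check it the same way.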