MCP access part 2: new role options, access checker, role editor#54734
Merged
MCP access part 2: new role options, access checker, role editor#54734
Conversation
greedy52
added
the
no-changelog
greedy52
force-pushed
the
STeve/54705_part_2_role
branch
4 times, most recently
from
bcd475a to
175cd24
Compare
Contributor
|
Amplify deployment status
|
greedy52
force-pushed
the
STeve/54705_part_2_role
branch
from
175cd24 to
10fe4f0
Compare
greedy52
force-pushed
the
STeve/54705_part_2_role
branch
from
10fe4f0 to
73c189b
Compare
greedy52
force-pushed
the
STeve/54705_part_2_role
branch
from
73c189b to
8b1669b
Compare
github-actions
Bot
requested review from
avatus,
bernardjkim,
flyinghermit,
gzdunek,
hugoShaka,
kimlisa,
kiosion,
marcoandredinis,
mmcallister,
ptgott,
r0mant and
ravicious
greedy52
removed request for
marcoandredinis,
mmcallister,
ptgott,
ravicious,
rudream,
ryanclark,
tigrato and
zmb3
bl-nero
reviewed
May 15, 2025
Comment on lines
+819
to
+825
| // For allow, only update entries and wildcardAllowed when the role | ||
| // matches the resources without any matcher. | ||
| var roleMatchResource bool | ||
| if err := NewRoleSet(role).checkAccess(resource, a.info.Traits, AccessState{MFAVerified: true}); err == nil { | ||
| roleMatchResource = true | ||
| } | ||
|
|
Contributor
There was a problem hiding this comment.
I don't understand the reason behind this change. It seems arbitrary and unrelated to the purpose of this PR.
Contributor
Author
There was a problem hiding this comment.
it's a bug fix. The Enumerate function tries to mimic CheckAccess which should allow the entities that matched by the role.
For example, two roles dev and prod
kind: role
metadata:
name: dev
spec:
allow:
db_labels:
env:
- dev
db_users:
- *
And
kind: role
metadata:
name: prod
spec:
allow:
db_labels:
env:
- prod
db_users:
- "abc"
before the fix, with a env=dev database resource, enumerate will return the result where both * and abc are allowed. But abc is really irrelevant. So after the fix, abc won't show up any more.
Note that the Enumerate functions are only used for displaying information. They are not used in the final access check decision making.
Collaborator
There was a problem hiding this comment.
Does this bug fix need to be backported earlier than v17? If so, probably best to do it in a separate PR instead of burying it in this 4000-line PR.
tigrato
approved these changes
May 19, 2025
avatus
approved these changes
May 19, 2025
bl-nero
approved these changes
May 21, 2025
public-teleport-github-review-bot
Bot
removed request for
GavinFrazar,
hugoShaka and
r0mant
Merged
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jul 21, 2025
* Initial PostgreSQL MCP support (#54431) * feat(mcp): initial postgres mcp * test(postgres): fix missing mock function * fix(gomod): go mod tidy all * refactor: code review suggestions * fix(tsh): mcp init missing logger * chore(tsh): missing other route to database field * refactor: use in-memory net listener * test(tsh): add mcp db command test * chore: fix license * refactor(tsh): move logger init * test(mcp): sort slices to avoid flakiness * chore: fix lint * test(mcp): sort the resources before assertion * fix(mcp): update error handler for better message * refactor: code review suggestions * feat: add external error retriever for more accurate error messages * refactor: use the same logger init for mcp purposes * refactor: code review suggestions * refactor(tsh): rename command to `tsh mcp db start` * refactor(mcp): protect database resources with rw mutex * chore: update server godocs * chore: go mod tidy * refactor: update command to take list of databases * chore(mcp): license * chore(tsh): remove unused function * refactor: code review suggestions * refactor(tsh): validate duplicated databases in MCP configuration * refactor(tsh): rename files to mcp_db * feat(mcp): add cluster name to the database resource * fix(tsh): update InitLogger return type (#55479) * MCP access part 1: update app definition and config (#54706) * MCP access part 1: update app definition and config * address feedback * make -C integrations/operator crd * MCP access part 2: new role options, access checker, role editor (#54734) * MCP access part 2: new role options, access checker, role editor * catch unsupported mcp fields * simplify mcpToolsToModel * MCP access part 3: audit events and reporting (#54779) * MCP access part 3: audit events and reporting * add new icon, storybook, format * MCP access part 4: mcputils (#54880) * MCP access part 4: mcp helpers * address feedback * address comment, minor edits * update mcp-go * MCP access part 5: Claude desktop config parser (#55179) * claude desktop config * rework * split Config to Config and FileConfig * add a comment on unofficial linux * MCP access part 6: "tsh mcp ls" (#55292) * MCP access part 6: "tsh mcp ls" * address feedback * MCP access part 7: MCP app in Web UI (#55306) * MCP access part 7: MCP app in Web UI * Make spacing in modal closer to what's in database modal * add mcp app to ResourceActionButton.story.tsx * move AppSubKind to shared/services/types. * remove --format claude (not needed see part 8) * add jsdoc --------- Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> * MCP access part 8: tsh mcp config (#55370) * MCP access part 8: tsh mcp login/logout * change to --format and --config-file * switch to config and drop logout * enable debug by default * remove unused ut functions * MCP access part 9: tsh mcp connect, stub server, integration test (#55547) * MCP access part 9: tsh mcp connect, stub server, integration test * fix tests and lint * MCP access part 10: server handler (#55644) * MCP access part 10: server handler * address feedback and fix docker tests * add more comments * minor lint fix * move set logger default after other checks * Implement `tsh mcp db config` (#55781) * feat(tsh): add `tsh mcp db config` subcommand * chore(claude): fix lint * refactor: code review suggestions * refactor: code review suggestions * test(tsh): add missing option on test case * chore(tsh): add message on manually adding database URI * Refactor MCP database access to dial ALPN proxy directly (#55836) * refactor: dial database instead of using local proxy for MCP servers * refactor: review suggestions * manual fixes * tctl users add/update to support mcp tools trait (#56771) * tctl users add/update to support mcp tools trait * revert empty slice capability * Enhances MCP servers usage with Cursor (#56474) * feat(mcp): enhances MCP servers usage with Cursor * refactor: code review suggestions * mcputils refactor and new mcptest package (#56010) * mcp server and mcputils refactor * mcptest package * allow testing in mcptest * Teleport MCP demo server (#56637) * Teleport MCP demo server * replace guide tool with session tool, and switch to resource label * add new flag to teleport configure * replace teleport_session_id with mcp_transport_type * feat(gomod): update mcp-go to v0.32.0 * eslint-disable-next-line (same in master) --------- Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related
It's a lot of files... but this is the norm now for any new RBAC option.