fix: session trackers participants inconsistencies #58853
Merged
Conversation
This PR fixes some inconsistencies in session trackers' participants
across different protocols. Some protocols set the real username when
dealing with leaf clusters' sessions, while others, such as kube, set
the field to the transformed username - `remote-{user}-{cluster}`.
This is a problem because when performing RBAC against the session
tracker - `contains(session_tracker.participants, user.metadata.name)` -
the root user in the leaf cluster could see it depending on the protocol he used
because the authorizer uses the transformed username.
This PR aligns all session trackers by adding an extra field `Cluster`
that carries the origin user's cluster and changes the username to use
the real username instead of the transformed one.
The usernames are transformed before applying the session tracker RBAC.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
0c31b54 to d43ecc1
tigrato added a commit that referenced this pull request on Sep 8, 2025
Similarly to #58853, session's end events also showed inconsistencies in participant fields for different protocols. This created an issue where root users couldn't watch session recordings they participated in depending on the protocol, while some local users could. Since the session's participants field is a repeated string, we can't apply the same logic as in #58853, so we need to transform the username prior to emitting the session end events. This will allow leaf users to see their recordings. Fixes #12324 Fixes teleport-private#166 Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
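To make the two fixes above concrete, here is an added example in Go; it is not Teleport's code and none of its identifiers come from the project. It models a tracker participant as (real username, origin cluster), applies the `remote-{user}-{cluster}` transform only when the RBAC predicate `contains(session_tracker.participants, user.metadata.name)` is evaluated, and contrasts that with the pre-fix behaviour in which one protocol stored the transformed name and another the real name. It also shows the plain string list a session end event carries, which is why the follow-up commit transforms names before emitting that event. The type and function names (`Participant`, `ParticipantNames`, `CanSeeTracker`, the `Legacy*` helpers), the rule that an empty `Cluster` means "local", and the sample user and cluster names are assumptions for illustration; `localCluster` is the cluster whose authorizer is evaluating the check.

```go
package main

import "fmt"

// Participant is a constructed stand-in for the shape the PR describes:
// the real username plus the cluster the user originated from, stored
// untransformed on the tracker. (Assumed names, not Teleport's types.)
type Participant struct {
	User    string
	Cluster string // origin cluster of the user; "" is treated as local here (assumption)
}

// SessionTracker is a constructed subset of a session tracker resource.
type SessionTracker struct {
	SessionID    string
	Participants []Participant
}

// RemoteUsername is the transform named on the page: a user from another
// cluster is known to the local authorizer as remote-{user}-{cluster}.
func RemoteUsername(user, cluster string) string {
	return fmt.Sprintf("remote-%s-%s", user, cluster)
}

// ParticipantNames renders the participant list the way the local cluster's
// authorizer names those users: participants from localCluster keep their
// real username, participants from any other cluster are transformed.
// This is the "transform before RBAC" step, done at evaluation time rather
// than when the tracker is written, so every protocol yields the same result.
func ParticipantNames(t SessionTracker, localCluster string) []string {
	names := make([]string, 0, len(t.Participants))
	for _, p := range t.Participants {
		if p.Cluster == "" || p.Cluster == localCluster {
			names = append(names, p.User)
		} else {
			names = append(names, RemoteUsername(p.User, p.Cluster))
		}
	}
	return names
}

// CanSeeTracker evaluates contains(session_tracker.participants, user.metadata.name)
// after the transform; authorizedName is the name the local authorizer assigned
// to the caller (remote-{user}-{cluster} for a user from another cluster).
func CanSeeTracker(t SessionTracker, authorizedName, localCluster string) bool {
	for _, n := range ParticipantNames(t, localCluster) {
		if n == authorizedName {
			return true
		}
	}
	return false
}

// LegacyKubeParticipant and LegacySSHParticipant reproduce the pre-fix
// inconsistency the PR describes: one protocol stored the transformed name,
// another the real name, so the same predicate answered differently for the
// same user depending on the protocol used.
func LegacyKubeParticipant(user, cluster string) string { return RemoteUsername(user, cluster) }
func LegacySSHParticipant(user, cluster string) string  { return user }

// LegacyCanSee is the same contains() check over a plain string list. A session
// end event carries exactly such a list, so a consumer of that event cannot
// apply ParticipantNames; the names must already be transformed when emitted.
func LegacyCanSee(participants []string, authorizedName string) bool {
	for _, n := range participants {
		if n == authorizedName {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario: root-cluster user alice joins a session on leaf
	// cluster "leaf"; the leaf authorizer knows her as remote-alice-root.
	const leaf = "leaf"
	aliceOnLeaf := RemoteUsername("alice", "root")

	fmt.Println("legacy kube tracker:", LegacyCanSee([]string{LegacyKubeParticipant("alice", "root")}, aliceOnLeaf))
	fmt.Println("legacy ssh tracker: ", LegacyCanSee([]string{LegacySSHParticipant("alice", "root")}, aliceOnLeaf))

	tracker := SessionTracker{
		SessionID:    "constructed-session-1",
		Participants: []Participant{{User: "alice", Cluster: "root"}, {User: "bob", Cluster: leaf}},
	}
	fmt.Println("fixed tracker, alice:", CanSeeTracker(tracker, aliceOnLeaf, leaf))
	fmt.Println("fixed tracker, bob:  ", CanSeeTracker(tracker, "bob", leaf))
	// What a session end event should carry for this leaf session.
	fmt.Println("session end participants:", ParticipantNames(tracker, leaf))
}
```

The same tracker evaluated on the root cluster yields "alice" untransformed and "remote-bob-leaf" for bob, which is the point of storing the origin cluster rather than a name that is only correct from one cluster's point of view.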
danielashare approved these changes on Sep 8, 2025
probakowski approved these changes on Sep 8, 2025
tigrato added a commit that referenced this pull request on Sep 8, 2025
tigrato added a commit that referenced this pull request on Sep 8, 2025
* fix: session trackers participants inconsistencies
This PR fixes some inconsistencies in session trackers' participants
across different protocols. Some protocols set the real username when
dealing with leaf clusters' sessions, while others, such as kube, set
the field to the transformed username - `remote-{user}-{cluster}`.
This is a problem because when performing RBAC against the session
tracker - `contains(session_tracker.participants, user.metadata.name)` -
the root user in the leaf cluster could see it depending on the protocol he used
because the authorizer uses the transformed username.
This PR aligns all session trackers by adding an extra field `Cluster`
that carries the origin user's cluster and changes the username to use
the real username instead of the transformed one.
The usernames are transformed before applying the session tracker RBAC.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* handle code review comment
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue bot pushed a commit that referenced this pull request on Sep 8, 2025
backport-bot-workflows bot pushed a commit that referenced this pull request on Sep 8, 2025
github-merge-queue bot pushed a commit that referenced this pull request on Sep 9, 2025
github-merge-queue bot pushed a commit that referenced this pull request on Sep 9, 2025
mmcallister pushed a commit that referenced this pull request on Sep 22, 2025
mmcallister pushed a commit that referenced this pull request on Sep 22, 2025