Conversation
github-actions
bot
added
size/md
tsh
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
Contributor
|
Amplify deployment status
|
tangyatsu
force-pushed
the
tangyatsu/add-ability-to-list-requestable-roles-via-tsh
branch
from
7604f5a to
044ceb6
Compare
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
zmb3
reviewed
Nov 19, 2025
tool/tsh/common/access_request.go
Outdated
|
|
||
| var caps *types.AccessCapabilities | ||
| err = tc.WithRootClusterClient(cf.Context, func(clt authclient.ClientI) error { | ||
| caps, err = clt.GetAccessCapabilities( |
Collaborator
There was a problem hiding this comment.
What's the difference between GetAccessCapabilities and ListRequestableRoles?
The latter seems more appropriate (at least in name).
Contributor
Author
There was a problem hiding this comment.
Yeah, good point, ListRequestableRoles looks much better here
rosstimothy
reviewed
Nov 19, 2025
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
avatus
reviewed
Nov 20, 2025
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
avatus
approved these changes
Nov 20, 2025
zmb3
reviewed
Nov 20, 2025
tool/tsh/common/access_request.go
Outdated
| ) | ||
|
|
||
| err = tc.WithRootClusterClient(cf.Context, func(clt authclient.ClientI) error { | ||
| for { |
Collaborator
There was a problem hiding this comment.
I would take a look at clientutils.Resources, which is a helper function that implements the pagination loop here.
Contributor
Author
There was a problem hiding this comment.
So, I used clientutils.Resources here instead of my original loop. I also thought about adding a new client method with a suitable signature, something like:
ListRequestableRolesV2(ctx context.Context, pageSize int, pageToken string) (*proto.ListRequestableRolesResponse, error)but I wasn’t sure. We have examples like:
// ListAccessLists returns a paginated list of access lists.
ListAccessLists(context.Context, int, string) ([]*accesslist.AccessList, string, error)
// ListAccessListsV2 returns a filtered and sorted paginated list of access lists.
ListAccessListsV2(context.Context, *accesslistv1.ListAccessListsV2Request) ([]*accesslist.AccessList, string, error)And the original ListAccessLists, which had a suitable signature, is now deprecated.
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
rosstimothy
approved these changes
Nov 21, 2025
tool/tsh/common/access_request.go
Outdated
Comment on lines
+440
to
+445
| resp, err := clt.ListRequestableRoles(ctx, req) | ||
| if err != nil { | ||
| return nil, "", trace.Wrap(err) | ||
| } | ||
|
|
||
| return resp.Roles, resp.NextPageToken, nil |
Contributor
There was a problem hiding this comment.
If we used the generated Getters which are nil safe we could eliminate a few lines here.
Suggested change
| resp, err := clt.ListRequestableRoles(ctx, req) | |
| if err != nil { | |
| return nil, "", trace.Wrap(err) | |
| } | |
| return resp.Roles, resp.NextPageToken, nil | |
| resp, err := clt.ListRequestableRoles(ctx, req) | |
| return resp.GetRoles(), resp.GetNextPageToken(), trace.Wrap(err) |
Contributor
Author
There was a problem hiding this comment.
I really like that, I’ll update the PR
public-teleport-github-review-bot
bot
removed request for
klizhentas and
r0mant
zmb3
approved these changes
Nov 21, 2025
tangyatsu
force-pushed
the
tangyatsu/add-ability-to-list-requestable-roles-via-tsh
branch
from
fe586d9 to
d9d7e1c
Compare
tangyatsu
temporarily deployed
to
docs-amplify
GitHub Actions
Inactive
tangyatsu
deleted the
tangyatsu/add-ability-to-list-requestable-roles-via-tsh
branch
Contributor
|
@tangyatsu See the table below for backport results.
|
tangyatsu
added a commit
that referenced
this pull request
Nov 21, 2025
zmb3
pushed a commit
that referenced
this pull request
Nov 24, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Resolves: #7693
tsh now supports listing requestable roles via
tsh request search --roles, enforces mutual exclusivity between--rolesand--kindflags, and adds a hint totsh request new --roles, that suggests usingtsh request search --roleswhen the requested role is not allowed.changelog: Added
--rolesflag fortsh request search, allowing users to list all requestable roles. This flag is mutually exclusive with--kindManual Tests
A local test cluster was created with a requester role that is allowed to request several other roles.
A test user with the requester role was created.
The following tests were performed:
tsh request searchreturns an errortsh request search --rolessucceeds, lists requestable rolestsh request search --kindreturns an errortsh request search --kind=dbsucceedstsh request search --roles --kind=dbreturns errortsh request search --roles --kindreturns errortsh request new --rolesconfirmed the new hint suggestingtsh request search --roles