Dynamic Roles #897
Merged
Dynamic Roles #897
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
russjones
force-pushed
the
rjones/oidc-templates
branch
from
30c38b9 to
ecbd113
Compare
russjones
force-pushed
the
rjones/oidc-templates
branch
from
ecbd113 to
fcfb883
Compare
klizhentas
reviewed
Apr 5, 2017
lib/auth/auth.go
Outdated
| } | ||
|
|
||
| // figure out ttl for role. expires = now + ttl => ttl = expires - now | ||
| ttl := ident.ExpiresAt.Sub(time.Now()) |
There was a problem hiding this comment.
can you use auth server clock instead?
klizhentas
reviewed
Apr 5, 2017
lib/auth/auth.go
Outdated
| } else { | ||
| } | ||
|
|
||
| // check if any exisiting user is a non-oidc user, dont override their |
There was a problem hiding this comment.
incomplete comment sentence
klizhentas
reviewed
Apr 5, 2017
| // Roles is a list of static teleport roles to match. | ||
| Roles []string `json:"roles,omitempty"` | ||
| // RoleTemplate a template role that will be filled out with claims. | ||
| RoleTemplate *RoleV2 `json:"role_template,omitempty"` |
There was a problem hiding this comment.
can you implement this sligthly in a different way that will allow me to add extesions:
- use json.RawMessageHere
- use GetRoleMarshaller().Unmarshal()
- set the value
This will allow me to override this setting in Telekube and Teleport Enterprise
There was a problem hiding this comment.
actually, nevermind, I can already do this without this change
klizhentas
reviewed
Apr 5, 2017
|
@klizhentas Made the changes you suggested, can you take another look? |
klizhentas
approved these changes
Apr 5, 2017
hatched
pushed a commit
to hatched/teleport-merge
that referenced
this pull request
Nov 30, 2022
hatched
pushed a commit
that referenced
this pull request
Dec 20, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose
As covered in #891, at the moment using OIDC with individual system logins means you have to either create a role for every user or keep updating a shared role with logins whenever someone new joins the team.
To improve the user experience of OIDC and Teleport, this PR allows you to define a role template that can be used to dynamically create roles based off the claims received from an identity provider.
Implementation
The
claims_to_rolesfor an OIDC connector can now containrolesor arole_templatethat contains an embedded role that is filled out by data from claims.UpsertRolehas been updated with a TTL so that dynamic roles are removed along with the dynamic user.User creation logic has been updated so if you re-login via OIDC you don't have to wait for your existing
Userto expire.Related Issues
Fixes #891