hide Login As button if role lacks login permissions #1862

Closed
aberoham opened this issue Apr 10, 2018 · 1 comment · Fixed by #2168

@aberoham (Contributor)
What happened:

A PCI compliance auditor with read-only Teleport RBAC permissions logged in and saw Login As buttons present for all visible nodes, even though their Teleport role only allowed session list & session read. (role below) They didn't want to click Login As without explicit authority, and only once you click the button do you get an error stating that you don't have access.

What you expected to happen:

The interface would hide or otherwise provide better UX around the Login As button if login to any given node is not explicitly allowed.

How to reproduce it (as minimally and precisely as possible):

auditor.yaml: |-
    kind: "role"
    version: "v3"
    metadata:
      name: "auditor"
    spec:
      options:
        # max_session_ttl defines the TTL (time to live) of SSH certificates 
        # issued to the users with this role.
        max_session_ttl: "1h"
      allow:
        rules:
          - resources: [session]
            verbs: [list, read]
      deny:
        node_labels:
          "*": "*"

Environment:

  • Teleport version (use teleport version): 2.5.x Enterprise
  • Tsh version (use tsh version): same
  • OS (e.g. from /etc/os-release): n/a

Browser environment

n/a

Relevant Debug Logs If Applicable

n/a

@aberoham aberoham added this to the 2.6.1 "New Braunfels" milestone May 11, 2018
@russjones russjones modified the milestones: 2.6.1 "New Braunfels", 2.7.0 "San Antonio" May 22, 2018
@alex-kovoy alex-kovoy assigned alex-kovoy and unassigned alexwolfe Aug 13, 2018
@aberoham (Contributor, Author)

TL;DR from in-person discussion with Alexey: if allowed_logins is empty, we could simply not display "Login As"; that would suffice for this particular customer ask. The more detailed work to limit node visibility would be handled in #1954.
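The rule proposed above (no permitted logins for a node, no "Login As" button) as an added JavaScript example. This is not Teleport's web UI code; it models the role quoted in the issue with simplified, assumed semantics (deny wins over allow, `{"*": "*"}` matches every node, a role without `allow.node_labels` reaches no node) and treats the result only as a rendering hint, since the proxy still enforces access when the user actually connects. The `operatorRole`, node objects and `renderNodeRow` helper are constructed for illustration.

```javascript
// Added example, not Teleport's code: decide whether a node list should render
// a "Login As" button for the current user, given the role they hold.
// Hiding the button is UX only; the server must still enforce access on connect.
//
// Assumed (simplified) role semantics, not Teleport's actual evaluation:
//  - spec.allow.logins lists the OS logins the role grants;
//  - spec.allow.node_labels / spec.deny.node_labels are label selectors where
//    {"*": "*"} matches every node and otherwise a key must exist on the node
//    with the given value (or "*");
//  - deny wins over allow, and a role without allow.node_labels reaches no node.

function selectorMatches(selector, node) {
  if (!selector || Object.keys(selector).length === 0) return false;
  const labels = node.labels || {};
  for (const [key, value] of Object.entries(selector)) {
    if (key === '*' && value === '*') return true; // wildcard: every node
    if (key in labels && (value === '*' || labels[key] === value)) return true;
  }
  return false;
}

// Returns the logins the user may use on `node`, or [] when none apply.
function allowedLoginsForNode(role, node) {
  const allow = (role.spec && role.spec.allow) || {};
  const deny = (role.spec && role.spec.deny) || {};
  if (selectorMatches(deny.node_labels, node)) return [];   // explicit deny
  if (!selectorMatches(allow.node_labels, node)) return []; // never allowed
  const denied = new Set(deny.logins || []);
  return (allow.logins || []).filter((login) => !denied.has(login));
}

// The behaviour the issue asks for: no permitted logins, no button.
function shouldShowLoginAs(role, node) {
  return allowedLoginsForNode(role, node).length > 0;
}

// Constructed sample data. auditorRole is the role quoted in the issue:
// session list/read only, no logins, and every node denied.
const auditorRole = {
  kind: 'role',
  version: 'v3',
  metadata: { name: 'auditor' },
  spec: {
    options: { max_session_ttl: '1h' },
    allow: { rules: [{ resources: ['session'], verbs: ['list', 'read'] }] },
    deny: { node_labels: { '*': '*' } },
  },
};

// A hypothetical operator role for contrast: may log in to prod nodes,
// but "root" is explicitly denied.
const operatorRole = {
  kind: 'role',
  version: 'v3',
  metadata: { name: 'operator' },
  spec: {
    allow: { logins: ['ubuntu', 'root'], node_labels: { env: 'prod' } },
    deny: { logins: ['root'] },
  },
};

const prodNode = { hostname: 'db-1', labels: { env: 'prod' } };
const devNode = { hostname: 'dev-1', labels: { env: 'dev' } };

// What one row of the node list would carry for this user: the login
// choices to offer, or null when the button should not be rendered at all.
function renderNodeRow(role, node) {
  const logins = allowedLoginsForNode(role, node);
  return {
    hostname: node.hostname,
    loginAs: shouldShowLoginAs(role, node) ? logins : null,
  };
}

console.log(renderNodeRow(auditorRole, prodNode));  // auditor: no button
console.log(renderNodeRow(operatorRole, prodNode)); // operator: ["ubuntu"]
```

Note that the auditor role is hidden from the button by two independent paths here: it has no `allow.logins` at all, and its `deny.node_labels` wildcard matches every node. Either alone is enough to return an empty login list, which is the condition the comment proposes for not rendering "Login As".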
