What happened:
A PCI compliance auditor with read-only Teleport RBAC permissions logged in and saw "Login As" buttons present for all visible nodes, even though their Teleport role (below) only allowed session list and session read. They didn't want to click "Login As" without explicit authority, and only once you click the button do you get an error stating that you don't have access.
What you expected to happen:
The interface would hide, or otherwise provide better UX around, the "Login As" button if login to any given node is not explicitly allowed.
How to reproduce it (as minimally and precisely as possible):

```yaml
auditor.yaml: |-
  kind: "role"
  version: "v3"
  metadata:
    name: "auditor"
  spec:
    options:
      # max_session_ttl defines the TTL (time to live) of SSH certificates
      # issued to the users with this role.
      max_session_ttl: "1h"
    allow:
      rules:
        - resources: [session]
          verbs: [list, read]
    deny:
      node_labels:
        "*": "*"
```
Environment:
Teleport version (use teleport version): 2.5.x Enterprise
Tsh version (use tsh version): same
OS (e.g. from /etc/os-release): n/a
Browser environment
n/a
Relevant Debug Logs If Applicable
n/a
TL;DR from in-person discussion with Alexey: if allowed_logins is empty, we could simply not display "Login As"; that would suffice for this particular customer ask. The more detailed work to limit node visibility would be handled in #1954.
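The check proposed in the comment above (hide "Login As" whenever the user's roles yield no allowed logins for a node), worked through as an added example; this is not Teleport's own code. The `auditor` role is the one from the issue, transcribed into a dict; the `dev` role, the node labels, and the allow/deny evaluation order (a deny `node_labels` match blocks the node outright, otherwise logins from matching allow roles are unioned and any `deny.logins` removed) are constructed assumptions that approximate Teleport's RBAC for illustration.

```python
from fnmatch import fnmatchcase

# The auditor role from the issue, transcribed field-for-field from the YAML.
AUDITOR_ROLE = {
    "metadata": {"name": "auditor"},
    "spec": {
        "allow": {"rules": [{"resources": ["session"], "verbs": ["list", "read"]}]},
        "deny": {"node_labels": {"*": "*"}},
    },
}

# Constructed comparison role (not from the issue) that does grant SSH logins
# on a subset of nodes, so the UI decision can be seen flipping both ways.
DEV_ROLE = {
    "metadata": {"name": "dev"},
    "spec": {
        "allow": {
            "logins": ["ubuntu", "root"],
            "node_labels": {"env": ["dev", "staging"]},
        },
        "deny": {"logins": ["root"]},
    },
}


def labels_match(selector, node_labels):
    """True if every key in the role's label selector matches the node's labels.

    Values may be a single string or a list of alternatives; glob wildcards are
    honoured and the special selector {"*": "*"} matches every node
    (an approximation of Teleport's label matching, assumed for this example).
    """
    for key, wanted in selector.items():
        if key == "*" and wanted in ("*", ["*"]):
            return True
        if key not in node_labels:
            return False
        candidates = wanted if isinstance(wanted, list) else [wanted]
        if not any(fnmatchcase(node_labels[key], c) for c in candidates):
            return False
    return True


def allowed_logins(roles, node_labels):
    """Logins a user holding `roles` may use on a node carrying `node_labels`.

    Assumed evaluation order: any deny.node_labels match blocks the node;
    otherwise union allow.logins from roles whose allow.node_labels match,
    then subtract every deny.logins entry. Deny always wins.
    """
    allowed, denied = set(), set()
    for role in roles:
        spec = role.get("spec", {})
        allow = spec.get("allow") or {}
        deny = spec.get("deny") or {}
        if deny.get("node_labels") and labels_match(deny["node_labels"], node_labels):
            return set()
        denied.update(deny.get("logins", []))
        if allow.get("node_labels") and labels_match(allow["node_labels"], node_labels):
            allowed.update(allow.get("logins", []))
    return allowed - denied


def show_login_as(roles, node_labels):
    """The UI rule from the comment: render the button only if some login is allowed."""
    return bool(allowed_logins(roles, node_labels))


if __name__ == "__main__":
    node = {"env": "dev", "hostname": "web-1"}  # constructed node labels
    for roles in ([AUDITOR_ROLE], [DEV_ROLE], [DEV_ROLE, AUDITOR_ROLE]):
        names = [r["metadata"]["name"] for r in roles]
        print(names, "->", sorted(allowed_logins(roles, node)),
              "show button:", show_login_as(roles, node))
```

For the auditor role the result is empty regardless of how the deny rule is interpreted, because the role carries no `allow.logins` at all; that is the case the comment says the web UI can act on without waiting for the fuller node-visibility work.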