Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A user with permissions to create a token cannot create it in the web gui #13218

Closed
programmerq opened this issue Jun 6, 2022 · 2 comments · Fixed by #14506
Closed

A user with permissions to create a token cannot create it in the web gui #13218

programmerq opened this issue Jun 6, 2022 · 2 comments · Fixed by #14506
Assignees
@r0mant @hatched @marcoandredinis @kimlisa
Labels
bug c-ac Internal Customer Reference discover Issues related to Teleport Discover good-starter-issue Good starter issue to start contributing to Teleport rbac Issues related to Role Based Access Control ui ux webassets Automated PRs for webassets submodules

Comments

@programmerq
Copy link
Contributor

programmerq commented Jun 6, 2022
edited
Loading

Expected behavior:

A user with the create permission for tokens should be able to create a token in the web interface.

Current behavior:

The web interface complains that the user does not have the update permission when a user tries to create a token. It appears the web gui will create and then update. The same user is able to successfully do a tctl create command from the command line since that only issues an api call with the create verb.

image

Bug details:

  • Teleport version
  • Recreation steps
  • Debug logs

gz#5325
@programmerq programmerq added bug ux ui webassets Automated PRs for webassets submodules c-ac Internal Customer Reference labels Jun 6, 2022
@zmb3 zmb3 added the rbac Issues related to Role Based Access Control label Jun 6, 2022
@russjones russjones added the good-starter-issue Good starter issue to start contributing to Teleport label Jul 12, 2022
@russjones
Copy link
Contributor

@kimlisa @hatched Please sync with @r0mant about this when you are working on the discover wizard.

I don't think we need to go back and fix this since we are changing this flow completely anyway.

@r0mant r0mant added the discover Issues related to Teleport Discover label Jul 14, 2022
@marcoandredinis
Copy link
Contributor

marcoandredinis commented Jul 15, 2022
edited
Loading

There's a difference between tctl and web clients:

  • tctl uses GenerateToken - requires create verb on token resource
  • web uses UpsertToken - requires create and update verb on token resource

That's why we get this error

We can't use GenerateToken from web because it doesn't allow setting the JoinMethod required to generate a Provision Token for IAM joining.

I guess our usage of the Upsert<resource> methods leads to this situations, I'm sure there are other resources with this approach (roles comes to mind)

I'll open a PR to fix this

@marcoandredinis marcoandredinis mentioned this issue Jul 15, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@r0mant r0mant

@hatched hatched

@marcoandredinis marcoandredinis

@kimlisa kimlisa

Labels
bug c-ac Internal Customer Reference discover Issues related to Teleport Discover good-starter-issue Good starter issue to start contributing to Teleport rbac Issues related to Role Based Access Control ui ux webassets Automated PRs for webassets submodules
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove update verb requirement when creating Tokens gravitational/teleport
7 participants
@programmerq @r0mant @hatched @marcoandredinis @russjones @zmb3 @kimlisa