Label-Specific Login options for multi-role users

[deusxanima]

What

If a user is assigned to multiple roles, each with separate logins specified in their respective role config file, when they use the Connect dropdown next to a server in the WebUI they see all of the login options from all of the roles instead of only seeing the label-specific login options. This can be confusing for customers who may have multiple roles assigned to them based on env labels, but where each role-given login is label-specific.

Example:

Role A:

• can see nodes matching label "env: a"
  • matches ServerA
• has login listed as "userA"

Role B:

• can see nodes matching label "env: b"
  • matches ServerB
• has login listed as "userB"

If a user logs into the proxy WebUI and assumes both roles when they click the Connect dropdown option next to ServerA they see both "userA" and "userB" as login options. Even though "userB" will not work in this case it is still confusing nonetheless, especially in clusters where users may have more than two roles simultaneously and hundreds if not thousands of nodes with different labels and login options.

How

If a user clicks the Connect dropdown option next to ServerA, they should only see the "userA" login option that was defined in that role.

Why

Customers with large networks and multiple role mappings have requested the feature.

gz#5440

[klizhentas]

When we display a page, we take current user context and filter all the nodes through logins in the role set and add logins to the nodes list that role set allows for each node.

With pagination it's possible now, so our fullstack team can take care of it.

[mcbattirola]

PRs merged on master.

Backport:

• v9
  • teleport
  • webapps
  • webapps.e

[mcbattirola]

FYI @AHARIC @WilliamLoy this got into teleport 10, it should be available in the next release