Add context to "tsh ls" in docs #12583
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
r0mant
reviewed
May 11, 2022
docs/pages/includes/node-logins.mdx
Outdated
| @@ -0,0 +1,30 @@ | |||
| When Teleport's Auth Service receives a request to list Teleport Nodes (e.g., to | |||
| display Nodes in the Web UI or via `tsh ls`), it only returns the Nodes that the | |||
| current user is authorized to access. | |||
There was a problem hiding this comment.
Nit: I would say "see" (or analogue) instead of "access" because you can see the node but still have not permissions to access it if allowed logins don't allow it.
Suggested change
| current user is authorized to access. | |
| current user is authorized to see. |
docs/pages/includes/node-logins.mdx
Outdated
|
|
||
| {/* | ||
|
|
||
| TODO: We might want to mention that the Auth Service checks the resource's |
There was a problem hiding this comment.
Namespaces are basically not used at all in Teleport. All resources always have default namespace and I don't think this will ever change TBH. So I think this "todo" item won't ever get resolved so we may as well just remove it. But it's up to you if you want to keep it.
There was a problem hiding this comment.
Thanks—I'll delete this TODO. I think #12580 can be resolved by deleting all references to Teleport namespaces in the docs (looks like there are a couple of --namespace mentions in the CLI reference, but I don't think anything beyond that)
docs/pages/includes/node-logins.mdx
Outdated
| TODO: We might want to mention that the Auth Service checks the resource's | ||
| namespace as well, but we currently do not document resource namespaces. | ||
| This would not be the appropriate place to include our only namespace | ||
| documentation. See gravitational/teleport issue #12580. |
There was a problem hiding this comment.
If you still intend to keep this "todo" item, just paste a link to the issue.
docs/pages/includes/node-logins.mdx
Outdated
|
|
||
| */} | ||
|
|
||
| - None of the user's roles contains a `deny` rule that matches the Node's labels. |
There was a problem hiding this comment.
English grammar question: is "contains" the correct form here, or should it say "contain"? :) I'd think that "none of the roles contain" is more correct cause it's plural but I may be mistaken.
There was a problem hiding this comment.
From what I've read, "none" can be singular or plural, and there's no good rule for this. It probably would sound better as "contain," though.
docs/pages/includes/node-logins.mdx
Outdated
| */} | ||
|
|
||
| - None of the user's roles contains a `deny` rule that matches the Node's labels. | ||
| - None of the user's roles contains a `deny` rule that matches the user's |
There was a problem hiding this comment.
I may be misunderstanding what this is referring to, but I'm not sure this applies to listing nodes.
There was a problem hiding this comment.
I was attempting to paraphrase RoleSet.CheckAccess, which looks like it would check if one of the matchers, which I thought would be a services.loginMatcher in the case of a Node, matches a deny rule.
| `traits.logins`. | ||
| - At least one of the user's roles contains an `allow` rule that matches the | ||
| Node's labels. | ||
| - At least one of the user's roles contains an `allow` rule that matches the |
There was a problem hiding this comment.
I think mentioning traits makes it a bit more confusing. I would just say that at least one of user's roles has allowed logins for the node. Traits aren't really relevant in this context I think.
r0mant
approved these changes
May 24, 2022
ptgott
force-pushed
the
paul.gottschling/7051-node-logins
branch
from
c228584 to
3315501
Compare
ptgott
force-pushed
the
paul.gottschling/7051-node-logins
branch
3 times, most recently
from
ae36e4a to
d83f7f9
Compare
zmb3
approved these changes
Jun 14, 2022
ptgott
force-pushed
the
paul.gottschling/7051-node-logins
branch
from
d83f7f9 to
9dc4dee
Compare
ptgott
force-pushed
the
paul.gottschling/7051-node-logins
branch
from
9dc4dee to
59cfa81
Compare
Fixes #7051 - Create a partial for how the Teleport Auth Service filters Nodes based on user roles/logins in response to queries. - Add the partial to provide context for example commands that include "tsh ls". - Make our existing text on Teleport's authorization checks clearer by enumerating the checks in the order they are executed in services.RoleSet.CheckAccess. Note that this does not change guides that instruct the user to create a new user and role, since a user following these guides will see the correct "tsh ls" output.
ptgott
force-pushed
the
paul.gottschling/7051-node-logins
branch
from
59cfa81 to
a7fb9d1
Compare
ptgott
added a commit
that referenced
this pull request
Jun 23, 2022
Backports #12583 * Add context to "tsh ls" in docs Fixes #7051 - Create a partial for how the Teleport Auth Service filters Nodes based on user roles/logins in response to queries. - Add the partial to provide context for example commands that include "tsh ls". - Make our existing text on Teleport's authorization checks clearer by enumerating the checks in the order they are executed in services.RoleSet.CheckAccess. Note that this does not change guides that instruct the user to create a new user and role, since a user following these guides will see the correct "tsh ls" output. * Respond to PR feedback
ptgott
added a commit
that referenced
this pull request
Jun 23, 2022
Backports #12583 * Add context to "tsh ls" in docs Fixes #7051 - Create a partial for how the Teleport Auth Service filters Nodes based on user roles/logins in response to queries. - Add the partial to provide context for example commands that include "tsh ls". - Make our existing text on Teleport's authorization checks clearer by enumerating the checks in the order they are executed in services.RoleSet.CheckAccess. Note that this does not change guides that instruct the user to create a new user and role, since a user following these guides will see the correct "tsh ls" output. * Respond to PR feedback
ptgott
added a commit
that referenced
this pull request
Jul 7, 2022
Backports #12583 * Add context to "tsh ls" in docs Fixes #7051 - Create a partial for how the Teleport Auth Service filters Nodes based on user roles/logins in response to queries. - Add the partial to provide context for example commands that include "tsh ls". - Make our existing text on Teleport's authorization checks clearer by enumerating the checks in the order they are executed in services.RoleSet.CheckAccess. Note that this does not change guides that instruct the user to create a new user and role, since a user following these guides will see the correct "tsh ls" output. * Respond to PR feedback
ptgott
added a commit
that referenced
this pull request
Jul 7, 2022
Add context to "tsh ls" in docs Backports #12583 * Add context to "tsh ls" in docs Fixes #7051 - Create a partial for how the Teleport Auth Service filters Nodes based on user roles/logins in response to queries. - Add the partial to provide context for example commands that include "tsh ls". - Make our existing text on Teleport's authorization checks clearer by enumerating the checks in the order they are executed in services.RoleSet.CheckAccess. Note that this does not change guides that instruct the user to create a new user and role, since a user following these guides will see the correct "tsh ls" output. * Respond to PR feedback
ptgott
added a commit
that referenced
this pull request
Jul 7, 2022
Backports #12583 * Add context to "tsh ls" in docs Fixes #7051 - Create a partial for how the Teleport Auth Service filters Nodes based on user roles/logins in response to queries. - Add the partial to provide context for example commands that include "tsh ls". - Make our existing text on Teleport's authorization checks clearer by enumerating the checks in the order they are executed in services.RoleSet.CheckAccess. Note that this does not change guides that instruct the user to create a new user and role, since a user following these guides will see the correct "tsh ls" output. * Respond to PR feedback
ptgott
added a commit
that referenced
this pull request
Jul 7, 2022
Add context to "tsh ls" in docs Backports #12583 * Add context to "tsh ls" in docs Fixes #7051 - Create a partial for how the Teleport Auth Service filters Nodes based on user roles/logins in response to queries. - Add the partial to provide context for example commands that include "tsh ls". - Make our existing text on Teleport's authorization checks clearer by enumerating the checks in the order they are executed in services.RoleSet.CheckAccess. Note that this does not change guides that instruct the user to create a new user and role, since a user following these guides will see the correct "tsh ls" output. * Respond to PR feedback
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #7051
based on user roles/logins in response to queries.
"tsh ls".
by enumerating the checks in the order they are executed in
services.RoleSet.CheckAccess.
Note that this does not change guides that instruct the user to create
a new user and role, since a user following these guides will see the
correct "tsh ls" output.