From 58e4ae5bc629771626e65877e25d43531f86a1f3 Mon Sep 17 00:00:00 2001
From: Zac Bergquist
Date: Tue, 28 Jun 2022 10:38:39 -0600
Subject: [PATCH] Document new pin_source_ip role option (#13495)
---
 docs/pages/access-controls/reference.mdx | 6 +++---
 docs/pages/includes/role-spec.mdx | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx
index 7530d19e50ecd..6cd67bb25702d 100644
--- a/docs/pages/access-controls/reference.mdx
+++ b/docs/pages/access-controls/reference.mdx
@@ -213,8 +213,8 @@ RBAC lets teams limit what resources are available to Teleport users. This can b
 you don't want regular users editing SSO (`auth_connector`) or creating and editing new roles (`role`).
-Below is an example `allow` section that illustrates commonly used `rules`. 
-Each rule includes a list of Teleport resources and the CRUD 
+Below is an example `allow` section that illustrates commonly used `rules`.
+Each rule includes a list of Teleport resources and the CRUD
 operations that a user is allowed to execute on them:
 ```yaml
@@ -347,5 +347,5 @@ Here is an explanation of the fields used in the `where` and `filter` conditions
 | `ssh_session.participants` | The list of participants from an SSH session |
 | `user.metadata.name` | The user's name |
-Check out our [predicate language](../setup/reference/predicate-language.mdx#scoping-allowdeny-rules-in-role-resources) 
+Check out our [predicate language](../setup/reference/predicate-language.mdx#scoping-allowdeny-rules-in-role-resources)
 guide for a more in depth explanation of the language.
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
index 2165ca3eb085b..0e5fb98cb957e 100644
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@@ -58,6 +58,10 @@ spec:
 # if unspecified. If one or more of the user's roles has disabled
 # the clipboard, then it will be disabled.
 desktop_clipboard: true
+ # When enabled, the source IP that was used to log in is embedded in the SSH
+ # certificate, preventing a compromised certificate from being used on other
+ # devices. The default is false.
+ pin_source_ip: true
 # Specify a list of names and associated values to be included in user SSH keys.
 # The key type can only be "ssh" and the mode can only be "extension".
 # The name and value fields can be arbitrary strings and the value field