docs: include a separate page for OSS access requests #22613
Conversation
github-actions
bot
requested review from
alexfornuto,
ptgott,
r0mant and
xinding33
| ## Requesting Access | ||
|
|
||
| While Teleport Enterprise supports the same CLI-based workflows for requesting | ||
| access to roles, most users will prefer to request access via the web UI. |
There was a problem hiding this comment.
Note to reviewers: I didn't cover the tsh flow for requesting access from the command line. Wasn't sure if I should duplicate a bunch of that info here or link to that page in some way, so I just briefly mentioned it here.
There was a problem hiding this comment.
If the tsh flow is what you're referencing with "the same CLI-based workflow", then we need to mention it somehow. That "the same" isn't referencing anything previously discussed.
There was a problem hiding this comment.
It's previously discussed in the admonition 5-10 lines above?
| In OSS Teleport, Access Requests must be reviewed by a cluster administrator | ||
| with the ability to run `tctl` on the Auth Server. | ||
|
|
||
| Administrators can list requests with `tctl requests ls`, and view the details | ||
| of a particular request with `tctl requests get`. | ||
|
|
||
| To quickly approve or deny a request, use `tctl requests review`. | ||
|
|
||
| For example, to approve a request: | ||
|
|
||
| ```code | ||
| $ tctl requests review --approve --author=bob bc8ca931-fec9-4b15-9a6f-20c13c5641a9 | ||
| ``` |
There was a problem hiding this comment.
Hey, my bad, I was misremembering the requirements for this when we chatted earlier
It is not necessary to run tctl on the auth server necessarily, you just need update permissions for access_request resources in one of your roles. So you could have a reviewer role like this and use tctl remotely:
kind: role
version: v6
metadata:
name: reviewer
spec:
allow:
rules:
- resources:
- access_request
verbs:
- updateAlso, I believe tctl requests review will not work in OSS. This is because whatever user you give for the --author flag, they will not be allowed to review requests, because non of their roles can have spec.allow.review_requests in OSS.
So, only tctl request approve or tctl request deny should work in OSS.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
My bad, should have actually tried that, I was missing the rules block in the yaml, I've updated the yaml in the original comment to a role I just tested
There was a problem hiding this comment.
Thanks for the update. I added the required lines to my reviewer role:
kind: role
metadata:
id: BLAH
name: reviewer
spec:
allow:
...
...
rules:
- resources:
- access_request
verbs:
- update
...
...Then I logged out and in as a user with that role:
> Profile URL: https://myhomelabdomain
Logged in as: alex
Cluster: myhomelabdomain
Roles: access, auditor, dba, editor, reviewer, sp-managerBut I still don't see requests:
❯ tctl requests ls
Token Requestor Metadata Resources Created At (UTC) Request TTL Session TTL Status Request Reason Resolve Reason
----- --------- -------- --------- ---------------- ----------- ----------- ------ -------------- --------------
❯
Edit: PS I was still able to approve, but in this scenario the requester has to provide the request ID manually to the reviewer.
There was a problem hiding this comment.
right, in order to view them you will need the read and list verbs, I should have included those
There was a problem hiding this comment.
So you could have a reviewer role like this and use tctl remotely:
I'm not sure we should even mention this. If you can't use tctl locally, then you're probably on Cloud, which means you can use tsh.
Adding these allow rules is a slippery slope because you can accidentally give yourself too many permissions and break the security of the access request system. What do you think about not mentioning it in the docs, even though it does work?
There was a problem hiding this comment.
If you can't use tctl locally, then you're probably on Cloud
Or you're a security tech with admin rights in Teleport, but not given direct access to the host running the auth service.
Or you can access it, but it's difficult enough to access a shell in that environment. In my case, the auth service is in a container on a server, so I need to SSH then docker exec a shell or tctl command. Or what about a k8s cluster?
Just my 2¢, do as you will.
There was a problem hiding this comment.
Okay @nklaassen @alexfornuto it seems this is our unresolved item.
I am hesitant to even mention how to configure RBAC to run tctl remotely here, as these rules allow you to modify any access request, including those of your own or of others. If this is done in an enterprise environment it could result in privilege escalation attacks.
Thoughts?
There was a problem hiding this comment.
I agree that we should not recommend to include update rules for access requests, it gives too much power to the reviewer. Technically running tctl directly on Auth gives you even more power that could be abused, but I think it makes it clear that this should only be possible for cluster admins and avoids us publishing a dangerous config that people could copy and use without realizing it.
docs/pages/access-controls/access-requests/oss-role-requests.mdx
Outdated
Show resolved
Hide resolved
docs/pages/access-controls/access-requests/oss-role-requests.mdx
Outdated
Show resolved
Hide resolved
| In OSS Teleport, Access Requests must be reviewed by a cluster administrator | ||
| with the ability to run `tctl` on the Auth Server. | ||
|
|
||
| Administrators can list requests with `tctl requests ls`, and view the details | ||
| of a particular request with `tctl requests get`. | ||
|
|
||
| To quickly approve or deny a request, use `tctl requests review`. | ||
|
|
||
| For example, to approve a request: | ||
|
|
||
| ```code | ||
| $ tctl requests review --approve --author=bob bc8ca931-fec9-4b15-9a6f-20c13c5641a9 | ||
| ``` |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
| ```code | ||
| $ tctl request approve \ | ||
| --roles="db-support" \ | ||
| --reason="approved access to db-support, dba is not necessary" |
There was a problem hiding this comment.
Because the ID is part of the command.
| --reason="approved access to db-support, dba is not necessary" | |
| --reason="approved access to db-support, dba is not necessary" \ |
| ## Requesting Access | ||
|
|
||
| While Teleport Enterprise supports the same CLI-based workflows for requesting | ||
| access to roles, most users will prefer to request access via the web UI. |
There was a problem hiding this comment.
If the tsh flow is what you're referencing with "the same CLI-based workflow", then we need to mention it somehow. That "the same" isn't referencing anything previously discussed.
public-teleport-github-review-bot
bot
removed request for
r0mant,
xinding33 and
ptgott
zmb3
force-pushed
the
zmb3/access-request-docs
branch
from
952c9c3 to
0f04f26
Compare
OSS Teleport supports access requests in a very limited fashion. Make this clear by adding a separate page that covers the supported OSS features.
Also fix a number of other small requests and issues with the docs while we're here, and add screenshots for the web UI workflows.
Closes #4818
Closes #13175
Closes #14889
Closes #15979
Closes #22587