Fix missing roles in access lists causing users to be locked out of their account #49456
Conversation
|
While use of deny rules in access lists is discouraged, we do not have a mechanism of preventing it, meaning that it isn't sane to skip roles as it might constitute a privilege escalation. Because of the risk of malformed access lists breaking login, we've already made a single exception to this rule. We allow access list application to fail "atomically". I.e. we assume that failure to apply the entire access lists will not result in privilege escalation, and we make it the user's responsibility to only ever use access lists as a whole as a means of privilege escalation, not privilege limiting the way an individual role might be used. We can solve missing roles locking out users, but it must be solved s.t. the entire access list that assigned the roles is skipped, rather than just skipping the specific role (i.e. none of the roles, traits, etc from that list get applied). |
rudream
force-pushed
the
yassine/access-list-missing-role
branch
from
9b32e7f to
8c8055b
Compare
@fspmarshall After confirming with the customer, I've gone with this approach and updated this PR. |
|
@smallinsky I would appreciate your review on this one too if you have a few minutes this week 🙏 |
rudream
force-pushed
the
yassine/access-list-missing-role
branch
from
8845fb9 to
b91148a
Compare
lib/auth/userloginstate/generator.go
Outdated
| if missingRoles != nil { | ||
| g.emitSkippedAccessListEvent(ctx, accessList.Spec.Title, missingRoles, user.GetName(), trace.NewAggregate(notFoundErrs...)) | ||
| return nil, nil, nil | ||
| } |
There was a problem hiding this comment.
Could you add a high-level comment to explain why the flow skips the entire access list instead of skipping individual roles based on @fspmarshall feedback #49456 (comment)
Something like:
// The flow is designed to skip the entire access list rather than processing individual roles within it.
// This approach ensures that access lists are treated as cohesive units of access control. Partial
// application of an access list could result in unintended permission configurations, potentially leading
// to security vulnerabilities or unpredictable behavior.
Purpose
This PR resolves #43775
This PR fixes an issue where users would be logged out and locked out of their accounts if their access list references a role which no longer exists. This can occur when the role in the access list has a TTL and expires.
When generating the
UserLoginState, any access lists which reference one or more non-existent roles will be skipped entirely, and an audit event is emitted as a notice.changelog: Fix missing roles in access lists causing users to be locked out of their account