Is it possible that no ACL or RBAC is available for teleport?
So if I add a user "joe" he can log in to all of the joined nodes in the cluster ot thu moment if understand the docs correctly.
How can I restrict user "joe" to be able to login only to the nodes with label "webserver" for example?
You need to provision a new cluster, and then use trusted clusters to do the setup:
https://github.com/gravitational/teleport/blob/master/docs/admin-guide.md#trusted-clusters
It's not supported at the labels level
I think RBAC is a valid feature request - we've been thinking about this as well
Just a thought how this could be implemented via labels:
e.g. we have two sets of labeled nodes:
access-group=normal and access-group=privileged
When adding a user, we can optionally limit the users's access to nodeSelector
e.g.
# alice is admin
add user --name=alice --node-selector=access-group=normal,access-group=privileged
# bob is regular user
add user --name=bob --node-selector=access-group=normal
@kontsevoy what do you think?
I have talked to a few Teleport users who have implemented this using regular user mappings. For example they'd create users like "backup", "deploy" on their machines first. These are essentially become "roles". Then, when adding users, they'd specify which roles they can assume:
tctl users add joe backup,deploy
Is this close enough to your needs, @jaxxstorm ?
Absolutely
Out of curiosity, how would you limit logins to your production servers to a specific group of users? Have a production specific cluster with only those users? Or create production specific users (on the production servers)?
I feel this ticket was closed a bit prematurely...
I still can't limit users even with a trusted cluster: see #490. I'd like to restrict users to be able to connect to a trusted cluster.
Let's say we have deploy, backup "roles" in cluster-production and cluster-testing.
I only want to allow our developers to be able to connect to the cluster-testing as "deploy" and "backup", but not to cluster-production, but the systems engineers should be able to login to both cluster-testing and cluster-production as "deploy" and "backup". How to do this? I think this is not supported by teleport at the moment.
I want to have only 1 server where I store all my users, all other clusters are trusted clusters.
Reopening to keep the conversation going. @woohgit you're right, Teleport does not offer any RBAC features on top of accounts and SSH session keys: this wasn't our internal requirement and to date there isn't a commercial Teleport user asking for it.
@tjwallace The way Teleport is used for restricting access is based on OS Logins. First, you need to define roles, say "deploy" or "backup". Then, you create OS users on _affected machines_ for these roles with sufficient OS-level privileges. And finally, when creating Teleport users, say Joe and Alice, you define "user mappings", so to grant Joe only "deploy" priviliges (like accessing machines with "deploy" role) you will:
tctl users add joe deploy
@woohgit see above. Will it not work for your use case?
@kontsevoy This is clear if you have only 1 environment and 1 environment related roles.
What is the issue when you have at least 2 or 3 environments:
The command below will allow "joe" to login to ANY system (connected as a trusted cluster) as "deploy". I only want to allow "joe" to access to the "testing" environment, but not to the "production" and "staging".
tctl users add joe deploy
@kontsevoy But I"m happy to chat if my needs are not quite clear :)
@woohgit yes sir, you are correct. The desired behavior (to have ACL based on cluster+login) is not something Teleport currently supports. The workarounds are:
a) Having production_deploy + test_deploy.
b) Running separate auth servers on each of your environments and not declaring them as trusted. This way you'll add joe only to select environments. (our internal use case)
See, the "trusted clusters" feature was designed to allow a part of server group (environment) exist behind firewalls, not as an access partitioning tool.
With that said, what you're suggesting is a useful addition, no doubt. My guess is that most likely it will be added when one of commercial Teleport customers asks for it.
As a MSP it could be awesome, based on tags, to allow a customer to access temporarly to its own cluster.
@apestel agreed. it's (tentatively) in the works!
Duplicate of #620
how i give permission to add new user to access existing role.
in teleport embbed with tero tool
plz . help
Most helpful comment
@kontsevoy This is clear if you have only 1 environment and 1 environment related roles.
What is the issue when you have at least 2 or 3 environments:
The command below will allow "joe" to login to ANY system (connected as a trusted cluster) as "deploy". I only want to allow "joe" to access to the "testing" environment, but not to the "production" and "staging".