Provide command and web mechanisms to list the nodes currently allowed or denied by specific roles. So a command like tctl testroles --roles=dev,staging --showdenied --showusers would return the list of nodes with what roles allow access to a node, what users are assigned with that role, which roles are applying denials and what roles explicitly deny access to the node.
| node | allowed | roles allowing | roles denying | roles not matched |
|-------|----------------|-----------------------------|---------------|-------------------|
| one | yes | dev | | staging |
| | dev users: | root, {{external.username}} | | |
| two | no | | dev | staging |
| three | yes | staging | | dev |
| | staging users: | root, ubuntu | | |
There are multiple options here such as display labels, only show allowed,...
Currently creating and managing roles is fairly manual to match to nodes' access. This would provide a tool to validate and troubleshoot the role configuration.
Configuring Roles/Troubleshooting: A administrator is configuring their roles or troubleshooting why a user can't access node with the right user. That would explicitly list the access allowed or denied vs the user having to scan across multiple roles a user is assigned to. That also eliminates the churn of assigning roles to various test users.
Confirm Approval Flow. Prior to granting more access a user could confirm what nodes the individual would get with additional roles. That would let them confirm if the user is getting too many or too few nodes access
Pro, Enterprise
A view of this via the web UI when actually manipulating roles would be great too.
I have been working on role tracer:
https://github.com/gravitational/teleport/pull/4991
And would like to add query API oracle that can answer these questions:
And others.
Most helpful comment
A view of this via the web UI when actually manipulating roles would be great too.