Teleport: Provide a roles scenario tester

Created on 18 May 2020  路  2Comments  路  Source: gravitational/teleport

Feature Request

Provide command and web mechanisms to list the nodes currently allowed or denied by specific roles. So a command like tctl testroles --roles=dev,staging --showdenied --showusers would return the list of nodes with what roles allow access to a node, what users are assigned with that role, which roles are applying denials and what roles explicitly deny access to the node.

| node  | allowed        | roles allowing              | roles denying | roles not matched |
|-------|----------------|-----------------------------|---------------|-------------------|
| one   | yes            | dev                         |               | staging           |
|       | dev users:     | root, {{external.username}} |               |                   |
| two   | no             |                             | dev           | staging           |
| three | yes            | staging                     |               | dev               |
|       | staging users: | root, ubuntu                |               |                   |

There are multiple options here such as display labels, only show allowed,...

Motivation

Currently creating and managing roles is fairly manual to match to nodes' access. This would provide a tool to validate and troubleshoot the role configuration.

  1. Configuring Roles/Troubleshooting: A administrator is configuring their roles or troubleshooting why a user can't access node with the right user. That would explicitly list the access allowed or denied vs the user having to scan across multiple roles a user is assigned to. That also eliminates the churn of assigning roles to various test users.

  2. Confirm Approval Flow. Prior to granting more access a user could confirm what nodes the individual would get with additional roles. That would let them confirm if the user is getting too many or too few nodes access

  3. Audit Check. A auditor can confirm what nodes are accessible to particular roles. This could be run on regular periods to produce a report showing what nodes are or are not available.

Who's it for?

Pro, Enterprise

cookie rbac sales-onboarding ux

Most helpful comment

A view of this via the web UI when actually manipulating roles would be great too.

All 2 comments

A view of this via the web UI when actually manipulating roles would be great too.

I have been working on role tracer:

https://github.com/gravitational/teleport/pull/4991

And would like to add query API oracle that can answer these questions:

  • What hosts Alice can access?
  • Who can access this resource as root?
  • Can Alice access this host as root?

And others.

Was this page helpful?
0 / 5 - 0 ratings