gravitational / teleport

https://goteleport.com
GNU Affero General Public License v3.0

RBAC match isn't working with Github Auth for Teleport Community Edition #12261

Status: Closed (benarent closed this 2 years ago)

benarent commented 2 years ago

Current behavior:

I'm currently setting up Teleport Database Access with my test cluster. For some strange reason, with the same role, it'll work with a local user but won't work with a GitHub user. See RBAC log below.

Github RBAC

Apr 27 04:25:25 ip-172-31-8-103 teleport[445]: 2022-04-27T04:25:25Z DEBU [RBAC]      Access to db "aurora" denied, no allow rule matched; [role=access, match(matchers=<nil>) role=aws-console-access, match(label=no match, empty selector) role=default-implicit-role, match(label=no match, empty selector)] services/role.go:1957

Local User

Apr 27 04:29:19 ip-172-31-8-103 teleport[445]: 2022-04-27T04:29:19Z DEBU [RBAC]      Access to db "aurora" granted, allow rule in role "access" matched. services/role.go:1949

Bug details:

stevenGravy commented 2 years ago

Can you share the role and certificate it made for each, @benarent?

benarent commented 2 years ago

Access Role:

kind: role
metadata:
  description: Access cluster resources
  id: 1651029786137578485
  name: access
spec:
  allow:
    app_labels:
      '*': '*'
    db_labels:
      '*': '*'
    db_names:
    - '{{internal.db_names}}'
    - redis
    - aurora
    - bizops
    - mongodb
    - mongodb-atlas
    db_users:
    - '{{internal.db_users}}'
    - alice
    - sre
    - sre-team
    - default
    kubernetes_groups:
    - '{{internal.kubernetes_groups}}'
    - system:masters
    kubernetes_labels:
      '*': '*'
    kubernetes_users:
    - '{{internal.kubernetes_users}}'
    logins:
    - '{{internal.logins}}'
    - ubuntu
    - ec2-user
    - debian
    node_labels:
      '*': '*'
    rules:
    - resources:
      - '*'
      verbs:
      - '*'
    windows_desktop_labels:
      '*': '*'
    windows_desktop_logins:
    - '{{internal.windows_logins}}'
    - Admin
    - Administrator
  deny: {}
  options:
    cert_format: standard
    desktop_clipboard: true
    enhanced_recording:
    - command
    - network
    forward_agent: true
    max_session_ttl: 30h0m0s
    port_forwarding: true
    record_session:
      desktop: true
version: v5

AWS Connect Role

kind: role
metadata:
  name: aws-console-access
spec:
  allow:
    app_labels:
      '*': '*'
    aws_role_arns:
    - arn:aws:iam::981262289404:role/gui_teleport_cloudwatch_full
  deny: {}
  options:
    cert_format: standard
    desktop_clipboard: true
    enhanced_recording:
    - command
    - network
    forward_agent: false
    max_session_ttl: 10h0m0s
    port_forwarding: true
    record_session:
      desktop: true
version: v4

Teleport Admin Role

[image: screenshot of the Teleport Admin role]

Github Auth

kind: github
metadata:
  name: github
spec:
  client_id: xxx
  client_secret: xxx
  display: github
  redirect_url: https://teleport-9a.asteroid.earth:443/v1/webapi/github/callback
  teams_to_logins:
  - logins:
    - access
    - aws-console-access
    organization: gravitational
    team: employees-development
version: v3

benarent commented 2 years ago

When logging in, I used the below with teleport-admin user.

tsh db login --db-user=sre --db-name=postgres aurora -> tsh db connect aurora

I needed to have 'postgres' in my 'access' role.
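The thread ends with the fix (listing `postgres` explicitly in `db_names`). As an added example, not code from the issue or from Teleport itself, here is a simplified Python model of why the same role can grant a local user and deny an SSO user: the `{{internal.db_names}}` and `{{internal.db_users}}` templates expand from per-user traits, and the sample role, traits, and label/name/user matching below are assumptions built from the roles posted above, not Teleport's real evaluation code.

```python
import fnmatch
import re

# Constructed sample (not verbatim from the issue): the database fields of the
# 'access' role posted above, plus traits for a local user created with
# database traits and an SSO user whose connector mapped only roles.
ACCESS_ROLE = {
    "name": "access",
    "allow": {
        "db_labels": {"*": "*"},
        "db_names": ["{{internal.db_names}}", "redis", "aurora",
                     "bizops", "mongodb", "mongodb-atlas"],
        "db_users": ["{{internal.db_users}}", "alice", "sre",
                     "sre-team", "default"],
    },
}
LOCAL_TRAITS = {"db_names": ["postgres"], "db_users": ["sre"]}
SSO_TRAITS = {}
_TEMPLATE = re.compile(r"^\{\{internal\.(\w+)\}\}$")

def expand(values, traits):
    """Expand {{internal.<trait>}} entries from the user's traits; a template
    whose trait is absent expands to nothing (simplified model)."""
    out = []
    for value in values:
        match = _TEMPLATE.match(value)
        if match:
            out.extend(traits.get(match.group(1), []))
        else:
            out.append(value)
    return out

def labels_match(selector, labels):
    """Glob-match a db_labels selector; {'*': '*'} matches every database."""
    if selector == {"*": "*"}:
        return True
    return all(key in labels and fnmatch.fnmatch(labels[key], pattern)
               for key, pattern in selector.items())

def check_db_access(roles, traits, db_labels, db_name, db_user):
    """Return (granted, role_name); simplified model of Teleport's db RBAC."""
    for role in roles:
        allow = role["allow"]
        if not labels_match(allow.get("db_labels", {}), db_labels):
            continue
        names = expand(allow.get("db_names", []), traits)
        users = expand(allow.get("db_users", []), traits)
        if (db_name in names or "*" in names) and (db_user in users or "*" in users):
            return True, role["name"]
    return False, None
```

With these traits the local user reaches database name `postgres` through the expanded template while the SSO user is denied, which is why adding `postgres` to the role's literal `db_names` list resolves it for both.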