gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Allow self-approval of access requests #13416

Open webvictim opened 2 years ago

webvictim commented 2 years ago

What would you like Teleport to do?

Currently, Teleport hardcodes a limitation which prevents a user from approving their own access requests, even when they have permissions to approve the roles they're requesting.

I have had at least 3 different people ask for the ability to override this limitation - perhaps as an RBAC rule on a role itself to allow self-approvals.

What problem does this solve?

Teleport provides a great flow for requesting elevated access and logging approval/any use of it. People would like to use this functionality to restrict their own access by default, but easily be able to escalate it on demand and track the reasons for doing so.

If a workaround exists, please include it.

Create an approver user, give it a role allowing request approval, export a long-lived certificate for it with tctl auth sign (or use Machine ID) and build a flow which wraps a tsh request review --approve call using this approver user.

There is also an "unofficial" workaround using tctl request approve which isn't subject to the same self-approval restriction, but is not guaranteed to function forever.

It's also possible to use the Pagerduty plugin to do this, or write your own automatic self-approval plugin.
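The wrapper sketched in the workaround above, as an added example that is not Teleport's own code: it runs `tsh request review --approve` under a dedicated approver identity exported with `tctl auth sign`, and refuses requests whose roles fall outside a fixed allowlist or that carry no reason, so the audit event always records why the elevation happened. The identity path, proxy address and role names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not Teleport project code): wrap `tsh request review --approve`
# so that it runs as a dedicated approver identity. The identity file path, the
# proxy address and the role names below are constructed placeholders.

APPROVER_IDENTITY="${APPROVER_IDENTITY:-/etc/teleport/approver-identity.pem}"
PROXY_ADDR="${PROXY_ADDR:-teleport.example.com:443}"
# Only these roles may be self-approved; anything else still needs a human.
ALLOWED_ROLES="${ALLOWED_ROLES:-dba-elevated k8s-admin}"

# role_allowed ROLE -> 0 if ROLE is on the allowlist, 1 otherwise
role_allowed() {
  for r in $ALLOWED_ROLES; do
    [ "$r" = "$1" ] && return 0
  done
  return 1
}

# check_request ID REASON ROLE... -> 0 if the request may be approved.
# Refuses a malformed ID, an empty reason (the reason is what ends up in the
# audit event) and any requested role that is not on the allowlist.
check_request() {
  id=$1
  reason=$2
  shift 2
  case $id in
    ????????-????-????-????-????????????) ;;   # access request IDs are UUIDs
    *) echo "refusing: malformed request id '$id'" >&2; return 2 ;;
  esac
  [ -n "$reason" ] || { echo "refusing: a reason is required" >&2; return 3; }
  [ $# -gt 0 ] || { echo "refusing: no roles given" >&2; return 4; }
  for role in "$@"; do
    role_allowed "$role" || { echo "refusing: role '$role' is not self-approvable" >&2; return 5; }
  done
  return 0
}

# approve_request ID REASON ROLE... -> submits the approval as the approver user
approve_request() {
  check_request "$@" || return $?
  tsh -i "$APPROVER_IDENTITY" --proxy "$PROXY_ADDR" \
    request review --approve --reason "$2" "$1"
}

# Usage: approve_request <request-id> "<reason>" <requested-role>...
```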

webvictim commented 2 years ago

Similar to https://github.com/gravitational/teleport/issues/12079

campanamarco commented 2 years ago

+1: a current Q3 prospect has also asked about this capability.

dmsergeevN26 commented 1 year ago

This is also relevant for us. It's certainly useful to have an ability to self-approve when required.

programmerq commented 1 year ago

This workflow can be implemented using an access workflow plugin. Technically, the plugin would verify based on whatever logic/policy it is supposed to follow.

I have seen plenty of folks do this sort of workflow with success. The example plugin in the teleport repo is a good starting point for doing a DIY plugin that can auto-approve. You still get the audit events, so it works somewhat similarly to sudo in practice.

dengliu commented 11 months ago

Is there any update about this feature? We must have it 💯

NitriKx commented 8 months ago

Would be great to have this one! 💯

KurtLehnardt commented 5 months ago

Any updates?