gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

User can't see nodes if missing principals #13783

Open russjones opened 2 years ago

russjones commented 2 years ago

Umbrella: Improve user experience for users trying Teleport with self-signed certificates.

Our getting started for local users has this:

tctl users add --roles=editor,access test

The problem is that this user has no principals, and it should have been:

tctl users add --logins=ubuntu --roles=editor,access test

This one requires a creative solution. First of all, the user should be able to add principals without removing the user entry. Second, we should find a way to explain to users why they don't see the nodes if they are missing principals.

We only guessed (properly) when troubleshooting. But there should be a better way. For example, if users see an empty list of nodes, they should see a different empty state:

Not seeing nodes? Your user is missing Linux principals. If trying Teleport for the first time, follow this guide:

https://goteleport.com/docs/getting-started#principals

Related issues: https://github.com/gravitational/teleport/issues/9790 https://github.com/gravitational/teleport/issues/10574

russjones commented 2 years ago

We have the ability to update parts of a YAML resource in tctl already with set-roles:

https://github.com/gravitational/teleport/blob/master/tool/tctl/common/user_command.go#L92-L95

Let's add something similar here, maybe tctl users update --set-logins.

Let's also break this work into parts so we can get it out quicker.

xinding33 commented 2 years ago

Hello, regarding the Web UI changes:

r0mant commented 2 years ago

@atburke @jakule Let's punt on this for now. As part of the Teleport Discover wizard we're updating the "get nodes" API to return all nodes even if your principals list is empty, so this will partially be addressed then. Once that's done, we'll come back here and decide how we want to handle the scenario when you can see the servers but don't have any principals to connect as.

PAStheLoD commented 7 months ago

Hello,

Currently, on the 14.3.2 open source edition, when we add a new user it gets created and saved to the SQLite DB without logins set, and therefore the newly created user cannot log in to nodes (neither via the web terminal nor via the CLI).

This works as a quick fix for now:

tctl users update --set-logins=root <username>
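
An added example (not from the thread or the Teleport project): a Python check that finds local users whose `logins` trait is empty, the condition this issue describes, and builds the `tctl users update --set-logins` command from the last comment for each one. It assumes the JSON shape of `tctl get users --format=json` (`spec.traits.logins`); the sample records and the `<os-login>` placeholder are constructed, and logins granted statically by a role are not considered.

```python
import json
import shlex
import sys

# Constructed sample shaped like `tctl get users --format=json` output (not real data).
SAMPLE_USERS_JSON = """
[
  {"kind": "user", "version": "v2", "metadata": {"name": "test"},
   "spec": {"roles": ["editor", "access"], "traits": {"logins": null}}},
  {"kind": "user", "version": "v2", "metadata": {"name": "alice"},
   "spec": {"roles": ["access"], "traits": {"logins": ["ubuntu"]}}},
  {"kind": "user", "version": "v2", "metadata": {"name": "bob"},
   "spec": {"roles": ["access"]}}
]
"""


def users_missing_logins(users_json):
    """Return sorted names of users whose `logins` trait is absent or empty."""
    users = json.loads(users_json)
    if isinstance(users, dict):  # tolerate a single resource instead of a list
        users = [users]
    missing = []
    for user in users:
        if user.get("kind") != "user":
            continue
        traits = (user.get("spec") or {}).get("traits") or {}
        # Treat null, [], and blank strings all as "no principals".
        logins = [l for l in (traits.get("logins") or []) if l and l.strip()]
        if not logins:
            missing.append(user["metadata"]["name"])
    return sorted(missing)


def remediation_commands(names, login="<os-login>"):
    """Build one `tctl users update --set-logins` command per user.

    `login` is a placeholder: pick the least-privileged OS account the user needs.
    """
    return [f"tctl users update --set-logins={login} {shlex.quote(n)}" for n in names]


if __name__ == "__main__":
    # Pipe real output in, or run with no input to use the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    for cmd in remediation_commands(users_missing_logins(piped or SAMPLE_USERS_JSON)):
        print(cmd)
```

The commands are only printed, so each login can be reviewed before anything is applied.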