gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Moderated session mode other than peer not working on webshell. #15231

Closed john-kyuhae-lee closed 2 years ago

john-kyuhae-lee commented 2 years ago

Following example here: https://goteleport.com/docs/access-controls/guides/moderated-sessions/

Both roles are version: v5.

moderated role yaml:

metadata:
  name: prod-access
spec:
  allow:
    require_session_join:
      - name: Auditor oversight
        filter: 'contains(user.roles, "auditor")'
        kinds: ['k8s', 'ssh']
        modes: ['moderator']
        count: 2

moderator role yaml:

kind: role
metadata:
  name: auditor
spec:
  allow:
    join_sessions:
      - name: Auditor oversight
        roles: ['prod-access']
        kinds: ['k8s', 'ssh']
        modes: ['moderator', 'observer']

Expected behavior: A user with the auditor role should be able to join a session in moderator mode.

Current behavior: An auditor joining a session created by a user with the prod-access role results in the following error.

insufficient permissions to join session

The mode for a webshell is always set to peer and doesn't allow the moderator and observer roles to join the session, even though the require_session_join setting requests modes other than peer.

Bug details:

xacrimon commented 2 years ago

Hi, this is an explicit limitation of moderated sessions in their current state and not a bug. We only support observer and moderator for joining via tsh.

zmb3 commented 2 years ago

Closing as duplicate of #13936
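
Added example, not part of the thread and not Teleport's own code: a simplified Go model of how the two role entries above interact, assuming a join is permitted only when the requested mode appears in a matching join_sessions entry. All type and function names are hypothetical. It shows why a join in peer mode (the mode the reporter says the web shell always uses) is denied while a moderator join is allowed, and that count: 2 is met only by two matching moderators.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
)

// Simplified model of the role fields in this issue, not Teleport's own evaluator.
type JoinPolicy struct{ Roles, Kinds, Modes []string } // one join_sessions entry

type RequirePolicy struct { // one require_session_join entry (kinds omitted: assumed to apply)
	Modes  []string
	Count  int
	Filter func(roles []string) bool // stands in for the filter expression
}
type Participant struct {
	Roles []string
	Mode  string
}

var ErrDenied = errors.New("insufficient permissions to join session")

// CanJoin allows a join only if one entry covers the kind, the mode and an owner role.
func CanJoin(policies []JoinPolicy, ownerRoles []string, kind, mode string) error {
	for _, p := range policies {
		for _, r := range ownerRoles {
			if slices.Contains(p.Kinds, kind) && slices.Contains(p.Modes, mode) && slices.Contains(p.Roles, r) {
				return nil
			}
		}
	}
	return ErrDenied
}

// Fulfilled reports whether enough present participants match the filter and modes.
func Fulfilled(req RequirePolicy, present []Participant) bool {
	n := 0
	for _, p := range present {
		if req.Filter(p.Roles) && slices.Contains(req.Modes, p.Mode) {
			n++
		}
	}
	return n >= req.Count
}

func main() { // constructed data matching the auditor role in this issue
	auditor := []JoinPolicy{{[]string{"prod-access"}, []string{"k8s", "ssh"}, []string{"moderator", "observer"}}}
	for _, mode := range []string{"moderator", "peer"} { // requested join mode
		fmt.Println(mode, "->", CanJoin(auditor, []string{"prod-access"}, "ssh", mode))
	}
}
```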