Open corkrean opened 2 years ago
If a user has access to read the logs on the auth service, they probably also have access to just disable the client idle timeout, no?
IMO, the better place for this information would be the audit log.
Though if you have to run a long-running script that's going to result in large idle times, it's probably a better UX all around if you do that without a role that enforces an idle timeout. Perhaps using an access request to request a much longer timeout when this script needs to run is the better approach.
In this case, they must always have a client_idle_timeout set. The user would not need permission to view the logs because the alerts would come from a third party like a SIEM or AWS SNS (see SNS example).
An audit log would work.
An access request would not work in this case because the lower client_idle_timeout from the original role would take precedence over the client_idle_timeout: in the assumed role.
What would you like Teleport to do?
Warn users five minutes before a client_idle_timeout: disconnect occurs. To keep it simple, this could be done by emitting a warn level log on the auth service. The users could then set up alerts for this log.

What problem does this solve?
A user is executing a long-running script and would like to be warned before their session is disconnected.

If a workaround exists, please include it.
n/a