Open WilliamLoy opened 1 year ago
This is exactly the issue we've been facing recently. It is indeed counter intuitive that require_session_join are scoped like that and it's a giant pain having to work around it.
My suggestion would be to scope it to <node, os login> and not just node as to enable the following workflow: regular infrastructure access requires moderation but incident resolution activities do not.
Another idea would be to move evaluation of require_session_join
filters and counts on session start and not join. this would allow me to specify a policy that would have count set to 1 and if the user has the oncall role then the filter is satisfied
@nklaassen The idea is to limit require session join only to resources that match the labels in this role.
Backwards compatibility, create a v7
allow:
require_session_join:
...
kube_labels:
* : *
Is it possible to limit it to <node, os login> tuple for servers? this could greatly help us where a user would then be able to pick whether or not to use an unmoderated oncall login or the regular moderated one
We could solve this, without breakages, by letting customers specify different "require_session_join" modes:
FWIW, the same "poison pill" problem exists with ssh_file_copy
(https://github.com/gravitational/teleport/issues/38567, https://github.com/gravitational/teleport/issues/20116) and would likely require a similar solution.
Expected behavior: A role with require_session_join should not apply to resource labels in a separate role without require_session_join when both roles are assigned to the same user.
Customers need the ability to create tiers of access severity across commonly used architectures, such as an environment with a Testing, Staging, and Production environment.
Current behavior: If a user is assigned a role without require_session_join and a role with require_session_join, the session joining requirement is applied to all other roles assigned to that user.
This behavior prevents a customer from being able to specify permissive access for development environments and restrictive access for production environments for the same user. This is very disruptive to a user who works in multiple levels of access severity. Customers should not be required to make their lower environments just as restrictive as their production environments.
For example:
The operator role above doesn't require session joining to access resources labeled with aws/Environment: DEV. This works as expected. If we add the following session-join role to the same user, aws/Environment: DEV is forced to require a joined session even though that is not a requirement of the operator role.
The workaround would be to use an access request for the role with require_session_join. However, this presents a couple of problems:
Bug details: