search

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.37k stars 1.74k forks source link

Additive Resource access requests #28304

Open tigrato opened 1 year ago

tigrato commented 1 year ago

What would you like Teleport to do?

When a user assumes a resource access request, the resources he has access to are replaced by those included in the access request. This is problematic if users need to access different resources while assuming the access request. A solution would be to include all the required resources in the access request, but that's not always possible.

When a user requests access to a resource, he should keep access to his regular resources and extend them with the new resource.

What problem does this solve?

When a user needs to access multiple resources and they are not known at the request time, it's annoying to create access requests and wait for approval for resources that he regularly has access to.

If a workaround exists, please include it.

Including all the resources he needs in the access request.

othmane399 commented 8 months ago

The really issue here is that a user that have access by default to several resources, loose these access if they assume a resource based role. Which can be a blocker if a user need to keep their active connection that are granted by default on logging + the requested one.

4durban commented 2 months ago

Regards,

We are also interested in this feature, or this way of applying Access Request.

As @tigrato said, we use Access Request and its Dual Authorization in order to extend user privileges, not in order to swap it with different ones.

Image this scenario, we have a DMZ with the web server, and the rest of the service inside a different VLAN with our backend and databases. I want to allow users to access DMZ without any restriction, just login, but if they want to access the backend or the database I want them to need a Dual Authorization (through Access Request), when they assume that roles they loose access to the DMZ machines. So debugging an issue becomes quite complicated because they have access to the database or to the web server in the DMZ, not both at the same time.

This is quite a simple scenario, and I know that you are going to tell me that I can achieve this through role access request instead of resource access request, but, our privilege scenario is more complicated and we are not able to model all of the privileges with a single role, we need more roles just for the basic access.

Regarding the previous scenario if I have 2 different machines in the DMZ (webserver01 and webserver02) with different privileges (different sudoers files for example) I need two different roles, one for each. So how can I make the user keep permissions with a single role in this scenario? There is no way.

So for us being able to keep the previous roles and just add more roles is something extremely useful. I am not saying about making this the default behavior but you may be able to add a flag on the access request section on the role to drop or not the previous roles and let the Admin of the Teleport Cluster decide.

Thank you