Explain how wildcards work in label matching syntax in role definitions

[ravicious]

Applies To

• https://goteleport.com/docs/access-controls/reference/

Details

A customer asked if they can just write

db_labels:
  foo: bar*

to allow access to DBs with labels foo: bar1, foo: bar2 and so on.

My empirical tests have shown that this is possible, however our docs don't tell that clearly. The access control reference mentions wildcard a couple of times, but it mostly just shows that "*" means any node and doesn't mention wildcarding a suffix such as "bar*". Another problem is the fact that some fields support wildcards while others don't (see Related Issues).

It seems to me we should at least document how wildcards work in our label matching syntax.

How will we know this is resolved?

When the Access Controls reference explains how wildcards work in label matching syntax.

Related Issues

• https://github.com/gravitational/teleport/issues/16428
• https://github.com/gravitational/teleport/issues/25193

[ptgott]

Let's change the "RBAC for infrastructure resources" H2 of the Access Controls reference to:

• Indicate the specific fields that regular (non-label expression) label matchers apply to. Currently, we only provide examples of node_labels and db_labels, then move on to label expressions.
• Describe the way globs and regular expressions work in these label fields.