What would you like Teleport to do?
Expand the Teleport RBAC system so that the where clause in role definitions can evaluate additional fields within session objects, specifically session.server_labels. This would allow access rules that check the labels of the server a session ran on (for example, the team that owns the node), so that access to session recordings can be aligned with an individual's role or team.
What problem does this solve?
The Teleport RBAC system currently does not allow the where clause to evaluate session.server_labels, which limits how granular access policies for session recordings can be. The where clause can only evaluate session.participants. For environments with more complex requirements, this is insufficient.
If there are multiple teams of auditors, each team should have access only to the recordings from the nodes they are tasked with auditing.
An auditor from a different team, for example, should not be able to play back recordings from nodes that should only be audited by members of the "payments" audit team.
If a workaround exists, please include it.
Currently there is no known workaround that provides this level of RBAC for session recordings, since session.server_labels cannot be used in the where clause. The existing RBAC settings cannot control access to session recordings based on server labels.
Proposed example for role configuration:
Or dynamically:
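The issue's own proposed configuration is not reproduced here. The following is an added example, not the author's proposal or Teleport's documented syntax for this feature: it shows the role rule that works today (a where clause on session.participants) next to the kind of rule the request is asking for. The session.server_labels field and the equals(...[...]) indexing on it are hypothetical and will not load on a current Teleport cluster; the contains(user.spec.traits[...]) form in the dynamic variant is also an assumption about how a trait-driven rule might look.

```yaml
# Added example, not from the issue or from Teleport's docs.
# Role 1: static variant. Members of the "payments" audit team may only
# list and play back recordings from nodes labelled team=payments.
kind: role
version: v5
metadata:
  name: payments-auditor
spec:
  allow:
    rules:
      # Supported today: a user can see only sessions they took part in.
      - resources: [session]
        verbs: [list, read]
        where: contains(session.participants, user.metadata.name)
      # HYPOTHETICAL (the feature being requested): restrict by server label.
      # session.server_labels does not exist in current Teleport releases.
      - resources: [session]
        verbs: [list, read]
        where: equals(session.server_labels["team"], "payments")
---
# Role 2: dynamic variant (assumption). One role serves every audit team by
# matching the node's team label against a trait on the user, so the team
# assignment lives in the IdP rather than in a per-team role.
kind: role
version: v5
metadata:
  name: team-auditor
spec:
  allow:
    rules:
      # HYPOTHETICAL: both session.server_labels and indexing into
      # user.spec.traits from a where clause are assumptions here.
      - resources: [session]
        verbs: [list, read]
        where: contains(user.spec.traits["audit_teams"], session.server_labels["team"])
```

Two points a practitioner would check before relying on either shape: the where clause only gates the session resource (listing and reading recordings), so node access itself still has to be constrained separately through node_labels; and because allow rules are evaluated as alternatives, keeping the session.participants rule alongside a label rule means an auditor can also replay sessions they joined on nodes outside their team's label, which may or may not be intended.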