gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Desktop sessions are recorded even if all of a user's roles disable recording #42522

Closed ibeckermayer closed 3 months ago

ibeckermayer commented 3 months ago

Expected behavior: Our docs state:

Because recording can be important for auditing and compliance concerns, the presence of a single role with recording enabled will result in the session being recorded. In other words, all of the roles applied to a user must explicitly disable recording to prevent the session from being recorded.

Which means that if all of a user's roles explicitly disable desktop recordings, desktop sessions should not be recorded.
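As an added illustration of that rule (not code from the Teleport project), the merge logic can be written as a small Go function over the roles assigned to a user; it assumes, following the docs' "enabled by default", that a role which leaves `record_session.desktop` unset counts as enabling recording:

```go
package main

import "fmt"

// RoleOptions models just the part of a role's spec.options that matters
// for desktop recording. Desktop is tri-state: nil means the role never set
// record_session.desktop at all (assumption: treated as recording enabled,
// the documented default), otherwise it holds the explicit value.
type RoleOptions struct {
	Name    string
	Desktop *bool // spec.options.record_session.desktop
}

func boolPtr(b bool) *bool { return &b }

// RecordDesktopSession applies the documented merge rule: a single role that
// enables (or does not mention) desktop recording wins, so every assigned
// role must explicitly set desktop: false for the session not to be recorded.
func RecordDesktopSession(roles []RoleOptions) bool {
	for _, r := range roles {
		if r.Desktop == nil || *r.Desktop {
			return true
		}
	}
	return false
}

func main() {
	// Constructed to match the issue: access and editor both set desktop: false.
	bothOff := []RoleOptions{
		{Name: "access", Desktop: boolPtr(false)},
		{Name: "editor", Desktop: boolPtr(false)},
	}
	// Same user plus a hypothetical third role that never mentions record_session.
	withUnset := []RoleOptions{
		{Name: "access", Desktop: boolPtr(false)},
		{Name: "editor", Desktop: boolPtr(false)},
		{Name: "some-other-role"},
	}
	fmt.Println("access+editor recorded:", RecordDesktopSession(bothOff))
	fmt.Println("plus an unset role, recorded:", RecordDesktopSession(withUnset))
}
```

The second case is the one that bites in practice: adding any role that is silent about `record_session` re-enables recording for the whole session.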

Current behavior:

In a cluster with proxy/auth:

teleport.yaml

```yaml
version: v3
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  license_file: /home/ubuntu/license.pem
  proxy_listener_mode: multiplex
  authentication:
    second_factor: off
  session_recording: "node-sync"
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:3080
  public_addr: ec2-3-91-244-156.compute-1.amazonaws.com:3080
```

and w_d_s:

wds.yaml

```yaml
version: v3
# need this for tunneling
teleport:
  data_dir: ~/teleport-wds/data
  proxy_server: ec2-3-91-244-156.compute-1.amazonaws.com:3080 # This tells the system where the proxy is to create a tunnel.
  # auth_servers:
  # - 127.0.0.1:3080 # This tells the system where the proxy is to create a tunnel.
  auth_token: dd74293d7c1a7e88576279a59789a18c
windows_desktop_service:
  enabled: yes
  # listen_addr: "0.0.0.0:3028" # this should be commented out for tunneling mode
  show_desktop_wallpaper: true
  ldap:
    addr: "ec2-35-153-18-228.compute-1.amazonaws.com:636"
    domain: "teleport.dev"
    username: 'TELEPORT\svc-teleport'
    sid: "S-1-5-21-3364193892-2067355656-2468816952-1103"
    server_name: "EC2AMAZ-3DV9NGP.teleport.dev"
    insecure_skip_verify: false
    ldap_ca_cert: |
      -----BEGIN CERTIFICATE-----
      MIIDhTCCAm2gAwIBAgIQYyP+/l4J+LJMfkjX5ex39zANBgkqhkiG9w0BAQwFADBV
      MRMwEQYKCZImiZPyLGQBGRYDZGV2MRgwFgYKCZImiZPyLGQBGRYIdGVsZXBvcnQx
      JDAiBgNVBAMTG3RlbGVwb3J0LUVDMkFNQVotM0RWOU5HUC1DQTAeFw0yNDA1Mjky
      MjAzMTVaFw0yOTA1MjkyMjEzMTNaMFUxEzARBgoJkiaJk/IsZAEZFgNkZXYxGDAW
      BgoJkiaJk/IsZAEZFgh0ZWxlcG9ydDEkMCIGA1UEAxMbdGVsZXBvcnQtRUMyQU1B
      Wi0zRFY5TkdQLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArTs5
      RObVv43jkKGHMHJJB2xI8+bsq++W5rlGYbKGSd88gzL/NdbrY8+9QFty4EIQpOtq
      m+4/8esRVMfGIfExdFUXX4Lbnu03EvhebWDVT5/5Cnh0aLyDvCVeSxC/cJ+c1t6A
      SFwKWMMIxas9MrQsSQtOcAShE74mdFlDkVsOOCXM5xBJZNOgAuasFJK/+eWD0kuq
      WnqeB5t4VWGSDqtzowzFlRK4fTySk9mphj7huZUYfAFY9PIpheUQ13vM7bf6pVAZ
      p0rFvYvHmXK5T1VFEnWEff4U1D9nJj/yZ43g2XoOdUNH/pn030H9LXMW1B8PAGhv
      vqWXzhlO5DPm1XbsGQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw
      AwEB/zAdBgNVHQ4EFgQU5BJn4TPLbQRj7hbw4D+8pTJsamMwEAYJKwYBBAGCNxUB
      BAMCAQAwDQYJKoZIhvcNAQEMBQADggEBAJF+HYcwdhmK2T3GM3AVoH5Gs73Qftcs
      eSJM4xRKc9jIhv//wleJcPouEUvkoqqEoV1a5XNzGwJxYlfS5k4eNtWuxkMwulvz
      eMu0M4yiLkpmUdTBacoy2MaDl2fWb2h7+CmmqTZ8v0v8xPoGGtU1Uk6BrtsLLkWC
      0G9BI1x8ZQne0mk9JkheNFg7oqp6ZkHE7TXAt7SwTyTXzAm2bYshLjYU7SKHG3un
      1bFft+pUnK/QJnFI9SxubM1sumWoVN0KA86jqcSZ0a1kuUc3bnHDuLFMZe3r0Hpv
      KcheOxZdlAL1VyLhDTGGOmWBDTwbkGP+0jMaCEIw7RGD2/4sEJZkBX8=
      -----END CERTIFICATE-----
  discovery:
    base_dn: "*"
    # hosts:
    # - ec2-35-153-18-228.compute-1.amazonaws.com
    # non_ad_hosts:
    # - ec2-3-86-148-177.compute-1.amazonaws.com
  static_hosts:
  - name: static-host-ad
    ad: true
    addr: ec2-35-153-18-228.compute-1.amazonaws.com
  - name: static-host-non-ad
    ad: false
    addr: ec2-3-86-148-177.compute-1.amazonaws.com
auth_service:
  enabled: no
ssh_service:
  enabled: no
proxy_service:
  enabled: no
```

and a user with two roles, access and editor, both of which have options.record_session.desktop = false (note that access has been modified from its default):

access.yaml

```yaml
kind: role
metadata:
  description: Access cluster resources
  labels:
    teleport.internal/resource-type: preset
  name: access
  revision: 66858d19-9fbc-4193-a210-0ce30476da26
spec:
  allow:
    app_labels:
      '*': '*'
    aws_role_arns:
    - '{{internal.aws_role_arns}}'
    azure_identities:
    - '{{internal.azure_identities}}'
    db_labels:
      '*': '*'
    db_names:
    - '{{internal.db_names}}'
    db_roles:
    - '{{internal.db_roles}}'
    db_service_labels:
      '*': '*'
    db_users:
    - '{{internal.db_users}}'
    gcp_service_accounts:
    - '{{internal.gcp_service_accounts}}'
    kubernetes_groups:
    - '{{internal.kubernetes_groups}}'
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
    - kind: '*'
      name: '*'
      namespace: '*'
      verbs:
      - '*'
    kubernetes_users:
    - '{{internal.kubernetes_users}}'
    logins:
    - '{{internal.logins}}'
    node_labels:
      '*': '*'
    rules:
    - resources:
      - event
      verbs:
      - list
      - read
    - resources:
      - session
      verbs:
      - read
      - list
      where: contains(session.participants, user.metadata.name)
    - resources:
      - instance
      verbs:
      - list
      - read
    - resources:
      - assistant
      verbs:
      - list
      - create
      - read
      - update
      - delete
      - use
    - resources:
      - cluster_maintenance_config
      verbs:
      - list
      - read
    windows_desktop_labels:
      '*': '*'
    windows_desktop_logins:
    - '{{internal.windows_logins}}'
  deny: {}
  options:
    cert_format: standard
    create_db_user: false
    create_desktop_user: false
    desktop_clipboard: true
    desktop_directory_sharing: true
    enhanced_recording:
    - command
    - network
    forward_agent: true
    idp:
      saml:
        enabled: true
    max_session_ttl: 30h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      desktop: false
    ssh_file_copy: true
version: v7
```
editor.yaml

```yaml
kind: role
metadata:
  description: Edit cluster configuration
  labels:
    teleport.internal/resource-type: preset
  name: editor
  revision: 8c8cd520-464c-4950-87ad-4858651588a2
spec:
  allow:
    rules:
    - resources: [user]
      verbs: [list, create, read, update, delete]
    - resources: [role]
      verbs: [list, create, read, update, delete]
    - resources: [bot]
      verbs: [list, create, read, update, delete]
    - resources: [crown_jewel]
      verbs: [list, create, read, update, delete]
    - resources: [db_object_import_rule]
      verbs: [list, create, read, update, delete]
    - resources: [oidc]
      verbs: [list, create, read, update, delete]
    - resources: [saml]
      verbs: [list, create, read, update, delete]
    - resources: [github]
      verbs: [list, create, read, update, delete]
    - resources: [oidc_request]
      verbs: [list, create, read, update, delete]
    - resources: [saml_request]
      verbs: [list, create, read, update, delete]
    - resources: [github_request]
      verbs: [list, create, read, update, delete]
    - resources: [cluster_audit_config]
      verbs: [list, create, read, update, delete]
    - resources: [cluster_auth_preference]
      verbs: [list, create, read, update, delete]
    - resources: [auth_connector]
      verbs: [list, create, read, update, delete]
    - resources: [cluster_name]
      verbs: [list, create, read, update, delete]
    - resources: [cluster_networking_config]
      verbs: [list, create, read, update, delete]
    - resources: [session_recording_config]
      verbs: [list, create, read, update, delete]
    - resources: [external_audit_storage]
      verbs: [list, create, read, update, delete]
    - resources: [ui_config]
      verbs: [list, create, read, update, delete]
    - resources: [trusted_cluster]
      verbs: [list, create, read, update, delete]
    - resources: [remote_cluster]
      verbs: [list, create, read, update, delete]
    - resources: [token]
      verbs: [list, create, read, update, delete]
    - resources: [connection_diagnostic]
      verbs: [list, create, read, update, delete]
    - resources: [db]
      verbs: [list, create, read, update, delete]
    - resources: [database_certificate]
      verbs: [list, create, read, update, delete]
    - resources: [installer]
      verbs: [list, create, read, update, delete]
    - resources: [device]
      verbs: [list, create, read, update, delete, create_enroll_token, enroll]
    - resources: [db_service]
      verbs: [list, read]
    - resources: [instance]
      verbs: [list, read]
    - resources: [login_rule]
      verbs: [list, create, read, update, delete]
    - resources: [saml_idp_service_provider]
      verbs: [list, create, read, update, delete]
    - resources: [user_group]
      verbs: [list, create, read, update, delete]
    - resources: [plugin]
      verbs: [list, create, read, update, delete]
    - resources: [okta_import_rule]
      verbs: [list, create, read, update, delete]
    - resources: [okta_assignment]
      verbs: [list, create, read, update, delete]
    - resources: [assistant]
      verbs: [list, create, read, update, delete, use]
    - resources: [lock]
      verbs: [list, create, read, update, delete]
    - resources: [integration]
      verbs: [list, create, read, update, delete, use]
    - resources: [billing]
      verbs: [list, create, read, update, delete]
    - resources: [cluster_alert]
      verbs: [list, create, read, update, delete]
    - resources: [access_list]
      verbs: [list, create, read, update, delete]
    - resources: [node]
      verbs: [list, create, read, update, delete]
    - resources: [discovery_config]
      verbs: [list, create, read, update, delete]
    - resources: [security_report]
      verbs: [list, create, read, update, delete, use]
    - resources: [audit_query]
      verbs: [list, create, read, update, delete, use]
    - resources: [access_graph]
      verbs: [list, create, read, update, delete]
    - resources: [server_info]
      verbs: [list, create, read, update, delete]
    - resources: [access_monitoring_rule]
      verbs: [list, create, read, update, delete]
    - resources: [app_server]
      verbs: [list, create, read, update, delete]
    - resources: [vnet_config]
      verbs: [list, create, read, update, delete]
  deny: {}
  options:
    cert_format: standard
    create_db_user: false
    create_desktop_user: false
    desktop_clipboard: true
    desktop_directory_sharing: true
    enhanced_recording:
    - command
    - network
    forward_agent: true
    idp:
      saml:
        enabled: true
    max_session_ttl: 30h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      desktop: false
    ssh_file_copy: true
version: v7
```

that user's sessions continue to be recorded

ibeckermayer commented 3 months ago

Oops, I just noticed that recordings in fact were disabled. I was seeing them show up in the recording list, but not noticing the fact that they weren't playable:

[Screenshot: 2024-06-05 at 14:49:07]