gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Host User Creation group reconciliation removes groups from users not managed by Teleport #45536

Closed rosstimothy closed 2 months ago

rosstimothy commented 2 months ago

After https://github.com/gravitational/teleport/issues/41178 was resolved, Teleport will attempt to reconcile groups for users when host user creation is enabled. However, as pointed out by @strideynet in https://github.com/gravitational/teleport/issues/45411#issuecomment-2285899405:

Additionally, I think there's another problematic behavior here where we are updating groups for users regardless of whether or not they were created by Teleport. Surely we only want to manage the groups of users that were created by Teleport?

Introduced by https://github.com/gravitational/teleport/pull/41919

rosstimothy commented 2 months ago

Going forward Teleport should only reconcile groups if the user can be identified as managed by Teleport. Presently this is only possible for users created when using DROP or INSECURE DROP mode because they get added to a teleport-system group. Users created in KEEP mode are not added to any groups, so Teleport cannot determine if an existing user is managed by Teleport or not.

To fix this issue Teleport should start adding users created in KEEP mode to a teleport-managed group. Any users previously created by Teleport have three options for migrating to being managed by Teleport:

1) update host_groups in the user's role to include teleport-managed
2) manually delete the local user from the host
3) manually add the local user to the teleport-managed group

This also applies to static host users which will exist in the near future. These users are going to be added to the teleport-static group so they will be identifiable out of the gate.
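The guard proposed above, written out as an added Go example (not Teleport's own code): reconciliation only touches a user whose group list contains one of the marker groups named in the thread, and it never strips the marker itself. The function names and the handling of the user's primary group are assumptions; the marker group names are the ones from the issue.

```go
package main

// Marker groups that identify a local user as created by Teleport (names from the issue):
// teleport-system (DROP/INSECURE_DROP), teleport-managed (proposed for KEEP), teleport-static.
var teleportMarkerGroups = map[string]bool{
	"teleport-system":  true,
	"teleport-managed": true,
	"teleport-static":  true,
}

// IsTeleportManaged reports whether any current group is a Teleport marker.
func IsTeleportManaged(currentGroups []string) bool {
	for _, g := range currentGroups {
		if teleportMarkerGroups[g] {
			return true
		}
	}
	return false
}

func toSet(groups []string) map[string]bool {
	set := make(map[string]bool, len(groups))
	for _, g := range groups {
		set[g] = true
	}
	return set
}

// PlanGroupReconcile diffs the user's current host groups against the role's host_groups
// and returns the groups to add and remove. Users without a marker group are left
// untouched (managed == false); marker groups are never removed so the user stays identifiable.
func PlanGroupReconcile(currentGroups, desiredGroups []string) (add, remove []string, managed bool) {
	if !IsTeleportManaged(currentGroups) {
		return nil, nil, false
	}
	current, desired := toSet(currentGroups), toSet(desiredGroups)
	for _, g := range desiredGroups {
		if !current[g] {
			add = append(add, g)
			current[g] = true // so a repeated entry is only added once
		}
	}
	for _, g := range currentGroups {
		if !desired[g] && !teleportMarkerGroups[g] {
			remove = append(remove, g)
			desired[g] = true
		}
	}
	return add, remove, true
}
```

A pre-existing admin account with groups sudo,docker therefore yields no changes at all, while a KEEP-mode user in teleport-managed,docker whose role asks for dev gets dev added and docker removed.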