Access Requests search returns resources not associated with search_as_roles

[stevenGravy]

Expected behavior:

The access request resources search would not return resources that do not match search_as_roles for a user's roles.

Current behavior:

Users see all resources they have access to in the Access Request resource view, not just searchable ones. This makes it difficult to search for the request specific items since all resources are showing.

For example a user has two roles. One with just access to a set of resources with env: dev and another role with search_as_roles that match to env: prod. Both env: dev and env: prod nodes will show in a new resources request search. If the user attempts to submit an access request they will get an error like below since it's invalid.

Bug details:

• Teleport version: 16.2.0

• Recreation steps

  1. Add two resources such as ssh nodes with one env: dev labeled and another env: prod
  2. Define a role dev-access that has just ssh access to env: dev nodes
  3. Define a role prod-access that has just ssh access to env: prod nodes
  4. Define a role requester-access that allows requesting the prod role

     spec:
     allow:
     request:
     roles:
     - prod-access
     search_as_roles:
     - prod-access

  5. Assign a user to dev-access and requester-access
  6. Attempt to create a new request. Both dev and prod node will show. Add the dev node and attempt to submit.

[avatus]

This error has popped up (and been solved) before and I thought it was checked for in the unified resources page. I'll double check.

However, I think it's just a spaghetti mess trying to solve the actual problem.

The current state of access requests with search_as_roles is that the api request gets extended by your search_as_roles rather than swapping your roles completely. As far as I'm aware, it's been this way forever.

I think it creates a lot of confusion, especially now that we include multiple states in the unified resources view.

I'll bring it up with the UX team this week and see if maybe we can add an "exclusive search_as_roles" state. I think it makes sense in the context of unified resources view now.