Open deusxanima opened 3 years ago
I spend a bit more time after our meeting to review the Zendesk issue and this ticket, and I can now see how 'overrides the global cluster setting' is confusing. As per @awly we should always keep global settings as the limit and restrict it further with roles. For this customer the global client_idle_timeout should be the max. e.g. 8hrs for analysts and other users should have a shorter RBAC rule set to 30m.
I'm going to open a PR to make the docs clear that the override is more of a restriction / shortening of the global setting.
# client_idle_timeout determines if SSH sessions to cluster nodes are forcefully
- # terminated after no activity from a client (idle client). it overrides the
+ # terminated after no activity from a client (idle client). it can shorten the
# global cluster setting. examples: "30m", "1h" or "1h30m"
Thanks for clarifying and confirming @benarent
Description
What happened:
Customer has database analysts that create a long-lived session so they can jump & port-forward to an rds instance. Customer configured cluster global client_idle_timeout at 30m and analyst-role-specific client_idle_timeout at 8h. Analysts are reporting that their sessions are terminating and timing out after 30m vs. honoring the role-specific client_idle_timeout settings. Analysts only get assigned one role so there is no issue of conflicting roles w/ more restrictive settings.
What you expected to happen:
Expectation is that the role-specific client_idle_timeout settings would take precedence over the cluster global client_idle_timeout settings so long as there were no other roles with more restrictive settings in place.
How to reproduce it (as minimally and precisely as possible):
Root Cluster Global Proxy config:
Role on Root Cluster:
Run Following Command:
tsh ssh -L 5001:localhost:3080 root-jumphost
Observe: session will timeout after 1m of idle vs staying open for 10m
Environment
Teleport version: Enterprise 4.4.0
Tsh version: Enterprise 4.4.0
OS: Ubuntu 18.04.5 LTS
Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): aws
Relevant Debug Logs If Applicable