gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Don't block all access to leaf-cluster if some roles being mapped don't match #7356

Open deusxanima opened 3 years ago

deusxanima commented 3 years ago

What

At times customers may map a role on the root that doesn't exist on the leaf via regex. A problem occurs if certain regex match criteria are used but a role only exists on one side. For example:

Root Cluster:

Leaf Cluster:

Trusted Cluster Mapping:

  role_map:
  - local:
    - $1
    remote: ^(.*)$

This throws an error b/c Role A on Root Cluster does not have an equivalent on Leaf Cluster. Users with both roles on Root Cluster are not able to see anything on Leaf Cluster even though they have Role B on both.

Ask: in scenarios like this, discard the non-matching roles and preserve only those that actually match (i.e., Role B).

Why

Customers with large numbers of roles per cluster and a large number of trusted clusters may not be able to easily manage and maintain static maps between clusters - especially if roles are dynamically created and destroyed often. Regex matching makes sense in these situations; however, certain users may not have a need/permission to administer leaf cluster resources whereas they may have such need/permission to do so on the root. In cases like this it would be beneficial to discard the non-matching roles during the relationship map vs. blocking access to leaf clusters entirely b/c of a single missing or mismatched role.

Workaround

Statically mapping roles or manually adding roles to leaf clusters that have no purpose other than to work around this issue, which can add to role bloat.
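To make the two behaviours concrete, here is a small added Go example (not Teleport's own code; the RoleMapping type and MapRoles function are hypothetical names) that applies role_map entries to a user's root roles, once failing on any role missing from the leaf as the issue reports, and once discarding only the non-matching roles as requested:

```go
package main

import (
	"fmt"
	"regexp"
)

// RoleMapping is a hypothetical stand-in for one role_map entry (remote regex + local templates).
type RoleMapping struct {
	Remote string
	Local  []string
}
// MapRoles applies the mappings to the root-cluster roles. strict=true fails on any mapped role
// missing from the leaf, so the user gets nothing (reported behaviour); strict=false drops it.
func MapRoles(mappings []RoleMapping, rootRoles []string, leafRoles map[string]bool, strict bool) ([]string, error) {
	seen, mapped := map[string]bool{}, []string{}
	for _, m := range mappings {
		re, err := regexp.Compile(m.Remote)
		if err != nil {
			return nil, fmt.Errorf("bad remote pattern %q: %w", m.Remote, err)
		}
		for _, r := range rootRoles {
			idx := re.FindStringSubmatchIndex(r)
			if idx == nil {
				continue // this root role is not covered by the entry
			}
			for _, tmpl := range m.Local {
				local := string(re.ExpandString(nil, tmpl, r, idx)) // expands $1 etc.
				if !leafRoles[local] {
					if strict {
						return nil, fmt.Errorf("role %q does not exist on the leaf cluster", local)
					}
					continue // lenient: discard the non-matching role and keep going
				}
				if !seen[local] {
					seen[local], mapped = true, append(mapped, local)
				}
			}
		}
	}
	return mapped, nil
}

func main() {
	mappings := []RoleMapping{{Remote: "^(.*)$", Local: []string{"$1"}}}
	leaf := map[string]bool{"roleB": true} // constructed sample: the leaf lacks roleA
	_, strictErr := MapRoles(mappings, []string{"roleA", "roleB"}, leaf, true)
	lenient, _ := MapRoles(mappings, []string{"roleA", "roleB"}, leaf, false)
	fmt.Println("strict:", strictErr, "| lenient:", lenient)
}
```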

rlabellasfr commented 4 months ago

Hello. In the OIDC connector section of https://goteleport.com/docs/reference/cli/tctl/#tctl-sso-configure-github: tctl sso configure oidc

The document says: --ignore-missing-roles Ignore missing roles referenced in --claims-to-roles.

Did you test this option?

Regards, Romain