gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com

Allow session recording enabling/disabling on a role basis #8752

Open deusxanima opened 2 years ago

deusxanima commented 2 years ago

What

Customers have requested the ability to enable/disable session recordings on a per-role basis.

Desktop Access already supports this. Add support for Server Access and Kubernetes Access. Stretch goal to support Application Access and Database Access.

Why

Customers who add Teleport to their monitoring tools may create automation/monitoring users in Teleport which access all Teleport nodes with the identity file at a certain interval to ensure that all nodes are accessible. The problem is that doing this causes backend logs and sessions to increase exponentially, even though the sessions to nodes are not interactive.

sysadmiral commented 2 years ago

We were talking to Sean at DevOpsDays Birmingham about this yesterday and I would just add that per-session would also be super useful, like `tsh ssh --no-record` or something?

zmb3 commented 2 years ago

@gabrielcorado do your new recording mode role options make it possible to disable session recording on a per-role basis?

gabrielcorado commented 2 years ago

No, we've considered disabling/enabling session recordings out of the feature scope. But we can reuse the options added to cover this.