tsh db ls returns AccessDeniedError in trusted cluster setup #12239

Closed
smallinsky opened this issue Apr 26, 2022 · 1 comment · Fixed by #12281 or #12318
Labels: bug, database-access, tsh

Comments

@smallinsky
Contributor

Description

tsh db ls returns the trace.AccessDeniedError error in case of trusted cluster setup.

ERROR REPORT:
Original Error: *trace.AccessDeniedError access denied to perform action "read" on "role"
Stack Trace:
	/Users/jnyckowski/projects/teleport/api/client/client.go:1303 github.com/gravitational/teleport/api/client.(*Client).GetRole
	/Users/jnyckowski/projects/teleport/lib/auth/httpfallback.go:57 github.com/gravitational/teleport/lib/auth.(*Client).GetRole
	/Users/jnyckowski/projects/teleport/lib/services/role.go:804 github.com/gravitational/teleport/lib/services.FetchRoleList
	/Users/jnyckowski/projects/teleport/lib/services/role.go:818 github.com/gravitational/teleport/lib/services.FetchRoles
	/Users/jnyckowski/projects/teleport/tool/tsh/db.go:72 main.onListDatabases
	/Users/jnyckowski/projects/teleport/tool/tsh/tsh.go:779 main.Run
	/Users/jnyckowski/projects/teleport/tool/tsh/tsh.go:337 main.main
	/Users/jnyckowski/go/go1.18/src/runtime/proc.go:250 runtime.main
	/Users/jnyckowski/go/go1.18/src/runtime/asm_arm64.s:1259 runtime.goexit
User Message: access denied to perform action "read" on "role"

Reproduction Steps

  1. Set up trusted env
  2. Log into leaf cluster
  3. Perform tsh db ls

@smallinsky added the bug, tsh, and database-access labels Apr 26, 2022
@smallinsky changed the title from "tsh db ls returns AccessDeniedError in trusted cluster setup." to "tsh db ls returns AccessDeniedError in trusted cluster setup" Apr 26, 2022
@Tener
Contributor

Tener commented Apr 26, 2022

Looks like an issue with permissions, definitely something to fix though. My guess is that a trusted cluster assigns a role without visibility into role definition. I'd say the fix is to do graceful degradation.
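
The graceful degradation suggested in the comment above, as an added Go sketch that is not Teleport's code and is not taken from the fixes referenced on this issue. `Role`, `roleStore`, `FetchRolesBestEffort` and `ErrAccessDenied` are hypothetical names; `ErrAccessDenied` stands in for the `trace.AccessDeniedError` in the report, and the sample roles are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrAccessDenied = errors.New("access denied") // stands in for trace.AccessDeniedError (assumption)

// Role and roleStore are hypothetical stand-ins, not Teleport types.
type Role struct {
	Name    string
	DBUsers []string
}

type roleStore map[string]*Role // nil value: role exists, caller may not read it

func (s roleStore) GetRole(name string) (*Role, error) {
	r, ok := s[name]
	if !ok {
		return nil, fmt.Errorf("role %q not found", name)
	}
	if r == nil {
		return nil, fmt.Errorf("read role %q: %w", name, ErrAccessDenied)
	}
	return r, nil
}

// FetchRolesBestEffort tolerates only access-denied; any other error aborts.
func FetchRolesBestEffort(s roleStore, names []string) (roles []*Role, denied []string, err error) {
	for _, n := range names {
		r, getErr := s.GetRole(n)
		switch {
		case errors.Is(getErr, ErrAccessDenied):
			denied = append(denied, n) // permissions unknown, not "none"
		case getErr != nil:
			return nil, nil, getErr
		default:
			roles = append(roles, r)
		}
	}
	return roles, denied, nil
}

func main() { // constructed sample: one readable role, one the caller cannot read
	s := roleStore{"leaf-db": {Name: "leaf-db", DBUsers: []string{"reader"}}, "root-mapped": nil}
	roles, denied, err := FetchRolesBestEffort(s, []string{"leaf-db", "root-mapped"})
	fmt.Println(len(roles), denied, err)
}
```

A caller that lists databases with this result should render the allowed users for any entry in `denied` as unknown rather than as an empty set, so the degraded output is never read as a statement about what the user may access.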
