desktop access: enhanced labeling support #12326

Open
2 of 3 tasks
zmb3 opened this issue Apr 29, 2022 · 0 comments
Labels:
  • desktop-access
  • feature-request (used for new features in Teleport, improvements to current should be #enhancements)
  • rbac (issues related to Role Based Access Control)

Comments


zmb3 commented Apr 29, 2022

The current mechanism for labeling Windows Desktops is to run a regex against the desktop's name:

  # Rules for applying labels to Windows hosts based on regular expressions
  # matched against the host name. If multiple rules match, the desktop will
  # get the union of all matching labels.
  host_labels:
  - match: '^.*\.dev\.example\.com$'
    labels:
      environment: dev
  - match: '^.*\.prod\.example\.com$'
    labels:
      environment: prod

If you're using labels for access control like we recommend, then this means your desktops must follow a naming convention where similar desktops are named in a common way so that they can be grouped by label. In many cases, desktop names are randomly assigned and don't follow a particular pattern.

This request includes 3 enhancements for labeling Windows desktops that are discovered via LDAP:

  • Always include the Organizational Unit (OU) as a new teleport.dev/ou label. This will allow organizations who don't have a formal naming standard but do organize desktops by OU to label desktops accordingly.
  • Provide a regex-based labeling system similar to today's host_labels feature, but allow the regex to match against the full distinguished name (DN) of the desktop, not just the hostname. This will allow further customization for cases where option 1 alone is not sufficient.
  • Allow for pulling in custom LDAP attributes and adding them as labels. This is similar to the labeling work we're doing based on AWS tags in Automatically add AWS tags to servers #11627. The proposal is to extend the discovery section of the config to allow users to specify a set of additional LDAP attributes that should be included on the query and set as labels on the host:
  discovery:
    base_dn: '*'
    filters:
    - '(location=Oakland)'
    - '(!(primaryGroupID=516))' # exclude domain controllers
    
    # new: specify LDAP attributes that should be turned into labels
    attribute_labels:
    - location
    - department
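The three label sources above can be combined into one labeling pass. The following is an added illustration in Go, not Teleport's own code: it derives the `teleport.dev/ou` label by trimming the CN from the full DN (the approach the referenced commits describe), applies host_labels-style regex rules to the full DN instead of the hostname, and copies the configured `attribute_labels` from the entry. The `dnLabelRule` type, the `desktopLabels` function and the sample DN and attribute values are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dnLabelRule is a host_labels-style rule whose regex runs against the full DN.
type dnLabelRule struct {
	Match  *regexp.Regexp
	Labels map[string]string
}

// ouFromDN trims the leading CN component from the DN (as the referenced commits
// describe) and returns the remainder, or "" when the DN has no CN prefix.
func ouFromDN(dn string) string {
	if i := strings.Index(dn, ","); i > 0 && strings.HasPrefix(strings.ToUpper(dn), "CN=") {
		return dn[i+1:]
	}
	return ""
}

// desktopLabels unions the OU label, the labels of every matching DN rule, and the
// attribute_labels copied from the entry; missing or empty attributes are skipped.
func desktopLabels(dn string, attrs map[string]string, rules []dnLabelRule, attrLabels []string) map[string]string {
	labels := map[string]string{}
	if ou := ouFromDN(dn); ou != "" {
		labels["teleport.dev/ou"] = ou
	}
	for _, r := range rules {
		if !r.Match.MatchString(dn) {
			continue
		}
		for k, v := range r.Labels {
			labels[k] = v
		}
	}
	for _, a := range attrLabels {
		if v := attrs[a]; v != "" {
			labels[a] = v
		}
	}
	return labels
}

func main() {
	// Constructed sample entry: a randomly named workstation whose DN, not hostname, carries the grouping.
	attrs := map[string]string{"location": "Oakland", "department": "Finance"}
	rules := []dnLabelRule{{regexp.MustCompile(`,OU=Workstations,`), map[string]string{"kind": "workstation"}}}
	fmt.Println(desktopLabels("CN=WKS-7F3A9,OU=Finance,OU=Workstations,DC=example,DC=com", attrs, rules, []string{"location", "department"}))
}
```

The CN trimming splits on the first comma, so a CN containing an escaped comma (RFC 4514 `\,`) would need a real DN parser; the lookup also treats an attribute that is absent and one that is empty the same way, which keeps an unset attribute from producing a label that access rules could match.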
zmb3 added a commit that referenced this issue May 4, 2022
Automatically label discovered desktops with the LDAP
organizational unit they belong to. This expands the
ability to define RBAC rules based on OU.

Updates #12326
zmb3 added a commit that referenced this issue May 6, 2022
Automatically label discovered desktops with the LDAP
organizational unit they belong to. This expands the
ability to define RBAC rules based on OU.

Since the organizationalUnit attribute is often unspecified,
we compute the OU by trimming the CN from the full DN.

Updates #12326
zmb3 added a commit that referenced this issue May 31, 2022
This allows users to configure an optional set of LDAP attributes
which will be included in all LDAP queries. Teleport uses these
attributes when labeling desktops.

Updates #12326
zmb3 added a commit that referenced this issue Jun 7, 2022
* Label desktops based on the content of LDAP attributes

This allows users to configure an optional set of LDAP attributes
which will be included in all LDAP queries. Teleport uses these
attributes when labeling desktops.

Updates #12326