Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update desktop access docs for 9.0 #10406

Merged
merged 4 commits into from
Feb 22, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
708 changes: 563 additions & 145 deletions docs/config.json

Large diffs are not rendered by default.

18 changes: 9 additions & 9 deletions docs/pages/desktop-access/getting-started.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,6 @@ description: Connect Teleport to Active Directory and log into a Windows Desktop
videoBanner: YvMqgcq0MTQ
---

<Admonition type="warning" title="Warning">
Desktop Access is currently in Preview. Do not use this feature for any
critical infrastructure and keep a backup option for accessing your desktop
hosts.
</Admonition>

# Getting Started

In this guide we will connect an Active Directory domain to Teleport using
Expand Down Expand Up @@ -365,7 +359,8 @@ the filepath to the `der_ca_file` configuration variable.

In order to enable Desktop Access in Teleport, add the following section in
`teleport.yaml` on your Linux server. For a detailed description of these
configuration fields, see the [reference](./reference.mdx) page.
configuration fields, see the
[configuration reference](./reference/configuration.mdx) page.

<Details title="Desktop Service Configuration" min="7.0" scopeOnly={true} scope={["oss", "enterprise"]}>
```yaml
Expand Down Expand Up @@ -437,8 +432,13 @@ spec:
windows_desktop_logins: ["Administrator"]
```

See the [RBAC section](./reference.mdx#rbac) in the Reference documentation
for more information about setting up Windows Desktop Access permissions.
<Admonition type="warning" title="RBAC Configuration">
Ensure that each Teleport user is only assigned Windows logins that they should
be allowed to access.
</Admonition>

See the [RBAC page](./rbac.mdx) for more information about setting up
Windows Desktop Access permissions.

See the [Access Controls Getting Started](../access-controls/getting-started.mdx#step-13-add-local-users-with-preset-roles)
guide for instructions on how to create or update a user with a given role.
Expand Down
43 changes: 15 additions & 28 deletions docs/pages/desktop-access/introduction.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -4,22 +4,6 @@ description: Teleport Desktop Access introduction and resources.
videoBanner: n2h0GisWdss
---

<Admonition
type="warning"
title="Warning"
>
Desktop Access is currently in Preview. Do not use this feature for any critical
infrastructure and keep a backup option for accessing your desktop hosts.

Desktop Access Preview:

- is not compatible with HSM integration.
- does not support clipboard sharing.
- does not support session recording.
- does not support per-session MFA.
- may have worse performance than a native RDP client.
</Admonition>

# Desktop Access

Teleport manages graphical desktop access to remote hosts. With Teleport
Expand All @@ -34,7 +18,7 @@ Desktop Access, you get:
type="note"
title="Supported platforms"
>
Only Windows hosts accessible over RDP are supported currently. Specifically:
Only Windows hosts accessible over RDP are supported. Specifically:

- Windows Server 2012 R2 / Windows 10 or newer
- Hosts connected to an Active Directory domain
Expand All @@ -50,17 +34,20 @@ Desktop Access, you get:

## Resources

{/*

To learn more about configuring role-based access control for Desktop Access,
check out [RBAC](./rbac.mdx) section.

TODO: Complete the RBAC section

*/}

See [Reference](./reference.mdx) for an overview of
Desktop Access related configuration and CLI commands.
<TileSet>
<Tile icon="wrench" title="Configuration" href="./reference/configuration.mdx">
Configure Windows Desktop Service
</Tile>
<Tile icon="lock" title="RBAC" href="./rbac.mdx">
Role-based Access Control for Teleport Desktop Access
</Tile>
<Tile icon="window" title="CLI" href="./reference/cli.mdx">
CLI Reference
</Tile>
<Tile icon="list" title="Audit" href="./reference/audit.mdx">
Audit Events
</Tile>
</TileSet>

## Troubleshooting

Expand Down
138 changes: 138 additions & 0 deletions docs/pages/desktop-access/rbac.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
---
title: Role-Based Access Control for Desktop Access
description: Role-based access control (RBAC) for Teleport Desktop Access
---

# Desktop Access Role-Based Access Control

Teleport's RBAC allows administrators to set up granular access policies for
Windows desktops connected to Teleport.

Teleport's `role` resource provides the following options for controlling
desktop access:

```yaml
kind: role
version: v4
metadata:
name: developer
spec:
options:
# Specify whether or not to record the user's desktop sessions.
# Desktop session recording is enabled if one or more of the user's
# roles has enabled recording. Defaults to true if unspecified.
# Desktop sessions will never be recorded if auth_service.session_recording
# is set to 'off' in teleport.yaml or if the cluster's session_recording_config
# resource has set 'mode: off'.
record_sessions:
desktop: true

# Specify whether clipboard sharing should be allowed with the
# remote desktop (requires a supported browser). Defaults to true
# if unspecified. If one or more of the user's roles has disabled
# the clipboard, then it will be disabled.
desktop_clipboard: true
allow:
# Label selectors for desktops this role has access to.
windows_desktop_labels:
environment: ["dev", "stage"]

# Windows user accounts this role can connect as.
windows_desktop_logins: ["Administrator", "{{internal.windows_logins}}"]
```

<Admonition type="warning" title="Active Directory Configuration">
Teleport's RBAC system is not a replacement for proper Active Directory
administration. Teleport-issued Windows certificates are valid for a small
amount of time, but they do apply to the entire domain. Proper care should be
taken to ensure that each Teleport user's roles reflect only the necesary
Windows logins, and that these Windows users are properly secured.
</Admonition>

## Labeling

Both `allow` and `deny` rules support `windows_desktop_labels` selectors. These
selectors are matched against the labels set on the desktop. It is possible to
use wildcards (`"*"`) to match all desktop labels.

Windows desktops acquire labels in two ways:

1. The `host_labels` rules defined in the `windows_desktop_service` section of
your Teleport configuration file.
2. Automatic `teleport.dev/` labels applied by Teleport (for desktops discovered
via LDAP only)

For example, the following `host_labels` configuration would apply the
`environment: dev` label to a Windows desktop named `test.dev.example.com`
and the `environment: prod` label to `desktop.prod.example.com`:

```yaml
host_labels:
- match: '^.*\.dev\.example\.com$'
labels:
environment: dev
- match: '^.*\.prod\.example\.com$'
labels:
environment: prod
```

zmb3 marked this conversation as resolved.
Show resolved Hide resolved
For desktops discovered via LDAP, Teleport applies the following labels automatically:

| Label | LDAP Attribute | Example |
| ----- | -------------- | ------- |
| `teleport.dev/computer_name` | `name` | `WIN-I5G06B8RT33`
| `teleport.dev/dns_host_name` | [`dNSHostName`](https://docs.microsoft.com/en-us/windows/win32/adschema/a-dnshostname) | `WIN-I5G06B8RT33.example.com`
| `teleport.dev/os` | [`operatingSystem`](https://docs.microsoft.com/en-us/windows/win32/adschema/a-operatingsystem) | `Windows Server 2012`
| `teleport.dev/os_version`| [`osVersion`](https://docs.microsoft.com/en-us/windows/win32/adschema/a-operatingsystemversion) | `4.0`
| `teleport.dev/windows_domain`| Sourced from config | `example.com`
| `teleport.dev/is_domain_controller` | `primaryGroupID` | `true`

## Logins

The `windows_desktop_logins` role setting lists the Windows user accounts that
the role permits access to. For local users, the `{{internal.windows_logins}}`
variable can be used as a placeholder for the user's `windows_logins` trait. The
`windows_logins` trait can be specified when the user is created with
`tctl users add alice --windows-logins=Administrator,DBUser`.

New clusters automatically populate the preset `access` role with the following:

```yaml
allow:
windows_desktop_logins: ["{{internal.windows_logins}}"]
```

## Clipboard Access

In order for a user to copy and paste between a remote desktop and their local
workstation, clipboard sharing must be enabled for the user. The
`desktop_clipboard` role option defaults to enabled if unspecified. To disable
clipboard sharing for a Teleport user, ensure that they are assigned at least
one role that explicitly disables clipboard sharing:

```yaml
desktop_clipboard: false
```

## Session Recording

In order for a Teleport user's desktop sessions to be recorded, the following must
both be true:

- Session recording is enabled (i.e. not set to `off`) on the cluster. This
setting resides in `teleport.yaml` under `auth_service.session_recording`, but
can also be configured dynamically via the cluster's
`session_recording_config` resource.
- The user's roles enable desktop session recording.

By default, desktop session recording is considered enabled in Teleport roles
unless it is explicitly disabled:

```yaml
record_sessions:
desktop: false
```

In order to disable desktop session recording for a user, *all* of the user's
roles must disable it. In other words, the presence of a single role which
enables recording is enough to ensure sessions are recorded.
122 changes: 0 additions & 122 deletions docs/pages/desktop-access/reference.mdx

This file was deleted.

Loading